Enable Azure Active Directory SSO

Configure Tanzu CloudHealth to authenticate your users via Azure Active Directory.

As an alternative to username-password-based authentication, Tanzu CloudHealth allows single sign-on (SSO). You can authenticate your users via Azure Active Directory.

There are two procedures, depending on whether you use FlexOrgs to manage your organizations: one for FlexOrgs and one for classic organizations. Both are described below.

Note

Tanzu CloudHealth does not support mixed-mode authentication. Once you configure Azure AD SSO in the Tanzu CloudHealth Platform, you can only invite users through that IdP. You will no longer be able to send user invitations through the Tanzu CloudHealth Platform.

Prerequisite

You are assigned a Global Administrator role in the Active Directory that you want to use for authenticating your users.

Enable Azure AD SSO for FlexOrgs

How Dynamic Mapping Works

In FlexOrgs, you can dynamically map users to user groups based on SSO attributes. You specify the attributes in your Identity Provider (IDP).

This capability allows you to centrally manage users in your IDP. When you change a user's attributes in the IDP, the user is remapped to the user groups whose attributes now match and receives the permissions of those groups.

Note

If you do not want to map users to user groups dynamically, you can invite users manually.

Step 1: Specify SSO Attributes in User Group Definition

Before you attach attributes for mapping users in your IDP, specify the key-value pair that the user group should look for in the IDP assertion.

  1. In the Tanzu CloudHealth Platform, from the left menu, select Setup > Admin > User Groups > New User Group.
  2. In the Details tab, provide the following information:
    • Name
    • (Optional) Description for the user group
    • Key-value pairs attached as IDP assertions to user profiles that are associated with this user group. Note: If multiple SSO values are defined for an SSO key, the users are mapped to the user group if they match either value.
  3. Specify the SSO Key as groups. Specify SSO Values as the Azure AD group names that you want to associate with the User Group.
  4. In the Members tab, click Add Members. Select the users to include in the user group. Note: Skip this step if you are using SSO key-value pairs to map users to user groups.
  5. In the Assignment tab, add one or more role documents to the user group. For each role document, select the OU in which it is applicable. Multiple role documents can be assigned to a single OU, creating an overlapping tapestry of permissions.

Step 2: Create Group and Assign Users in Azure Portal

  1. Create a group and add members in Azure Active Directory. For help creating a group and adding members, see the Microsoft Azure Active Directory documentation.
  2. When creating the new group, complete the New Group form as follows:
    • Group Type: Select Security from the dropdown.
    • Group Name: Enter the SSO value that was entered in the previous step.
    • Group Description: Enter a role description.
    • Membership Type: Select Assigned from the dropdown.
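The matching rule from Step 1 (a user maps into a user group when the assertion carries any one of the SSO values defined for the key) and the naming requirement from Step 2 (the Azure AD group name must equal that SSO value, created as a Security group) can be checked offline before you switch on SSO. The following is an added example, not Tanzu CloudHealth code: the UserGroup model, the assumption that a group defining several SSO keys requires all of them to match, and the sample user groups and Azure AD group list are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class UserGroup:
    """Constructed model of a Tanzu CloudHealth user group (not the platform's own)."""
    name: str
    # SSO key -> accepted values; an empty dict means members are invited manually
    sso_attributes: dict[str, set[str]] = field(default_factory=dict)


def map_user_to_groups(assertion: dict[str, list[str]], groups: list[UserGroup]) -> list[str]:
    """Return the names of user groups the IDP assertion maps this user into.

    A key matches when the assertion carries ANY of the values configured for it
    (the "either value" rule). Assumption: if a user group defines several keys,
    every key must match.
    """
    matched = []
    for group in groups:
        if not group.sso_attributes:
            continue  # manual membership only; SSO never maps a user into it
        if all(set(assertion.get(key, [])) & values
               for key, values in group.sso_attributes.items()):
            matched.append(group.name)
    return matched


def check_azure_groups(groups: list[UserGroup], azure_groups: dict[str, str]) -> dict[str, str]:
    """Flag SSO values under the 'groups' key that cannot work as configured.

    azure_groups maps an Azure AD group name to its Group Type as created in Step 2.
    Returns SSO value -> problem; a flagged value silently maps nobody.
    """
    problems = {}
    for group in groups:
        for value in group.sso_attributes.get("groups", set()):
            kind = azure_groups.get(value)
            if kind is None:
                problems[value] = "missing in Azure AD"
            elif kind != "Security":
                problems[value] = f"group type is {kind}, expected Security"
    return problems


# Constructed sample configuration (names are illustrative only)
USER_GROUPS = [
    UserGroup("Finance Readers", {"groups": {"CH-Finance", "CH-Finance-Contractors"}}),
    UserGroup("Platform Admins", {"groups": {"CH-Admins"}}),
    UserGroup("Manually Invited"),
]
AZURE_GROUPS = {"CH-Finance": "Security", "CH-Admins": "Microsoft 365", "Everyone": "Security"}

if __name__ == "__main__":
    print(map_user_to_groups({"groups": ["CH-Finance-Contractors", "Everyone"]}, USER_GROUPS))
    print(check_azure_groups(USER_GROUPS, AZURE_GROUPS))
```

Run the check against an export of your Azure AD groups before enabling SSO; any value it flags means users in that group will land only in the Default Organization with no user group permissions.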

Step 3: Configure Azure AD SSO in Tanzu CloudHealth Platform

  1. In the Tanzu CloudHealth Platform, select Setup > Admin > SSO Configuration.
  2. From the SSO Provider dropdown, select Azure AD and provide the following information:
    • Role Passing: Select how roles are passed to Tanzu CloudHealth.
    • Default Organization: Select the organization to which all new users should be assigned.

Step 4: Configure Session Length for Users (Optional)

You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.

  1. In the Tanzu CloudHealth Platform, select Setup > Admin > Settings.
  2. On the Edit Customer tab, go to the Settings pane.
  3. Select a session length.
  4. Click Update Company Profile.

Enable Azure AD SSO for Classic Organizations

Step 1: Identify Tanzu CloudHealth Roles

By default, Tanzu CloudHealth provides three roles for Active Directory SSO:

  • Standard User
  • Power User
  • Administrator

To review the privileges assigned to each role, go to Setup > Admin > Roles in the Tanzu CloudHealth Platform and click the View icon for each role.

If your organization has users whose role does not match any of the default roles, create a custom role as follows:

  1. In the Tanzu CloudHealth platform, from the left menu, select Setup > Admin > Roles > New Role.
  2. Name the role and assign the privileges it provides.

Result: Tanzu CloudHealth generates an IDP Name for the role.

The IDP Name varies depending on the string you enter in the Name field for the Role. For example:

  Role Name            IDP Name
  Finance              cloudhealth-finance
  Sales and Marketing  cloudhealth-sales-and-marketing
  EngDept              cloudhealth-eng_dept

Step 2: Create Group and Assign Users in Azure Portal

  1. Create a group and add members in Azure Active Directory. For help creating a group and adding members, see the Microsoft Azure Active Directory documentation.
  2. When creating the new group, complete the New Group form as follows:
    • Group Type: Select Security from the dropdown.
    • Group Name: Enter the IDP name Tanzu CloudHealth generated in the previous step.
    • Group Description: Enter a role description.
    • Membership Type: Select Assigned from the dropdown.

Step 3: Configure Azure AD SSO in Tanzu CloudHealth Platform

  1. In the Tanzu CloudHealth Platform, select Setup > Admin > SSO Configuration.
  2. From the SSO Provider dropdown, select Azure AD and provide the following information:
    • Role Passing: Select how roles are passed to Tanzu CloudHealth.
    • Default Organization: Select the organization to which all new users should be assigned.

Step 4: Configure Session Length for Users (Optional)

You can configure the session length for your users in the Tanzu CloudHealth Platform. The default session length is Until the browser closes. However, the best practice is to specify a shorter length, which is measured from the time the user was last active, not from the time the user last logged in.

  1. In the Tanzu CloudHealth Platform, select Setup > Admin > Settings.
  2. On the Edit Customer tab, go to the Settings pane.
  3. Select a session length.
  4. Click Update Company Profile.