This guide explains how to configure group mapping for Tyk Dashboard access using Azure Active Directory (Azure AD). By leveraging Azure AD roles, you can map users to predefined groups in Tyk, enabling permissions management based on group assignments.
Prerequisite
Before proceeding, ensure you have set up SSO login for the Tyk Dashboard using OpenID Connect with Azure AD. Refer to the "Log in to the Dashboard using Azure AD" guide for an end-to-end example of how to configure Azure AD and Tyk Identity Broker.
Step 1: Configure Roles in Azure AD
1. Define Roles in Azure AD
To map Azure AD roles to Tyk groups:
- Navigate to Azure AD > App Registrations > [Your App] > App roles.
- Create two app roles. The Value you give each role is the string Azure AD places in the token's roles claim, and it must match the corresponding UserGroupMapping key in the TIB profile exactly, case included:
- Admin: for administrative access.
- RO-Group: for read-only access.
2. Assign Users or Groups to Roles
- Navigate to Azure AD > Enterprise Applications > [Your App] > Users and Groups.
- Assign users or groups to the roles you just created.
Step 2: Configure Tyk for Group Mapping
Here is an example of a Tyk Identity Broker (TIB) profile with Azure AD role mapping configured. This setup ensures that Tyk directs users to the appropriate Tyk group based on their Azure AD role.
TIB Profile Configuration Example
{
  "ID": "openid-demo-two",
  "Name": "",
  "OrgID": "663a956f3b36d600018d05d7",
  "ActionType": "GenerateOrLoginUserProfile",
  "MatchedPolicyID": "",
  "Type": "redirect",
  "ProviderName": "SocialProvider",
  "CustomEmailField": "",
  "CustomUserIDField": "",
  "ProviderConfig": {
    "CallbackBaseURL": "https://<enter-your-dashboard>/",
    "FailureRedirect": "https://<enter-your-dashboard>/?fail=true",
    "UseProviders": [
      {
        "DiscoverURL": "https://login.microsoftonline.com/<Your Directory (tenant) ID>/v2.0/.well-known/openid-configuration",
        "Key": "<Your Application (client) ID>",
        "Name": "openid-connect",
        "Scopes": [
          "openid",
          "email"
        ],
        "Secret": "<Your client secret>",
        "SkipUserInfoRequest": false
      }
    ]
  },
  "IdentityHandlerConfig": {
    "DashboardCredential": ""
  },
  "ProviderConstraints": {
    "Domain": "",
    "Group": ""
  },
  "ReturnURL": "https://<enter-your-dashboard>/tap",
  "DefaultUserGroupID": "6679e9caa24fef00012048bd",
  "CustomUserGroupField": "roles",
  "UserGroupMapping": {
    "admin": "6679ea7da24fef00012048be",
    "ro-group": "6679e9caa24fef00012048bd"
  },
  "UserGroupSeparator": "",
  "SSOOnlyForRegisteredUsers": false
}
Key Configuration Notes
- Scopes: ensure the email scope is included. The email claim is what Tyk uses to create or match the Dashboard user; without it the login cannot be tied to a user, so no group can be assigned.
- Key and Secret: the Application (client) ID and the client secret of your Azure AD app registration. Treat the Secret as a credential: keep the profile out of version control and rotate the secret if it is ever exposed.
- CustomUserGroupField: the value must be set to "roles". Azure AD emits the app roles assigned to a user in the roles claim of the ID token, and this is the claim Tyk reads to determine group assignments.
- DefaultUserGroupID: defines the default group for users whose token carries no role, or no role that appears in UserGroupMapping.
- UserGroupMapping: maps Azure AD roles (such as "admin" and "ro-group") to specific Tyk groups. The keys are the role values provided by the IDP in the roles claim and must match them exactly; the values 6679ea7da24fef00012048be and 6679e9caa24fef00012048bd are the IDs of the Tyk groups you have already created.
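The following script is an added illustration, not code from Tyk or from the TIB project. It lints the profile settings the notes above call out (email scope, CustomUserGroupField, group ID format) and re-implements the documented mapping rules so you can see which Tyk group a given Azure AD ID token would resolve to, including the edge cases: no roles claim, a role that is not in UserGroupMapping, and a token carrying several roles. The sample token is constructed inline and unsigned. Two points are assumptions about TIB rather than facts from this guide: that role matching is exact and case-sensitive, and that the first mapped role in the claim wins when several are present; confirm both against your TIB version.

```python
"""Check a Tyk Identity Broker (TIB) profile and work out which Tyk group an
Azure AD user would land in, using the mapping rules described in this guide.

Added illustration, not TIB's own code. It re-implements the documented
semantics of CustomUserGroupField, UserGroupMapping, DefaultUserGroupID and
UserGroupSeparator. Assumptions: role matching is exact and case-sensitive,
and when a token carries several mapped roles the first one listed wins.
"""
import base64
import json

# The relevant parts of the profile from this guide (client secret omitted).
TIB_PROFILE = {
    "DefaultUserGroupID": "6679e9caa24fef00012048bd",
    "CustomUserGroupField": "roles",
    "UserGroupMapping": {
        "admin": "6679ea7da24fef00012048be",
        "ro-group": "6679e9caa24fef00012048bd",
    },
    "UserGroupSeparator": "",
    "ProviderConfig": {"UseProviders": [{"Scopes": ["openid", "email"]}]},
}


def lint_profile(profile):
    """Return the configuration mistakes this guide warns about, as strings."""
    problems = []
    scopes = profile["ProviderConfig"]["UseProviders"][0]["Scopes"]
    if "email" not in scopes:
        problems.append("Scopes: 'email' is missing, Tyk cannot identify the user")
    if profile.get("CustomUserGroupField") != "roles":
        problems.append("CustomUserGroupField must be 'roles' to read Azure AD app roles")
    group_ids = [profile.get("DefaultUserGroupID", "")]
    group_ids += list(profile["UserGroupMapping"].values())
    for gid in group_ids:
        if len(gid) != 24 or any(c not in "0123456789abcdef" for c in gid):
            problems.append(f"group id {gid!r} is not a 24-character hex Tyk ID")
    return problems


def roles_from_claims(claims, field, separator):
    """Read the role values from the claim named by CustomUserGroupField.

    Azure AD emits app roles as a JSON array. A plain string claim is split on
    UserGroupSeparator when one is configured, otherwise taken as one role.
    """
    value = claims.get(field)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    if separator:
        return [part for part in str(value).split(separator) if part]
    return [str(value)]


def resolve_group(claims, profile):
    """Return the Tyk group ID for a user whose ID token carries `claims`."""
    roles = roles_from_claims(
        claims, profile["CustomUserGroupField"], profile["UserGroupSeparator"]
    )
    mapping = profile["UserGroupMapping"]
    for role in roles:  # assumption: exact, case-sensitive; first mapped role wins
        if role in mapping:
            return mapping[role]
    return profile["DefaultUserGroupID"]  # no role, or no mapped role


def claims_from_id_token(id_token):
    """Decode a JWT payload without verifying it, for offline inspection only.

    Signature and issuer checks are the OIDC client's job; this helper just
    lets you see which roles claim Azure AD actually put in the token.
    """
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample ID token (header.payload.signature). The signature is a
# placeholder: this token is for decoding the roles claim, not for login.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"email": "alice@example.com", "roles": ["ro-group", "admin"]}),
    "signature-omitted",
])


if __name__ == "__main__":
    print("profile problems:", lint_profile(TIB_PROFILE) or "none")
    claims = claims_from_id_token(SAMPLE_ID_TOKEN)
    print(claims["email"], "->", resolve_group(claims, TIB_PROFILE))
    for test_claims in ({"roles": ["admin"]}, {"roles": ["Admin"]}, {}):
        print(test_claims, "->", resolve_group(test_claims, TIB_PROFILE))
```

Run it before enabling the profile: a user with the `Admin` role whose Value is "Admin" rather than "admin" silently lands in the default (read-only) group, which is the most common cause of "group mapping does not work" reports and is easier to catch here than in the Dashboard audit log.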
Conclusion
By setting up group mapping in Azure AD and Tyk, you can streamline and enhance access management for the Tyk Dashboard. This configuration ensures that users are automatically mapped to the correct Tyk groups based on their Azure AD roles, granting them the appropriate permissions.