Configuring Microsoft Entra ID For SSO

DataGrail supports two configurations for Entra ID SSO. You only need to choose one.

Configuration            Best For               Roles Managed In
Standard Configuration   Most customers.        DataGrail
Group Provisioning       Large organizations.   Entra ID

Standard Configuration

This section documents the standard configuration for Entra ID as an identity provider to support logging in to the DataGrail app. With this configuration, user roles must be managed within DataGrail.

Persons Needed to Complete Configuration: IT Person from your organization

  1. Log in to Microsoft Entra ID as an admin.
  2. Add a new Enterprise Application and select Create your own application. Enter a name and create the application.
  3. In the newly created application, select Single sign-on and then SAML.
  4. Under Basic SAML Configuration, select Edit (pencil) to configure the SAML application.

SAML Configuration

Identifier (Entity ID): datagrail

Reply URL: https://<subdomain>.datagrail.io/saml/auth

Sign on URL: https://<subdomain>.datagrail.io/saml/login

<subdomain> should be replaced with the subdomain configured for your DataGrail account. For example, if you log in to DataGrail at yourcompanyname.datagrail.io, your subdomain is yourcompanyname.

If you are unclear on what your subdomain would be, please confirm with your Account Manager or reach out to support@datagrail.io.

  5. Navigate to User Attributes & Claims and add the following claims.

Required Claims

Claim 1:

  • Name: email
  • Source: Attribute
  • Source attribute: user.mail

Claim 2:

  • Name: first_name
  • Source: Attribute
  • Source attribute: user.givenname

Claim 3:

  • Name: last_name
  • Source: Attribute
  • Source attribute: user.surname

  6. Under SAML Signing Certificate, select Copy next to App Federation Metadata URL.
  7. Send the metadata URL to DataGrail at support@datagrail.io. We will complete the configuration.

Inviting New Users

For more information on adding users and managing roles, see Inviting New Users.

Group Provisioning

The Group Provisioning functionality is best for advanced users that would like to provision roles automatically based on group assignments within Entra ID. You cannot manage user roles within DataGrail using this configuration.

Persons Needed to Complete Configuration: IT Person from your organization

Creating the Entra ID App

The process for creating the Entra ID app is identical to the Standard Configuration steps.

  1. Complete the Standard Configuration steps to create the Entra ID application and configure attribute statements.

Determining Group Mappings

In order to utilize the Group Mapping functionality, mappings between the Entra ID groups and DataGrail roles must be configured on the DataGrail side.

  1. Review DataGrail Roles and Permissions.
  2. Determine what DataGrail roles you want to map to your Entra ID groups. You can have multiple Entra ID groups map to the same DataGrail role.
  3. Once you have established your mappings, send them to support@datagrail.io to be configured.

Configuring Attribute Statements

Once DataGrail support confirms the mappings have been set, the attribute statements can now be configured within Entra ID:

  1. Navigate to the newly created DataGrail application in Entra ID.
  2. Select Single Sign On configuration, and then select User Attributes & Claims.
  3. Select Add a group claim and then All groups.
  4. Under Advanced options, select Customize the name of the group claim and use roles as the name.
  5. Additionally, check Emit groups as role claims.
  6. Check Filter Groups and configure a filter to ensure only the DataGrail groups you have defined are emitted.
  7. Save the application.

For more information on managing group claims with Entra ID, see Microsoft's documentation.
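
One way to confirm both configurations before relying on them is to inspect a test assertion for the Entity ID, Reply URL and claim names set above. This is an added example, not DataGrail or Microsoft code. It assumes DataGrail expects the bare claim names listed on this page (including roles for Group Provisioning); check_assertion, sample_assertion and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "first_name", "last_name")  # claim names from the steps above

def check_assertion(xml_text, subdomain, group_provisioning=False):
    """Return findings; an empty list means the assertion matches the settings above."""
    root = ET.fromstring(xml_text)
    findings = []
    # Identifier (Entity ID) is carried as the assertion's Audience.
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if audiences != ["datagrail"]:
        findings.append(f"Audience is {audiences}, expected ['datagrail']")
    # Reply URL is carried as the Recipient of the subject confirmation.
    expected = f"https://{subdomain}.datagrail.io/saml/auth"
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected:
        findings.append(f"Recipient is {recipient}, expected {expected}")
    # Map each attribute name to its non-empty values.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    wanted = REQUIRED + (("roles",) if group_provisioning else ())
    for name in wanted:
        if attrs.get(name):
            continue
        # Assumption: DataGrail expects the bare names listed on this page. A claim
        # saved with a Namespace value is emitted as "<namespace>/<name>" instead.
        qualified = [n for n in attrs if n and n.endswith("/" + name)]
        if qualified:
            findings.append(f"{name} is emitted as {qualified[0]}")
        else:
            findings.append(f"{name} claim is missing or empty")
    return findings

def sample_assertion(attributes):
    """Constructed test input (not captured Entra output)."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in attributes)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>'
        '<saml:SubjectConfirmation><saml:SubjectConfirmationData '
        'Recipient="https://yourcompanyname.datagrail.io/saml/auth"/></saml:SubjectConfirmation>'
        "</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>datagrail"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")
```

The check covers claim contents only; it does not verify the assertion's signature, so run it on assertions captured from your own test sign-in.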

Inviting New Users

Please visit Inviting New Users for more instructions on adding users and managing roles.

Need help?
If you have any questions, please reach out to your dedicated Account Manager or contact us at support@datagrail.io.

Disclaimer: The information contained in this message does not constitute legal advice. We would advise seeking professional counsel before acting on or interpreting any material.