Azure Active Directory
Snow Atlas supports configuring Azure Active Directory (AD) as a single sign-on (SSO) provider.
Description
The Snow Atlas Azure AD single sign-on application registration is configured as multi-tenant OpenID Connect (OIDC). The configuration options are already set with the permissions and settings required to function with Snow Atlas. You can also configure items such as user and access group assignments, as well as any Conditional Access policies that you want to apply to this registration.
Supported features
Service provider (SP) initiated SSO when you attempt to sign in from Snow Atlas
User provisioning to create the user on first sign-in when enabled in Snow Atlas
Requirements
The user is an Azure AD administrator.
The user is a Snow Atlas system administrator.
Application permissions
The following permissions are already set in the Snow Atlas Azure AD single sign-on application registration:
Scope permission | Description |
---|---|
| Retrieves basic profile information about a user that is mapped to the user's profile in Snow Atlas |
| A user's primary email address that is used to sign in to Snow Atlas and as contact information |
| The Microsoft Graph scope for reading the user's group membership, which is used to map groups to Snow Atlas permissions. This is for future group synchronization and will only be queried if the feature is configured. |
| The Microsoft Graph scope for reading user information. This scope is implicitly required by |
Configuration required
You are required to configure your Azure AD for Snow Atlas.
Note
The user must have the email claim set in Azure AD. It is insufficient to set the User principal name.
You require the relevant Azure AD tenant ID for your organization's Azure portal. For more information, see Find Azure Active Directory tenant ID.
You must also consent to the application permissions required by Snow Atlas for Azure AD SSO. For more information, see Consent to Azure Active Directory SSO permissions.
Claim mappings
The Azure AD given_name and family_name properties are mapped to the equivalent properties in Snow Atlas if they are not already populated.
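The following diagnostic is an added example, not Snow Atlas or Microsoft code: it inspects the claims of an Azure AD ID token for the conditions described above (the email claim is set rather than only a UPN, the tenant ID matches, and given_name and family_name are available for mapping). The claim names tid, preferred_username and upn are standard Azure AD ID token claims that this page does not mention; the tenant ID, users and tokens are constructed placeholders, and the signature is deliberately not verified, so use it only to troubleshoot tokens you already trust.

```python
import base64
import json

OPTIONAL = ("given_name", "family_name")  # mapped to the Snow Atlas profile per the page

def decode_payload(id_token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def check_claims(claims: dict, expected_tid: str) -> list:
    """Return a list of findings; an empty list means the claims look usable."""
    findings = []
    if claims.get("tid") != expected_tid:
        findings.append("tid does not match the expected tenant ID")
    email = claims.get("email")
    if not isinstance(email, str) or not email.strip():
        note = "email claim is missing"
        if claims.get("preferred_username") or claims.get("upn"):
            note += "; a UPN is present but is not sufficient on its own"
        findings.append(note)
    for name in OPTIONAL:
        if not claims.get(name):
            findings.append(f"{name} is absent, so there is nothing to map")
    return findings

def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join((enc({"alg": "none"}), enc(claims), "constructed-signature"))

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
GOOD = make_sample_token({"tid": TENANT, "email": "alex@example.com",
                          "preferred_username": "alex@example.com",
                          "given_name": "Alex", "family_name": "Doe"})
UPN_ONLY = make_sample_token({"tid": TENANT, "preferred_username": "sam@example.com",
                              "given_name": "Sam", "family_name": "Roe"})

if __name__ == "__main__":
    for label, token in (("good", GOOD), ("upn-only", UPN_ONLY)):
        print(label, check_claims(decode_payload(token), TENANT) or "OK")
```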