Azure Active Directory Enterprise integration
Automatically provision and (most importantly) deprovision DatoCMS users using your centralized Azure account

Automatic user provisioning is supported for the DatoCMS application.

This enables Microsoft Azure Active Directory to:

  • Add new users to DatoCMS
  • Update users’ profile information in DatoCMS
  • Deactivate users in DatoCMS
  • Push groups and memberships to DatoCMS

Features

The following provisioning features are supported:

  • Create User - Creating a new user in Azure AD and assigning them to the DatoCMS application will create a new user in DatoCMS.
  • Update User Attributes - Updates to a user in Azure AD will be pushed to DatoCMS.
  • Deactivate Users - Deactivating the user or disabling the user's access to DatoCMS within Azure AD will deactivate the user in DatoCMS.
  • Reactivate Users - User accounts can be reactivated from Azure AD.
  • Push Groups - Groups created in Azure AD can be pushed to DatoCMS. Attributes pushed include name and group members.
  • Delete Groups - Groups deleted or removed from the DatoCMS application within Azure AD will be deleted within DatoCMS.

Prerequisites

  • Single Sign-On is only available for Enterprise plans.

Configuration Steps

Inside your Microsoft Azure dashboard, search for Azure Active Directory and open the service:

Enter the Enterprise Applications section, then click the New Application button:

Select Non-gallery application:

Name your application DatoCMS and click the Add button:

Enter the Single Sign-On section:

Select SAML as single sign-on method:

Now click the small Edit button in the Basic SAML Configuration box:

Fill in the following information:

  • Identifier (Entity ID): https://sso.datocms.com/<YOUR_SAML_TOKEN>/saml/metadata
  • Reply URL (Assertion Consumer Service URL): https://sso.datocms.com/<YOUR_SAML_TOKEN>/saml/consume
  • Sign on URL (optional): https://sso.datocms.com/<YOUR_PROJECT_ID>/saml/init

Make sure to replace <YOUR_SAML_TOKEN> with the SAML Token present in the Settings > Single Sign-On > Settings section of your DatoCMS project:

Now move into the Provisioning section, and click the Get started button:

Within the Settings > Single Sign-On > Settings section of your DatoCMS project, click the SCIM Settings > API Token button:

Copy the resulting API token:

Fill in the following information:

Then click the Save button:

Go back to the Single Sign-On section, and copy the App Federation Metadata Url...

...and paste it into the DatoCMS Identity Provider SAML Metadata URL field:

Make sure to also specify the default role editors will be assigned to (learn more about this field in the "Mapping Azure AD groups to DatoCMS roles" section below):

Press the Save settings button in DatoCMS.

Mapping Azure AD groups to DatoCMS roles

In the Groups section in DatoCMS, you can now assign a specific role to each Group. For each group, assign the role with the same name:

Once you've configured a role for every group, the following rules will apply:

  • The group's role will be applied to every user belonging to it.
  • If a user belongs to multiple groups, the first group in the list wins. You can reorder groups with drag and drop to customize their priorities.

If a user does not belong to any group, the default role specified in the SSO Settings will be used.
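
The rules above can be modelled for an access review. The following is an added example, not DatoCMS code: it resolves each user's effective role from an ordered group list and flags users whose role depends on the group order or on the default role. All group names, role names and users are constructed sample data.

```python
# Added example: models the group-to-role rules described above.
# Group names, role names and users below are constructed sample data.

def effective_role(user_groups, ordered_groups, default_role):
    """Return (role, deciding_group) for a user.

    ordered_groups: list of (group_name, role) in the priority order shown
    in the Groups section; the first group the user belongs to wins.
    """
    for name, role in ordered_groups:
        if name in user_groups:
            return role, name
    return default_role, None


def review(users, ordered_groups, default_role):
    """Flag users whose outcome depends on group order or on the default."""
    role_of = dict(ordered_groups)
    findings = {}
    for user, groups in users.items():
        role, winner = effective_role(groups, ordered_groups, default_role)
        # Every role the user's groups map to, including the ones that lost.
        mapped = {role_of[g] for g in groups if g in role_of}
        if winner is None:
            note = "default role applied"
        elif len(mapped) > 1:
            shadowed = ", ".join(sorted(mapped - {role}))
            note = f"order-dependent: {shadowed} shadowed"
        else:
            note = "ok"
        findings[user] = (role, note)
    return findings


# Constructed sample data: groups in priority order, then user memberships.
ORDERED_GROUPS = [("Admins", "Admin"), ("Editors", "Editor"), ("Reviewers", "Read-only")]
USERS = {
    "alice": {"Editors"},
    "bob": {"Reviewers", "Admins"},   # member of two groups
    "carol": set(),                   # no group: falls back to the default
}

if __name__ == "__main__":
    for user, (role, note) in review(USERS, ORDERED_GROUPS, "Read-only").items():
        print(f"{user:6} {role:10} {note}")
```

Users reported as order-dependent are the ones whose role changes if the groups are reordered, so they are the entries to check after any drag-and-drop change.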

SAML User Attributes & Claims

DatoCMS recognizes the following claims for users (any other claim will be ignored):

Attribute Mapping

DatoCMS recognizes the following attributes for users (any other attribute will be ignored):

Support and Troubleshooting

For any issues, please contact our support to get customized help.

Publisher: DatoCMS
First released: March 12th, 2019