Map Azure AD groups to Portworx Backup roles
This topic explains how to map groups in Entra ID (Azure AD) to Portworx Backup roles so that users are automatically assigned the required role when they log in.
To map Entra ID (Azure AD) groups to Portworx Backup roles:
1. In Entra ID (Azure AD), select App registrations > All applications tab > pxbackup application.
2. In the pxbackup application page, select Manifest from the left pane. Modify the `groupMembershipClaims` parameter value from `null` to `"All"`.
3. In Portworx Backup, create roles to map to groups in Azure AD. For more information about creating roles in Portworx Backup, refer to the Add roles procedure.
4. Log in to Keycloak using administrator credentials.
5. Select Identity Providers from the left pane, and from the list, select Edit on an Identity Provider.
6. In the selected Identity Provider page > Settings tab, select `force` from the Sync Mode dropdown list, and click Save.
7. Select the Mappers tab > Create.
8. In the Add Identity Provider Mapper page, specify the following values:
   - Name: Enter a role name (consistent with the role name created in Portworx Backup).
   - Sync Mode Override: `force`
   - Mapper Type: `Claim to Role`
   - Claim: `groups`
   - Claim Value: The ID of the group to map, which you get from the group in Azure AD.
   - Role: The role that the user needs to be assigned.
9. Click Save.
Repeat steps 7 and 8 to map more Portworx Backup roles in Azure AD.
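To check a mapping when a user does not receive the expected role, the following added example (not part of the Portworx documentation or product) decodes a token issued by Entra ID and reports which roles the `groups` mappers would match. The group IDs, role names, function names and sample tokens are constructed; it also flags the Entra ID group overage case, where a user in too many groups gets a `_claim_names` reference instead of a `groups` claim, so no mapper can match.

```python
import base64
import json

# Constructed placeholders: Entra ID group ID -> role named in each Keycloak mapper.
MAPPERS = {
    "11111111-1111-1111-1111-111111111111": "example-backup-admin",
    "22222222-2222-2222-2222-222222222222": "example-backup-viewer",
}


def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_roles(claims, mappers=MAPPERS):
    """Return (roles, problem) for the `groups` claim the mappers match on."""
    if "groups" not in claims:
        # Overage: Entra ID omits `groups` and emits a lookup reference instead.
        if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
            return set(), "overage: groups claim replaced by a reference"
        return set(), "missing: no groups claim, check groupMembershipClaims"
    groups = claims["groups"]
    if isinstance(groups, str):  # tolerate a single value instead of a list
        groups = [groups]
    roles = {mappers[g] for g in groups if g in mappers}
    unmapped = [g for g in groups if g not in mappers]
    # Only report unmapped IDs when nothing matched at all.
    problem = f"unmapped group IDs: {unmapped}" if unmapped and not roles else None
    return roles, problem


def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([seg(header), seg(claims), "constructed-signature"])


if __name__ == "__main__":
    ok = make_sample_token({"groups": ["11111111-1111-1111-1111-111111111111"]})
    over = make_sample_token({"_claim_names": {"groups": "src1"}})
    for name, tok in (("mapped", ok), ("overage", over)):
        print(name, expected_roles(jwt_claims(tok)))
```

Use it only for troubleshooting on a token you obtained yourself; it does not validate the token and must not be used for authorization decisions.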