
Azure Active Directory Enterprise integration

Automatically provision and (most importantly) deprovision DatoCMS users using your centralized Azure account

Automatic user provisioning is supported for the DatoCMS application.

This enables Microsoft Azure Active Directory to:

  • Add new users to DatoCMS

  • Update users’ profile information in DatoCMS

  • Deactivate users in DatoCMS

  • Push groups and memberships to DatoCMS

Features

The following provisioning features are supported:

  • Create User - Creating a new user in Azure AD and assigning them to the DatoCMS application will create a new user in DatoCMS.

  • Update User Attributes - Updates to a user in Azure AD will be pushed to DatoCMS.

  • Deactivate Users - Deactivating the user or disabling the user's access to DatoCMS within Azure AD will deactivate the user in DatoCMS.

  • Reactivate Users - User accounts can be reactivated from Azure AD.

  • Push Groups - Groups created in Azure AD can be pushed to DatoCMS. Attributes pushed include name and group members.

  • Delete Groups - Groups deleted or removed from the DatoCMS application within Azure AD will be deleted within DatoCMS.

Prerequisites

  • Single Sign-On is only available for Enterprise plans.

Configuration Steps

Inside your Microsoft Azure dashboard search for Azure Active Directory and enter the service:

Enter the Enterprise Applications section, then click the New Application button:

Select Non-gallery application:

Name your application DatoCMS and click the Add button:

Enter the Single Sign-On section:

Select SAML as single sign-on method:

Now click the small Edit button in the Basic SAML Configuration box:

Fill in the following information:

  • Identifier (Entity ID): https://sso.datocms.com/<YOUR_SAML_TOKEN>/saml/metadata

  • Reply URL (Assertion Consumer Service URL): https://sso.datocms.com/<YOUR_SAML_TOKEN>/saml/consume

  • Sign on URL (optional): https://sso.datocms.com/<YOUR_PROJECT_ID>/saml/init

Make sure to replace <YOUR_SAML_TOKEN> with the SAML Token present in the Settings > Single Sign-On > Settings section of your DatoCMS project:

Now move into the Provisioning section, and click the Get started button:

Within the Settings > Single Sign-On > Settings section of your DatoCMS project, click the SCIM Settings > API Token button:

Copy the resulting API token:

Fill in the following information:

  • Provisioning Mode: Automatic

  • Tenant URL: https://sso.datocms.com/scim

  • Secret token: use the API token we generated in the previous step

Then click the Save button:

Go back to the Single Sign-On section, and copy the App Federation Metadata Url...

...and paste it into the DatoCMS Identity Provider SAML Metadata URL field:

Make sure to also specify the default role editors will be assigned to (learn more about this field in the "Mapping Azure AD groups to DatoCMS roles" section below):

Press the Save settings button in DatoCMS.

Mapping Azure AD groups to DatoCMS roles

In the Groups section in DatoCMS, you can now assign a specific role to each Group. For each group, assign the role with the same name:

Once you've configured a role for every group, the following rules will apply:

  • The group's role will be applied to every user belonging to it.

  • If a user belongs to multiple groups, the first group in the list wins. You can reorder groups with drag and drop to customize their priorities.

In case a user does not belong to any group, the default role specified in the SSO Settings will be used:
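The resolution rules above can be checked offline before provisioning is switched on. The following is an added example, not DatoCMS code: it applies the first-group-wins and default-role rules to a constructed membership export and lists the users whose role is decided by group order or by the default. All group names, role names and users are hypothetical, and treating a group that is absent from the list as "not pushed to DatoCMS" is an assumption.

```python
from dataclasses import dataclass

# Constructed sample data: group names, role names and users are illustrative.
GROUP_PRIORITY = [            # same order as the list in the DatoCMS Groups section
    ("cms-admins", "Admin"),
    ("cms-editors", "Editor"),
    ("cms-reviewers", "Reviewer"),
]
DEFAULT_ROLE = "Editor"       # default role chosen in the SSO settings

USERS = {
    "alice@example.com": ["cms-reviewers", "cms-admins"],
    "bob@example.com": ["cms-editors"],
    "carol@example.com": [],
    "dave@example.com": ["marketing"],  # assumption: group not pushed to DatoCMS
}


@dataclass
class Resolution:
    role: str
    source: str      # winning group name, or "default"
    shadowed: list   # differing roles from lower-priority groups that lost


def resolve_role(user_groups, priority=GROUP_PRIORITY, default=DEFAULT_ROLE):
    """First matching group in the ordered list wins; otherwise the default."""
    member = set(user_groups)
    matches = [(g, r) for g, r in priority if g in member]
    if not matches:
        return Resolution(default, "default", [])
    (group, role), rest = matches[0], matches[1:]
    return Resolution(role, group, [r for _, r in rest if r != role])


def audit(users=USERS):
    """Return (user, reason, effective role) for assignments worth reviewing."""
    findings = []
    for email, groups in sorted(users.items()):
        res = resolve_role(groups)
        if res.source == "default":
            findings.append((email, "default-role", res.role))
        elif res.shadowed:
            findings.append((email, "priority-decides", res.role))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

A "priority-decides" finding means reordering the groups would change that user's role; a "default-role" finding means the user's access comes entirely from the default chosen in the SSO settings.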

SAML User Attributes & Claims

DatoCMS recognizes the following claims for users (any other claim will be ignored):

Attribute Mapping

DatoCMS recognizes the following attributes for users (any other attribute will be ignored):

Support and Troubleshooting

For any issues, please contact our support to get customized help.

Publisher: DatoCMS