Setting up your identity provider

After signing in for the first time with your EDB account, you can either use the BigAnimal portal as your identity provider or set up your own.

Note

If you purchased through Azure Marketplace, BigAnimal authenticates users using Azure Active Directory (AD) and you don't have to complete these steps. Azure AD is linked during subscription. Also, you can still invite users that have an EDB account through the BigAnimal portal.

When using your own identity provider, you add users to BigAnimal by adding them to the designated group in your identity provider. Once you've logged into BigAnimal using your own identity provider, you can set up your cloud service provider in the BigAnimal portal to complete onboarding.

If you're using the BigAnimal portal as your identity provider, you can also invite users that have an EDB account by selecting Invite New User on the Users page. After providing their EDB account email and their role, you can send them an invitation link. For more information on roles, see Managing portal access.

Setting up your own identity provider

BigAnimal supports single sign-on through SAML identity providers. The SAML application enables access to BigAnimal for groups selected in your identity provider. You configure your SAML application to send a SAML assertion response to BigAnimal for each user.

The identity provider application provides:

  • Signature certificate
  • Single sign-on URL (Sign In Endpoint)

The BigAnimal service provider provides:

  • ACS URL (Assertion Consumer Service)
  • SP Entity ID (Audience URI)

The Set Up Identity Provider page in BigAnimal provides the ACS URL and Audience URI, which you can copy to use when configuring your SAML application. The page also includes information about mandatory attributes for the configuration.

You need the following SAML assertions to map the user information in your identity provider application to BigAnimal:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Configure SAML

On the Set Up Identity Provider page:

  1. In the Connection Info section, copy the following URLs to use in your identity provider configuration:

    URLDescription
    Assertion Consumer Service URLBigAnimal-specific URL to which SAML assertions from your identity provider are sent
    Audience URIThe entity or audience for which the SAML assertion is intended
  2. In the Configure SAML response section, configure your identity provider to send the SAML response. The SAML response must include the following attributes:

    • givenname BigAnimal uses the value as the given name in the profile of the authenticated user.
    • surname BigAnimal uses the value as the surname in the profile of the authenticated user.
    • name BigAnimal uses the value as the full name (givenname joined with surname) in the profile of the authenticated user.
    • emailaddress BigAnimal uses the value for the email address in the profile of the authenticated user.

    Provide a NameID element in the Subject element. Provide your email ID as the value to NameID. BigAnimal uses the email ID you provide as your username and primary email, so format NameID like an email address.

    For example:

    nameID

  3. In the SAML settings section, enter the configuration information for your preferred SAML identity provider:

    FieldDescription
    Single Sign-On URLThe identity provider's sign-on URL.
    Identity Provider Signature CertificateIdentity provider's assertion signing certificate (.cer or .cert). Coordinate with your identity provider partner to obtain this certificate securely.
    Request BindingSAML Authentication Request Protocol binding used to send the authentication request: HTTP-Redirect, HTTP-Post, or Hybrid (SAML request is REDIRECT and response is POST).
    Response Signature Algorithm (RSA) AlgorithmThe signature algorithm used to sign the SAML AuthNRequest (RSA SHA-1 or RSA SHA-256).
  4. Select Test Connection. If you connect to your identity provider successfully, your identity provider's login screen appears. If an error message appears, contact Support.

Once your identity provider is set up, you can view your connection status, ID, login URL, audience URI, and assertion consumer service URL from the BigAnimal portal on the Identity Provider page. Select Admin > Identity Provider to access it.

Add a domain

You need a verified domain so your users can have a streamlined login experience with their email address.

  1. On the Domains tab, enter the domain name and select Next: Verify Domain.

  2. Copy the TXT record and follow the instructions.

  3. Select Done.

    Your domain and its status appear on the Domains tab, where you can delete or verify it. Domains can take up to 48 hours to be verified.

To add another domain, select Add Domain.

When you have at least one verified domain, the identity provider status becomes Active on the Identity Providers tab. When the domain is no longer verified, the status becomes Inactive.

Note

The identity provider status can take up to three minutes to update.

Manage roles for added users

You add users through your identity provider. A user who you add in the identity provider is automatically added to BigAnimal. BigAnimal assigns them with the default role of organization member. You manage roles and permissions from BigAnimal. See Managing portal access.

Note

A user is created in BigAnimal only after they log in. After they log in, you can change their BigAnimal role.

Add a tile

Once you establish the identity provider, you can create a BigAnimal tile for users to access the organization's BigAnimal application. To do so, copy the quick sign-in URL from the Settings > Identity Provider page of the BigAnimal portal. For details on how to add a tile, refer to your identify provider documentation for instructions on setting up SSO access to your application.

Next steps

You and other users can log in to BigAnimal using your identity provider credentials.

You can rename the default project BigAnimal creates for you. See Editing a project.

You can set up your cloud service provider so that you or other users with the correct permissions can create clusters.

You can assign roles to your default project. See Managing portal access.