Changing user settings
The Account Settings page allows you to manage your Reblaze user accounts.
From this tab, you can reset your password and update your name and phone number.
Reblaze uses 2FA (two-factor authentication). There are several options for sending an OTP when you log in:
If only an email address is provided, the OTP will be sent via email.
If a phone number is provided, the OTP will be sent via SMS.
This tab also offers a personal API key, to be used in all requests to the Reblaze API.
This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.
An admin can:
Create a new user
Edit an existing user
Reset a user's password
Delete a user
When a user account is being edited, this will appear:
The available Access Levels are:
Viewer: can see the Traffic section, i.e. the Dashboard and View Log.
Organization Admin: has all Editor permissions, and can also manage users via the Users Management page.
Reblaze Admin: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.
This tab allows SSO to be configured so that users have the ability to log into Reblaze with their Okta or Microsoft accounts.
Configuration options will vary depending on the type of account.
Go to https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active
Click Add Application → Create New App
Choose Platform: Web, Sign on method: SAML 2.0
Single sign on URL: RBZ_SSO_ASSERTION_URL env var. Value should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/signon
Audience URI (SP Entity ID): RBZ_SSO_AUDIENCE_URL env var. Value should look like: https://{CUSTOMER_DOMAIN}/sso/saml20/audience
Attribute Statements:
emailaddress: user.email
displayname: user.firstName + " " + user.lastName
groups: appuser.rbzgroups
To pass the Admin group ID, a custom attribute must be added to the user groups: Directory > Profile Editor > Apps > click on Profile
The next step is to map it: Directory > Profile Editor > Apps > click on Mappings
4. Assign the application to users
Create user groups for the two possible access levels: Admin and Read-Only.
Assign users to them. The group name is the string you need for RBZSSOSAML2_ADMINGROUP, or place the group name into the Reblaze console SSO settings.
And in your just-created Application settings:
On the assignment step, a value is required for the custom attribute configured earlier. For the admin group, the value is the same as RBZSSOSAML2_ADMINGROUP, while for the read-only group it can be anything else.
Add the URL of the XML metadata file to the RBZ_SSO_META_URL env var (and/or to the Provider URL field in admin).
The URL example: https://vreagles.okta.com/app/exkl1t3p61ek810CP5d6/sso/saml/metadata
RBZ_SSO_IDP_ISSUER: Go to Applications, choose yours, open the Sign On tab, and click on View Setup Instructions. There you'll find the Identity Provider Issuer.
1. Go to Azure Portal → Enterprise applications
2. Choose + New Application → + Create your own application
3. Choose the option Integrate any other application you don't find in the gallery (Non-gallery) (this option will create the SSO app)
4. Go to the Single sign-on section and choose SAML
5. Set up appropriate links:
RBZ_SSO_IDP_ISSUER should be provided by the customer and has to be unique among the customer’s SSO applications. The best option is to just use something like: https://customer_domain.com?sso=123 (the IDP Issuer field in the console should be identical to the Identifier field in Azure).
6. Get the Metadata XML link and add it to the RBZ_SSO_META_URL environment variable:
7. Set up user.groups in User Attributes & Claims, so that it sends all groups related to the user:
Click on “+ Add a group claim”, choose:
All groups
Source attribute: Group ID
8. Add a user as a member of the application:
9. Get the admin group ID from Azure and put it into the RBZ_SSO_ADMIN_GROUP environment variable:
Go to Azure Active Directory → Groups, create a group.
Object ID is the string you need for RBZ_SSO_ADMIN_GROUP, or place the group ID into the Reblaze console SSO settings.
Then assign a user to the group.
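The attribute statements and admin group value configured in both procedures can be checked before rollout by inspecting the SAMLResponse from your own test login. The following is an added example, not Reblaze code: it assumes the admin group is matched by exact string comparison, runs on constructed sample data, and uses hypothetical function names and a hypothetical group value (rbz-admins).

```python
import base64
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
REQUIRED = ("emailaddress", "displayname", "groups")  # attribute names from the page


def saml_attributes(saml_response_b64):
    """Return {name: [values]} from a base64 SAMLResponse (HTTP-POST binding).

    Inspection only: no signature or condition checks are done here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    attrs = {}
    for attr in root.iter(SAML + "Attribute"):
        # Assumption: compare on the last path segment, so URI-style claim
        # names ending in /groups or /emailaddress are recognised too.
        name = attr.get("Name", "").rstrip("/").rsplit("/", 1)[-1].lower()
        values = [(v.text or "").strip() for v in attr.findall(SAML + "AttributeValue")]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_mapping(saml_response_b64, admin_group):
    """Report missing attributes and the access level the groups value selects."""
    attrs = saml_attributes(saml_response_b64)
    missing = [n for n in REQUIRED if not any(attrs.get(n, []))]
    # Assumed rule: exact, case-sensitive match; anything else is read-only.
    is_admin = admin_group in attrs.get("groups", [])
    return {"missing": missing, "level": "admin" if is_admin else "read-only"}


def constructed_response(group_value, email="alice@example.com"):
    """Build a constructed, unsigned sample response (not captured traffic)."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
                '</saml:AttributeValue></saml:Attribute>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:AttributeStatement>' + attr("emailaddress", email)
           + attr("displayname", "Alice Example") + attr("groups", group_value)
           + '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for group in ("rbz-admins", "rbz-admins-old"):  # constructed group values
        print(group, check_mapping(constructed_response(group), "rbz-admins"))
```

A near match such as rbz-admins-old or a different letter case resolves to read-only here, which is the behaviour to confirm for the read-only group value chosen during assignment.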