Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry.
Saviynt Copilot Icon

Entitlement in another endpoint for SSO access

ArW
New Contributor III
New Contributor III

Hello,

We use Azure as a single IDP and all application use SAML Federation with Azure to manage our authentication.


Therefore, to be granted access to an application, for instance Slack, a user in Saviynt will need both the Slack entitlement (for exemple an Admin role) and an Azure entitlement corresponding to the Azure application providing the federation to Slack.

We do not want our end users to have to request the Azure entitlements manually so we plan to use entitlement maps to automatically provision and deprovision access to the Azure application:

For instance, say we have two entitlements for Slack, User & Admin
For both entitlements we can add an entitlement map to the Slack Azure application entitlement so that whenever a users request the user or admin role, the slack azure application entitlement will be automatically requested.

However, there is an issue with access removal with this model:
If a user has both the users and admin role, and for some reason we want to remove the admin role,
the entitlement map will also create a remove access task for the slack azure application entitlement: in the end, the user will still have the user role but not the azure entitlement and won't be able to SSO to Slack.

What would be the best solution in this case to avoid this behaviour ?
Is it maybe possible to link an external entitlement to the endpoint/account level so that whenever a user has an account in an endpoint, he is guaranted  to have that entitlement an another endpoint ?

Thanks

6 REPLIES 6

Amit_Malik
Valued Contributor II
Valued Contributor II

@ArW , 

You can use Entitlement with new account for this use case

Amit_Malik_0-1725620725429.png

With the solution you have , you need to maintain entitlement map for all entitlement. But with above , if user is requesting app access for first time , they will added to SSO group with account request (whatever access they request with it)

The issue of removal that you are facing with map will also not occur in this case. This is how we have configured it. For removal , you can use analytics when account is deleted from / removed from target or use rules , when user leaves - remove SSO grps and other accounts and accesses.

 

 

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

NM
Honored Contributor II
Honored Contributor II

Hi @ArW , 2 options

1 you can use entitlement with new account feature .. which will assign access as soon as a person request for an account on that endpoint.

2) disable remove ent checkbox which will not create the task and then remove entitlement via analytics when account gets deleted in slack endpoint.

ArW
New Contributor III
New Contributor III

Hello @Amit_Malik @NM 

Thank you for your reply, the entitlement with new account feature seem indeed to match exactly our use case !

I have two questions regarding this feature

  1. I noticed that with entitlements maps, dedicated tasks are created for entitlements in the map. Is this also the case for this feature ? Is a dedicated "Add access" task  created for that entitlement ? 
  2. In the case of already existing accounts, I guess that nothing happens what a new "Entitlement with new account" is set. Is there a way to trigger this on all accounts already existing for this endpoint ?

Amit_Malik
Valued Contributor II
Valued Contributor II
  1. I noticed that with entitlements maps, dedicated tasks are created for entitlements in the map. Is this also the case for this feature ? Is a dedicated "Add access" task  created for that entitlement ? Yes
  2. In the case of already existing accounts, I guess that nothing happens what a new "Entitlement with new account" is set. Is there a way to trigger this on all accounts already existing for this endpoint ?Yes, via Analytics. Get all accounts --> How many not having SSO grp --> create add access task

Below links have sample queries on creating add access task via analytics

https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Provisioning-or-deprovisioning-assignments-fr...

https://forums.saviynt.com/t5/identity-governance/add-access-actionable-analytics/m-p/66629#M41590

Kind Regards,
Amit Malik
If this helped you move forward, please click on the "Kudos" button.
If this answers your query, please select "Accept As Solution".

NM
Honored Contributor II
Honored Contributor II

@ArW ,

Yes same case with entitlement with new account it will create a add access task

2)for existing user you can run a one time analytics which will add all the users in the group via add access task.

ArW
New Contributor III
New Contributor III

Ok thanks a lot for your reply !