
Entitlement in another endpoint for SSO access

ArW
New Contributor II

Hello,

We use Azure as a single IDP and all applications use SAML Federation with Azure to manage our authentication.

Therefore, to be granted access to an application, for instance Slack, a user in Saviynt will need both the Slack entitlement (for example an Admin role) and an Azure entitlement corresponding to the Azure application providing the federation to Slack.

We do not want our end users to have to request the Azure entitlements manually so we plan to use entitlement maps to automatically provision and deprovision access to the Azure application:

For instance, say we have two entitlements for Slack, User & Admin
For both entitlements we can add an entitlement map to the Slack Azure application entitlement so that whenever a user requests the user or admin role, the Slack Azure application entitlement will be automatically requested.

However, there is an issue with access removal with this model:
If a user has both the user and admin roles, and for some reason we want to remove the admin role,
the entitlement map will also create a remove access task for the slack azure application entitlement: in the end, the user will still have the user role but not the azure entitlement and won't be able to SSO to Slack.

What would be the best solution in this case to avoid this behaviour?
Is it maybe possible to link an external entitlement to the endpoint/account level so that whenever a user has an account in an endpoint, he is guaranteed to have that entitlement in another endpoint?

Thanks

6 REPLIES

Amit_Malik
Valued Contributor II

@ArW , 

You can use Entitlement with new account for this use case


With the solution you have, you need to maintain an entitlement map for all entitlements. But with the above, if a user is requesting app access for the first time, they will be added to the SSO group with the account request (whatever access they request with it).

The issue of removal that you are facing with the map will also not occur in this case. This is how we have configured it. For removal, you can use analytics when the account is deleted from / removed from the target, or use rules: when the user leaves, remove SSO groups and other accounts and accesses.

Kind Regards,
Amit Malik

NM
Honored Contributor II

Hi @ArW, 2 options:

1) You can use the entitlement with new account feature, which will assign access as soon as a person requests an account on that endpoint.

2) Disable the remove ent checkbox, which will not create the task, and then remove the entitlement via analytics when the account gets deleted in the Slack endpoint.

ArW
New Contributor II

Hello @Amit_Malik @NM 

Thank you for your reply, the entitlement with new account feature seems indeed to match exactly our use case!

I have two questions regarding this feature

  1. I noticed that with entitlement maps, dedicated tasks are created for entitlements in the map. Is this also the case for this feature? Is a dedicated "Add access" task created for that entitlement?
  2. In the case of already existing accounts, I guess that nothing happens when a new "Entitlement with new account" is set. Is there a way to trigger this on all accounts already existing for this endpoint?

Amit_Malik
Valued Contributor II
  1. I noticed that with entitlement maps, dedicated tasks are created for entitlements in the map. Is this also the case for this feature? Is a dedicated "Add access" task created for that entitlement? Yes
  2. In the case of already existing accounts, I guess that nothing happens when a new "Entitlement with new account" is set. Is there a way to trigger this on all accounts already existing for this endpoint? Yes, via Analytics. Get all accounts --> How many not having SSO group --> create add access task

Below links have sample queries on creating add access task via analytics

https://docs.saviyntcloud.com/bundle/KBAs/page/Content/Provisioning-or-deprovisioning-assignments-fr...

https://forums.saviynt.com/t5/identity-governance/add-access-actionable-analytics/m-p/66629#M41590

Kind Regards,
Amit Malik

NM
Honored Contributor II

@ArW ,

1) Yes, same case with entitlement with new account: it will create an add access task.

2) For existing users you can run a one-time analytics which will add all the users to the group via an add access task.

ArW
New Contributor II

Ok, thanks a lot for your reply!
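The gap check outlined in the replies (all accounts, then those missing the SSO group, then add access tasks), modelled as an added example that is not part of the thread and is not Saviynt code or a Saviynt analytics query. The entitlement name, task labels and sample data are constructed assumptions; the model also reproduces the entitlement-map removal problem from the question so the check can be seen catching it.

```python
# Constructed model; SSO, the task labels and all users are hypothetical.
SSO = "azure:slack-sso-app"  # stands in for the Azure application entitlement


def remove_via_entitlement_map(slack, azure, user, role):
    """Removal issue from the question: the map attached to `role` also
    removes the SSO entitlement, whatever other roles the user still holds."""
    slack[user].discard(role)
    azure.get(user, set()).discard(SSO)


def reconcile(slack, azure):
    """Account-level rule: every Slack account needs the SSO entitlement,
    and an SSO entitlement without a Slack account is an orphan."""
    tasks = []
    for user in sorted(set(slack) | set(azure)):
        has_account = user in slack
        has_sso = SSO in azure.get(user, set())
        if has_account and not has_sso:
            tasks.append(("add_access", user, SSO))
        elif has_sso and not has_account:
            tasks.append(("remove_access", user, SSO))
    return tasks


def demo():
    # user -> Slack entitlements on an existing Slack account (constructed)
    slack = {"alice": {"User", "Admin"}, "bob": {"User"}, "carol": {"Admin"}}
    # user -> Azure entitlements (constructed); dave's Slack account is gone
    azure = {"alice": {SSO}, "bob": set(), "dave": {SSO}}

    before = reconcile(slack, azure)  # backfill for pre-existing accounts
    remove_via_entitlement_map(slack, azure, "alice", "Admin")
    after = reconcile(slack, azure)   # alice kept "User" but lost SSO
    return before, after


if __name__ == "__main__":
    for label, tasks in zip(("before", "after"), demo()):
        print(label, tasks)
```
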