Saviynt unveils its cutting-edge Intelligence Suite products to revolutionize Identity Security!
Click HERE to see how Saviynt Intelligence is transforming the industry. Saviynt Copilot Icon
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to control SSO PingID oneaccount using AD groups

NidhiSingh
New Contributor III
New Contributor III

‎08/20/2024 05:52 AM

We have integrated Saviynt with PingID OneAccount for SSO implementation, using two approaches- one for Admin another for non-admin users. List of Admin users are put into AD groups for authentication.  We are assigning ROLE_ADMIN SAV Role for Admin users, if new user comes in and they are assigned ROLE_ADMIN SAV Role in Saviynt, how to control SSO for the Admin user AD groups. 

Labels:
0 Kudos
5 REPLIES 5

rushikeshvartak
All-Star
All-Star

‎08/20/2024 05:53 AM

You can use ROLE_USER sav role for end users.


Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

NidhiSingh
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/20/2024 06:24 AM

End users are not being assigned to AD group, the Admin users on the other hand are assigned with a AD group "ADMINS". Whenever SSO authentication happens, the user having ROLE_ADMIN SAV Role should be validated against Admins AD group. If any user is not part of this AD group but having ROLE_ADMIN SAV Role in Saviynt, then SSO should not work. Is there any correlation attribute can be used to store the AD group in Saviynt.

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to NidhiSingh

‎08/20/2024 06:32 AM

  • SSO will not check correlation in saviynt. it will validate if user is part of particular SSO authorization group or not.

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos

NidhiSingh
New Contributor III
New Contributor III
In response to rushikeshvartak

‎08/20/2024 06:44 AM

If user is not part of SSO auth group then it will be considered as non admin and user can access Saviynt with ROLE_ADMIN role without any issues.. This is deviating from the design of Admin users.
Is there any way we can restrict the users accessing Saviynt with ROLE_ADMIN + SSO Group member in AD?

0 Kudos

rushikeshvartak
All-Star
All-Star
In response to NidhiSingh

‎08/20/2024 06:46 AM

  • You can't have paramutations 

Regards,
Rushikesh Vartak
If this helped you move forward, click 'Kudos'. If it solved your query, select 'Accept As Solution'.
0 Kudos
Copyright © 2024 Khoros, LLC