Workflows Global IdP Settings

Enabling certification auto-assignment using graph metadata.

By default, operators creating certifications can pick default reviewers for all results from a dropdown menu. These are system users, managed under Administration > User Management. Suggestions include local accounts for any users that have already logged in with single sign-on. After integrating your Identity Provider and enabling it as a Global Identity Provider, this list also includes users discovered by Veza in the authorization graph, even if they have not yet logged in.

For organizations with many employees and reviewers, enabling a Global Identity Provider for Access Reviews eliminates the need to manually specify additional reviewers by email, or create additional Veza user accounts for reviewers. When enabled:

  • Administrators can create workflows and assign certifications for any IdP user in a domain.

  • Any employee able to log in with SSO can authenticate without the need to provision an account beforehand.

  • Managers can be auto-assigned as reviewers using tags or graph metadata.

Accounts created for SSO users have the Access Reviewer role by default, so a first-time login never grants more than the least privilege needed. Reviewers can only access their certifications and assigned results. A Veza administrator must assign any additional permissions.

Updating workflow global identity provider settings

At present, Veza support must make the API call to customize global IdP settings. See the following sections for prerequisites and the request format.

Before you begin

  • The authorization graph must contain user entities from an integrated provider data source.

  • Veza support will supply an auth_provider_id for the Veza SSO connection.

  • Use Query Builder to find a user from the IdP, and retrieve the provider datasource_id.

  • If not already enabled, set up Single Sign On for the IdP to enable login for the external users.

Update global identity provider settings request

PUT workflows/access/global_settings/idp_settings

Configure Workflows to suggest reviewers from the graph db by specifying the SSO auth provider id and the IdP data source instance id:

    {
        "value": {
            "enabled": true,
            "idp": {
                "auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
                "user_type": "OktaUser",
                "instance_id": "dev-5150036.okta.com",
                "user_identity_property": "idp_unique_id",
                "instance_id_property": "datasource_id",
                "manager_identity_property": "manager_idp_unique_id"
            }
        }
    }
Value to update              Description

enabled                      Set true to enable the configuration.

auth_provider_id             Internal UID for the single sign-on provider instance (supplied by Veza support).

user_type                    Graph entity type to search for users, such as CustomIDPUser or OktaUser.

instance_id                  The UID for a provider instance in the data catalog (the datasource_id found with Query Builder).

user_identity_property       Unique entity property used to identify a user within the IdP, typically idp_unique_id.

instance_id_property         The user entity property compared against instance_id to select the IdP instance (e.g. datasource_id).

manager_identity_property    The user entity property that holds the manager's identity (e.g. manager_idp_unique_id), used for auto-assigning managers as reviewers.

active_user_conditions       Optional filter that restricts suggestions to active users, e.g. {"fn": "EQ", "property": "is_active", "value": true}. Users that do not match are excluded.

user_identity_property should be a globally unique value. Setting this to a name or email should be avoided as a best practice.

  • auth_provider_id identifies users that have entries in the local user database, and will additionally map to graph entities.

  • There can be several instances of an IdP for a given user_type.

  • instance_id ensures user info is only pulled from the correct instance and IdP domain.

  • Veza will populate the user list by searching for nodes of type user_type with instance_id_property equal to instance_id.

  • Setting "instance_id_property": "datasource_id" will typically achieve the correct behavior.
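As an added example (not Veza's own tooling), the following Python builds the request body described above, checks it against the constraints listed on this page before it is sent (a boolean enabled flag, all idp fields present, a UUID-shaped auth_provider_id, and a user_identity_property that is not a name or email), and shows the PUT itself. The API base URL, the bearer-token header and the submission helper are assumptions for illustration; the placeholder "x" used in the examples below would be rejected by the UUID check, which is the intended behaviour.

```python
"""Build, sanity-check and submit global IdP settings for Workflows.

Added example, not Veza's own code. Assumed (not taken from this page):
the endpoint is reached under an API base URL such as
https://<tenant>.veza.com/api/v1 and authenticates with a bearer token.
"""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)
# Properties that are neither globally unique nor stable; the page says not
# to key user identity on them.
WEAK_IDENTITY_PROPERTIES = {"name", "email", "username", "display_name"}
REQUIRED_IDP_FIELDS = (
    "auth_provider_id",
    "user_type",
    "instance_id",
    "user_identity_property",
    "instance_id_property",
    "manager_identity_property",
)
ENDPOINT_PATH = "/workflows/access/global_settings/idp_settings"


def build_idp_settings(
    auth_provider_id: str,
    user_type: str,
    instance_id: str,
    *,
    user_identity_property: str = "idp_unique_id",
    instance_id_property: str = "datasource_id",
    manager_identity_property: str = "manager_idp_unique_id",
    active_user_conditions: Optional[Dict[str, Any]] = None,
    enabled: bool = True,
) -> Dict[str, Any]:
    """Return the request body in the shape shown on this page."""
    idp: Dict[str, Any] = {
        "auth_provider_id": auth_provider_id,
        "user_type": user_type,
        "instance_id": instance_id,
        "user_identity_property": user_identity_property,
        "instance_id_property": instance_id_property,
        "manager_identity_property": manager_identity_property,
    }
    if active_user_conditions is not None:
        idp["active_user_conditions"] = active_user_conditions
    return {"value": {"enabled": enabled, "idp": idp}}


def check_idp_settings(body: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the body looks sound."""
    problems: List[str] = []
    value = body.get("value", {})
    if not isinstance(value.get("enabled"), bool):
        problems.append("enabled must be a boolean")
    idp = value.get("idp", {})
    for field in REQUIRED_IDP_FIELDS:
        if not idp.get(field):
            problems.append(f"{field} is required")
    apid = idp.get("auth_provider_id", "")
    if apid and not UUID_RE.match(apid):
        problems.append("auth_provider_id does not look like a UUID")
    if str(idp.get("user_identity_property", "")).lower() in WEAK_IDENTITY_PROPERTIES:
        problems.append("user_identity_property must be globally unique, not a name or email")
    cond = idp.get("active_user_conditions")
    if cond is not None and not {"fn", "property", "value"} <= set(cond):
        problems.append("active_user_conditions needs fn, property and value")
    return problems


def put_idp_settings(base_url: str, token: str, body: Dict[str, Any], opener=urllib.request.urlopen):
    """PUT the body to the endpoint. `opener` is injectable so the call can be
    exercised offline; base_url and the bearer header are assumptions."""
    problems = check_idp_settings(body)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT_PATH,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return resp.status, json.loads(resp.read() or b"{}")
```

Run check_idp_settings on the body before handing it to Veza support; an empty list means every field the table above requires is present and the identity property is a stable identifier rather than a name or address.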

Examples

Okta:

{
  "value": {
    "enabled": true,
    "idp": {
      "auth_provider_id": "x",
      "user_type": "OktaUser",
      "instance_id": "dev-5150036.okta.com",
      "user_identity_property": "idp_unique_id",
      "instance_id_property": "datasource_id",
      "manager_identity_property": "manager_idp_unique_id"
    }
  }
}

AzureAD:

{
  "value": {
    "enabled": true,
    "idp": {
      "auth_provider_id": "x",
      "user_type": "AzureADUser",
      "instance_id": "d5d23474-d857-4e12-bf68-75d638867e93",
      "user_identity_property": "idp_unique_id",
      "instance_id_property": "datasource_id",
      "manager_identity_property": "manager_idp_unique_id"
    }
  }
}

Custom Identity Provider:

{
  "value": {
    "enabled": true,
    "idp": {
      "auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
      "user_type": "CustomIDPUser",
      "instance_id": "aa650cf7-2370-406e-bb35-1a8e14b92919",
      "user_identity_property": "idp_unique_id",
      "instance_id_property": "datasource_id",
      "manager_identity_property": "manager_idp_unique_id"
    }
  }
}

Validating the configuration

You can inspect the results of a global identity configuration by starting a new certification and choosing to select reviewers. If the user_type, instance_id, and instance_id_property are correct, identities from the graph db will appear in the suggestions.

If auth_provider_id is correct, a user that logged in with SSO should only be listed once in the scenario above, as the local user entry will be filtered out. Only the user record from the graph db will appear.
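The selection and de-duplication behaviour described in this section and in the bullets after the settings table, modelled in Python as an added example (not Veza's own implementation; the graph nodes and local user table are constructed inline, and the matching rules are inferred from the page's description): nodes of user_type whose instance_id_property equals instance_id are kept, active_user_conditions is applied, managers are resolved through manager_identity_property, and a local SSO account that already maps to a graph entity is listed only once. Only the EQ filter function appears on this page; NEQ is an assumption added for illustration.

```python
"""Model of reviewer suggestions under global IdP settings.

Added example, not Veza's code; behaviour is inferred from the page text.
"""
from typing import Any, Dict, List, Optional

Node = Dict[str, Any]

# Settings mirror the request body on this page (sample values, not a real tenant).
SETTINGS: Node = {
    "enabled": True,
    "idp": {
        "auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
        "user_type": "OktaUser",
        "instance_id": "dev-5150036.okta.com",
        "user_identity_property": "idp_unique_id",
        "instance_id_property": "datasource_id",
        "manager_identity_property": "manager_idp_unique_id",
        "active_user_conditions": {"fn": "EQ", "property": "is_active", "value": True},
    },
}

# Constructed sample graph: two users in the configured Okta instance (one
# deactivated), one user in a different Okta instance, and a manager.
GRAPH_NODES: List[Node] = [
    {"type": "OktaUser", "datasource_id": "dev-5150036.okta.com", "idp_unique_id": "00u1",
     "name": "Alice", "email": "alice@example.com", "manager_idp_unique_id": "00u3", "is_active": True},
    {"type": "OktaUser", "datasource_id": "dev-5150036.okta.com", "idp_unique_id": "00u2",
     "name": "Bob", "email": "bob@example.com", "manager_idp_unique_id": "00u3", "is_active": False},
    {"type": "OktaUser", "datasource_id": "other.okta.com", "idp_unique_id": "00u9",
     "name": "Dave", "email": "dave@example.com", "manager_idp_unique_id": None, "is_active": True},
    {"type": "OktaUser", "datasource_id": "dev-5150036.okta.com", "idp_unique_id": "00u3",
     "name": "Carol", "email": "carol@example.com", "manager_idp_unique_id": None, "is_active": True},
]

# Constructed local user table: Alice has logged in via SSO and is linked to
# the auth provider; admin is a password-only local account.
LOCAL_USERS: List[Node] = [
    {"email": "alice@example.com", "name": "Alice", "auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
     "idp_unique_id": "00u1"},
    {"email": "admin@example.com", "name": "Local Admin", "auth_provider_id": None},
]


def matches(node: Node, cond: Node) -> bool:
    """Evaluate an active_user_conditions filter against one node."""
    actual = node.get(cond["property"])
    if cond["fn"] == "EQ":
        return actual == cond["value"]
    if cond["fn"] == "NEQ":  # assumption: not shown on the page
        return actual != cond["value"]
    raise ValueError(f"unsupported filter fn: {cond['fn']}")


def graph_users(settings: Node, nodes: List[Node]) -> List[Node]:
    """Nodes of user_type from the configured instance, filtered to active users."""
    idp = settings["idp"]
    cond = idp.get("active_user_conditions")
    out = []
    for n in nodes:
        if n.get("type") != idp["user_type"]:
            continue
        if n.get(idp["instance_id_property"]) != idp["instance_id"]:
            continue  # same user_type, but a different IdP instance/domain
        if cond and not matches(n, cond):
            continue
        out.append(n)
    return out


def suggest_reviewers(settings: Node, nodes: List[Node], local_users: List[Node]) -> List[Node]:
    """Merge graph users with local accounts; an SSO user appears once."""
    if not settings.get("enabled"):
        return [{"source": "local", "id": u["email"], "name": u["name"]} for u in local_users]
    idp = settings["idp"]
    key = idp["user_identity_property"]
    users = graph_users(settings, nodes)
    graph_ids = {u[key] for u in users}
    suggestions = [{"source": "graph", "id": u[key], "name": u["name"]} for u in users]
    for u in local_users:
        linked = u.get("auth_provider_id") == idp["auth_provider_id"] and u.get(key) in graph_ids
        if linked:
            continue  # already represented by its graph entity
        suggestions.append({"source": "local", "id": u["email"], "name": u["name"]})
    return suggestions


def manager_of(settings: Node, user: Node, nodes: List[Node]) -> Optional[Node]:
    """Resolve the manager node via manager_identity_property, or None."""
    idp = settings["idp"]
    manager_id = user.get(idp["manager_identity_property"])
    if manager_id is None:
        return None
    for m in graph_users(settings, nodes):
        if m.get(idp["user_identity_property"]) == manager_id:
            return m
    return None
```

With the sample data, the deactivated user and the user from the other Okta instance never appear, Alice is listed once (from the graph, not from her local account), the password-only local admin is still offered, and Alice's auto-assigned manager resolves to Carol. If the instance_id or instance_id_property were wrong, graph_users would return nothing and only local accounts would be suggested, which is the symptom to look for when validating.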
