Custom Identity Provider
Template for pushing IdP domain, user, and group metadata
Use this template to model authorization metadata for custom identity providers using the Open Authorization API.
This document includes an example template and notes for designing and publishing a model of your IdP
A custom property definition can define additional properties to add additional metadata to entities in the payload.
Veza will handle federated identities just as those in supported IdPs such as Okta or Azure AD, enabling search and access review for OAA entities alongside the rest of your data catalog.
Sample Template and Features
The metadata payload describes the Identity Provider domain, users, and groups to add to the Veza authorization graph:
Modeling assumable Amazon Web Services roles
For cases where federated IdP entities are granted AWS permissions via IAM roles, the template supports defining assumable roles per-user. Binding a custom IdP user or group to an AWS role or group ARN enables Veza to parse and display the resource-level actions permitted within AWS.
Custom IdP users and groups can be assigned permissions in other OAA applications by setting the principal type
to idp
in identity_to_permissions
in the custom application payload.
Source Identity Assignments
For use cases where a custom IdP is federated with another identity provider user identities can be linked between the two. Authorizations granted to the user will also be granted the source identity. The link is created by providing the unique identity ID and provider type as part of the user entry.
For provider_type
the following values are accepted:
Provider |
|
Active Directory |
|
Any |
|
AzureAD |
|
OAA |
|
Google Workspace |
|
Okta |
|
One Login |
|
Resource manager assignments
New in Veza release
2022.2.1
To assign an IdP user or group as the manager of any resource Veza has discovered, list the node type and node id in the entities_owned
field, for example:
When parsing the payload, resources in the data catalog will be updated with a SYSTEM_resource_managers
tag to enable entitlement reviews. The owner(s) will be suggested as reviewers for Veza Workflows that target an individual named resource with the correct tag.
Manager assignments
New in Veza release
2022.2.1
Users and groups can be mapped to the identity
of another user they report to. When configured, the manager will be suggested as a review for Workflow certifications where the assigned reporter is the single query target "named entity."
Custom Properties and Tags
Custom Properties are the recommended method for adding additional metadata to custom identities and resources.
Additionally, Veza tags can be applied to the IdP domain, users, and groups:
Use incremental updates to remove tags: Resubmitting a payload with different tags will apply any new tags, but not remove existing ones. To remove a tag already applied to an entity, you will need to use the incremental update remove_tag
operation.
Incremental Updates
After the initial metadata push (which must contain the full payload), you can modify, add, or remove the domain, users, and groups without resubmitting other entities. An incremental update is enabled by setting "incremental_change": true
in the json_data
push payload, and specifying the update operation
for each entity to change.
Custom Identity Provider
definition
Custom Identity Provider
definitionThe identity provider object models one instance of the custom IdP:
Field | Type | Description |
---|---|---|
| string | Name to associate with the provider in Veza. |
| Defines the key and types for properties that can be applied to other objects in the push payload | |
| string | Type descriptor for IdP, can be unique or share across multiple IdP (for example |
| string | Any notes to add as entity details (optional) |
| Domain model | |
| Dictionary of CustomIdPUser class instances | |
| Dictionary of CustomIdPGroup class instances | |
| boolean | When |
IdP Domain
IdP Domain
One domain is supported for each custom IdP. Users and groups are mapped to the IdP domain, and connected in Veza Search:
Field | Type | Description |
---|---|---|
| string | IdP Domain name |
| Each element of the push payload can have | |
| Dynamic Properties | Up to 5 attributes to apply to the domain (deprecated, use custom properties instead) |
| Veza Tags list | Any tags to create and apply to the domain. |
| enum | For incremental updates, the operation to use. |
IdP Users
IdP Users
Each IdP user object contains the display name, login email, and identity, along with other identity-related properties:
Field | Type | Description |
---|---|---|
| string | Primary ID for user |
| string | Optional email for user |
| string | Optional unique identifier for user |
| string list | Assign groups memberships by group |
| string | Full name to display in Veza |
| string list | Any departments to apply as a searchable property (optional). |
| boolean | If available, will be applied to the entity as a searchable property (optional). |
| boolean | If available, will be applied to the entity as a searchable property (optional). |
| array | AWS IAM roles that can be assumed by the IdP user, in the format |
| Veza Tags list | Any tags to create and apply to the user. |
| Dynamic Properties | Up to 5 attributes to apply to the user (deprecated, use custom properties instead) |
| Each element of the push payload can have | |
| string | If the same as another user's |
| Entities Owned array | If another resource is specified by entity type and entity id, a Veza tag will be created on the resource to indicate the owner. |
| enum | For incremental updates, the operation to use (optional). |
| Optionally link IdP user to user from another IdP for federation use cases. |
IdP Groups
IdP Groups
Add a group by name
in the groups
section of the template to enable mapping IdP users
to those groups:
Field | Type | Description |
---|---|---|
| string | IdP group name. |
| string | Unique ID used for user-group assignments. |
| string | Optional display name for group |
| string list | other custom IdP groups this group is a member of |
| boolean | Sets the |
| Veza Tags list | Any tags to create and apply to the group. |
| Each element of the push payload can have | |
| Dynamic Properties | Up to 5 attributes to apply to the domain. (deprecated, use custom properties instead) |
| enum | For incremental updates, the operation to use (optional). |
| array | AWS IAM roles the group can assume, in the format |
IdP entities can be granted permissions on custom applications in the
identity_to_permissions
section of the custom app metadata payload.
Adding a new custom identity provider
The steps to add a custom IdP are the same as for any other OAA provider: you will need to register the new provider and data source, and then push the domain, user, and group descriptions in a JSON payload.
1. Register a custom identity provider
To create a new custom provider using the identity_provider
template, POST the name and template type to /providers/custom:
The response will return the custom IdP ID, which you will need when pushing the metadata payload:
2. Push a data source for the custom identity provider
Note that the provider id is required in both the path and body of the request. The response will include the new data source ID.
3. Push metadata for the data source
The payload file must contain the provider and data source ID, and the authorization metadata as a single string, for example:
Last updated