Configuring a Global Identity Provider
Integrating with an Identity Provider enables single sign on and auto-assignment for Access Reviews.
Last updated
Was this helpful?
Integrating with an Identity Provider enables single sign on and auto-assignment for Access Reviews.
Last updated
Was this helpful?
Was this helpful?
For organizations with many users and access reviewers, enabling a global Identity Provider (IdP) eliminates the need to manually specify additional reviewers by email, or create additional Veza user accounts for reviewers. When enabled:
Administrators and Operators can create reviews and assign reviews for any IdP user in a domain.
Any IdP user able to log in to Veza with single sign-on (SSO) can authenticate without the need to provision an account beforehand. See Sign-In Settings to enable SSO.
Entity Owners and Resource Manager Tags can be auto-assigned as reviewers.
Alternate Manager Lookup can be used to assign reviews when you have multiple sources of employee records (e.g., contractors in one system, managers in another).
Typically, Veza support will make the API calls required to customize global IdP settings. See the following sections for prerequisites and the request format.
The authorization graph must contain entities for an integrated provider data source. See the integration guides for:
Use Query Builder to search for a user from your identity provider, and retrieve the provider’s datasource_id.
Single Sign-On should be enabled to allow external users to log in to Veza.
Veza support will supply an auth_provider_id for the Veza SSO connection.
PUT workflows/access/global_settings/idp_settings
Enable Veza to suggest reviewers from the graph, by specifying the SSO auth provider id and the identity provider data source instance id:
"value": {
"enabled": true,
"idp": {
"auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
"user_type": "OktaUser",
"instance_id": "dev-5150036.okta.com",
"user_identity_property": "idp_unique_id",
"instance_id_property": "datasource_id",
"manager_identity_property": "manager_idp_unique_id"
}
}enabled
Set true to enable the provider as a Global IdP.
auth_provider_id
Internal UID for the single sign-on provider instance.
user_type
Graph entity type to search for users, such as CustomIDPUser or OktaUser.
instance_id
The UID for a provider in the data catalog.
user_identity_property
Unique entity property used to identify the IdP, typically idp_unique_id.
instance_id_property
The user entity property used to identify the IdP instance (e.g. instance_id).
manager_identity_property
The user entity property used to identify the manager.
active_user_conditions
Filter string for identifying inactive users e.g. {"fn": "EQ", "property": "is_active", "value": true}
`user_identity_property` should be a globally unique value. Setting this to a name or email should be avoided as a best practice.
Notes:
auth_provider_id identifies users with entries in the local user database and will also map correlated graph entities.
There can be several instances of an identity provider for a given user_type.
instance_id ensures the user info is pulled from the correct instance and domain.
Veza will populate the user list by searching for nodes of type user_type with instance_id_property equal to instance_id.
Setting "instance_id_property": "datasource_id" will typically achieve the correct behavior.
Okta:
{
"value": {
"enabled": true,
"idp": {
"auth_provider_id": "x",
"user_type": "OktaUser",
"instance_id": "dev-5150036.okta.com",
"user_identity_property": "idp_unique_id",
"instance_id_property": "datasource_id",
"manager_identity_property": "manager_idp_unique_id"
}
}
}Microsoft Azure AD:
{
"value": {
"enabled": true,
"idp": {
"auth_provider_id": "x",
"user_type": "AzureADUser",
"instance_id": "d5d23474-d857-4e12-bf68-75d638867e93",
"user_identity_property": "idp_unique_id",
"instance_id_property": "datasource_id",
"manager_identity_property": "manager_idp_unique_id"
}
}
}Custom Identity Provider:
{
"value": {
"enabled": true,
"idp": {
"auth_provider_id": "cf9bab40-4e48-4afc-a310-acfdad416233",
"user_type": "CustomIDPUser",
"instance_id": "aa650cf7-2370-406e-bb35-1a8e14b92919",
"user_identity_property": "idp_unique_id",
"instance_id_property": "datasource_id",
"manager_identity_property": "manager_idp_unique_id"
}
}
}You can confirm changes are working as intended by starting a review and selecting reviewers:
If the user_type, instance_id, and instance_id_property are correct, identities from the graph will appear in the suggestions.
If auth_provider_id is correct, SSO users should only appear once in the scenario above. The local user entry is filtered from the list. Only the user record from the graph entity will appear.