Just In-Time User Provisioning (Authentication Server Support)

Summary, FAQ, and Configuration Information About the InsightCloudSec Just In-Time User Provisioning Capabilities

🚧

Database Backup

As with all significant platform changes, we recommend that you back up your database before implementing JIT User Provisioning. If you have questions or concerns, reach out to us via the Customer Support Portal.

Feature Summary

InsightCloudSec supports authentication server synchronization, a feature we call Just-In-Time User Provisioning (JIT). InsightCloudSec JIT synchronizes users and groups from an external Identity Provider (IdP) authentication server such as Okta, LDAP, Ping, or Microsoft Active Directory. When an authentication server is configured in InsightCloudSec, a scheduled sync job runs once an hour; for SAML authentication servers, updates can also be applied when a user logs in.

This feature, combined with group-based entitlements, lets InsightCloudSec Admins manage InsightCloudSec user access from their identity provider without making additional per-user updates in InsightCloudSec.

How Does it Work

InsightCloudSec groups are mapped to corresponding groups from the authentication server. InsightCloudSec synchronizes the memberships in its mapped groups to those on the authentication server.

  • If a user in an authentication server group is not present in InsightCloudSec, that user is created.
  • If an existing SAML InsightCloudSec user is no longer in any of the mapped groups in the authentication server, that user is deactivated in InsightCloudSec (but can be reactivated if that user returns to a mapped group later).
  • InsightCloudSec’s mappings include authentication server groups to specify Domain Admin and Organization Admin users. An example of group mappings is shown below.
    • Note: Domain Admin and Organization Admin are not listed under User groups because they are system-generated groups and cannot be modified.

📘

Editing Domain Admin Mappings

Only Domain Admins can edit Domain Admin group mappings.

[Screenshot: Example Group Mappings]

Prerequisites

📘

Value Names (DivvyCloud vs. InsightCloudSec)

Some components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Before getting started with InsightCloudSec's authentication server support using JIT you should have the following:

  • A functioning InsightCloudSec platform
  • Admin permissions for your authentication server
  • Note: Only Domain Admins (in InsightCloudSec) can edit Domain Admin group mappings

Supported Implementations

At present JIT is available for LDAP and SAML authentication servers.

Within this documentation for LDAP and SAML we use Okta configurations as an example.

  • For specific details on Okta we recommend you refer to their documentation.
  • For other providers, we recommend you refer to the specific provider's configuration documentation.

As always, if you have questions or issues, or want details on implementation using something other than Okta, we're here to help; reach out to us through the Customer Support Portal.

Configuration Considerations

Entitlements

You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in InsightCloudSec will create groups with users that have NO associated permissions.

  • Take a look at our documentation around Basic User Groups, Roles, & Entitlements, and our User Entitlements Matrix if you still need to prepare these configurations.
  • The warning shown below is included in our detailed steps for the various configuration methods to remind you of the potential issues around creating Group Mappings without entitlements.

❗️

Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Basic User Groups, Roles, & Entitlements or the User Entitlements Matrix for details.

Scheduled Updates

In InsightCloudSec, scheduled updates run once an hour. InsightCloudSec fetches the member lists of the mapped user groups from the authentication server, then updates its own users and group associations to match.

Credentials

Note: A credential for the authentication server is required to perform the scheduled updates (sync-at-login for SAML works without one; see the FAQ below). The sync only needs to read group memberships, so the credential should be read-only.

  • For Okta, this is implemented using a read-only API key.
  • For LDAP, InsightCloudSec uses the credentials of a user with directory-read privileges.

FAQ

Note: if your issue or concern is not included here, or you need assistance with this feature, reach out to us through the Customer Support Portal.

What happens if an existing InsightCloudSec user is moved out of all mapped groups?

InsightCloudSec users are marked inactive if they no longer have membership in any mapped groups. The user is reactivated if added to a mapped group later.

What happens if a new user is included in a mapped group in the authentication server?

InsightCloudSec creates the user and places them in the appropriate mapped group(s) on the next run of the hourly sync job. To sync immediately, go to the authentication server settings in InsightCloudSec, open the Actions menu, and select "Synchronize Users".

What happens if a user is included in multiple mapped groups?

Admin groups are treated differently than basic user groups. A summary of how group mappings are handled is below.

  • If a user is in a Domain Admin group, the user will not be placed in the Organization Admin group or any basic user groups in InsightCloudSec, regardless of membership in those groups on the authentication server
    • Note that if a user is in both Organization and Domain Admin groups, the user will be a Domain Admin (only) in InsightCloudSec
  • Users who are not Domain Admins (e.g. an Org Admin) can be members of multiple basic user groups.

What happens if a user is not included in any mapped groups?
If an existing user is not mapped to any groups, they are marked as "disabled" within InsightCloudSec. Disabled users do not appear in typical administrative displays (e.g. under "Identity Management --> Users").

User names are unique, so if a disabled user attempts to log in:

  • The login fails, and
  • An administrator cannot recreate the user with the same name

In this case, return to your authentication server (Okta in our examples) and add the user to the appropriate group; their membership will then sync through the applicable mapping (LDAP or SAML).

  • You can force a sync by revisiting the Actions menu for the applicable server once any configuration issues have been resolved.

What happens to deleted users?
As of 22.3.0, InsightCloudSec retains deleted users so that API activity can still be attributed to the user who performed each action. Retained users can be restored as active users, and their actions remain visible in API activity whether the user is active or deleted.

Can I migrate an existing local user to an SSO provider to avoid having to delete/recreate the user?
Yes. Under the user and admin actions menu, you can select "Change authentication server" to view a drop-down of available providers to select.

Note: Transitioning to "LOCAL" is not supported.

What are the pros and cons of scheduled sync and sync-at-login?
Note: sync-at-login is only an option for SAML.

Scheduled sync and sync-at-login can be used independently or together, depending on your requirements and the availability of authentication server credentials.

Scheduled Sync Pros:

  • Keeps InsightCloudSec fully synced with the authentication server
    • Including deactivation of users who no longer have access to InsightCloudSec, which is useful when auditing the accounts of users who have left

Scheduled Sync Cons

  • Updates on the authentication server side can take up to an hour to propagate to InsightCloudSec
    • InsightCloudSec Admin has an option to initiate an on-demand sync.
  • Requires the InsightCloudSec Admin to provide an authentication server credential that InsightCloudSec uses to fetch updates from the authentication server

Sync-at-login Pros:

  • Users see the effect of authentication server changes immediately when they log in
  • Does not require authentication server credentials
  • With some SAML providers, requires no extra configuration on the provider side

Sync-at-login Cons:

  • Authentication server updates are not propagated to InsightCloudSec unless a user logs in
  • May require configuration for SAML provider to put required attributes in SAML assertions

What happens to existing InsightCloudSec user login sessions if the sync changes user entitlements?

For scheduled synchronizations, all of a user’s sessions are terminated if:

  • A user loses all access to InsightCloudSec as a result of the update, or
  • The user has a decrease in admin privileges

For sync-at-login, all existing user sessions are terminated if:

  • Any changes are made to the user's group memberships. Since the user is in the act of logging in and will receive up-to-date permissions, the UX impact of removing their other sessions is minimal.
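The rules described under How Does it Work and in the FAQ answers above (user creation, deactivation and reactivation, Domain Admin precedence over every other mapping, local users being left alone, and which sync mode terminates existing sessions) are modelled in the following Python. This is an added example, not InsightCloudSec's own code: the group names, user names, the ADMIN_RANK ordering used to detect a decrease in admin privilege, and the scheduled_sync, login_sync and create_local_user helpers are all constructed for illustration.

```python
"""Toy model of the JIT group-mapping sync described on this page.
Added example, not InsightCloudSec code. Group names, user names and the
ADMIN_RANK ordering are constructed for illustration.
"""
from dataclasses import dataclass, field

DOMAIN_ADMIN = "Domain Admin"
ORG_ADMIN = "Organization Admin"
# Assumed ordering, used only to detect a *decrease* in admin privilege;
# basic user groups rank 0.
ADMIN_RANK = {DOMAIN_ADMIN: 2, ORG_ADMIN: 1}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # effective InsightCloudSec groups
    active: bool = True
    sessions: int = 0                         # live login sessions (constructed)
    auth_server: str = "SAML"                 # "LOCAL" users are never synced


def admin_rank(groups):
    return max((ADMIN_RANK.get(g, 0) for g in groups), default=0)


def effective_groups(idp_groups, mapping):
    """Map IdP groups to InsightCloudSec groups. Domain Admin wins over
    everything else (Org Admin included); anyone else may hold several."""
    mapped = {mapping[g] for g in idp_groups if g in mapping}
    return {DOMAIN_ADMIN} if DOMAIN_ADMIN in mapped else mapped


def apply_update(user, new_groups, at_login):
    """Apply a user's new effective groups; return the events produced."""
    events, old = [], set(user.groups)
    if not new_groups and user.active:
        user.active = False
        events.append("deactivated")
    elif new_groups and not user.active:
        user.active = True
        events.append("reactivated")
    if at_login:
        terminate = new_groups != old          # any membership change
    else:                                      # scheduled: lost all access or demoted
        terminate = not new_groups or admin_rank(new_groups) < admin_rank(old)
    if terminate and user.sessions:
        user.sessions = 0
        events.append("sessions terminated")
    user.groups = set(new_groups)
    return events


def scheduled_sync(users, idp_membership, mapping):
    """Hourly job. idp_membership = {idp_group: {username, ...}} as fetched from
    the authentication server with the read credential. Returns {name: events}."""
    per_user = {}
    for group, members in idp_membership.items():
        for name in members:
            per_user.setdefault(name, set()).add(group)
    report = {}
    for name, user in users.items():
        if user.auth_server == "LOCAL":
            continue
        new = effective_groups(per_user.get(name, set()), mapping)
        if ev := apply_update(user, new, at_login=False):
            report[name] = ev
    for name, idp_groups in per_user.items():
        new = effective_groups(idp_groups, mapping)
        if name not in users and new:
            users[name] = User(name, new)
            report[name] = ["created"]
    return report


def login_sync(users, name, asserted_groups, mapping):
    """SAML sync-at-login: groups come from the assertion, so no server
    credential is needed, but users who never log in are never updated."""
    new = effective_groups(asserted_groups, mapping)
    if name not in users:
        if not new:
            return ["denied"]
        users[name] = User(name, new, sessions=1)
        return ["created", "logged in"]
    user = users[name]
    events = apply_update(user, new, at_login=True)
    if not user.active:
        return events + ["denied"]             # disabled users cannot log in
    user.sessions += 1
    return events + ["logged in"]


def create_local_user(users, name):
    """User names are unique: a disabled user blocks re-creation under that name."""
    if name in users:
        raise ValueError(f"{name!r} already exists (active={users[name].active})")
    users[name] = User(name, auth_server="LOCAL")
    return users[name]
```

scheduled_sync is the hourly job fed with the member lists fetched under the server credential, so it can deactivate users who are no longer in any mapped group; login_sync takes the groups from the user's own SAML assertion, which is why it needs no credential but never touches users who do not log in.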