
Just In-Time User Provisioning (Authentication Server Support)


Database Backup

As with all significant platform changes we recommend that you back up your database before implementing JIT User Provisioning. If you have questions or concerns reach out to us via [email protected].

Overview

Feature Summary

DivvyCloud is pleased to include support for authentication server synchronization, a feature we're calling Just In Time User Provisioning (JIT). DivvyCloud JIT provides the capability to synchronize users and groups from an external Identity Provider (IDP) authentication server such as Okta, LDAP, Ping, and Microsoft's Active Directory. When an authentication server is configured in DivvyCloud, a scheduled sync job runs once an hour; for SAML authentication servers, updates can also be applied at user login.

This feature, combined with the group-based entitlement feature, enables DivvyCloud Admins to manage DivvyCloud user access from their identity provider, without the need to make additional updates for users in DivvyCloud.

How Does it Work

DivvyCloud groups are mapped to corresponding groups from the authentication server. DivvyCloud synchronizes the memberships in its mapped groups to those on the authentication server.

  • If a user in an authentication server group is not present in DivvyCloud, that user is created.
  • If an existing SAML DivvyCloud user is no longer in any of the mapped groups in the authentication server, that user is deactivated in DivvyCloud (but can be reactivated if that user returns to a mapped group later).
  • DivvyCloud’s mappings include authentication server groups to specify Domain Admin and Organization Admin users. An example of group mappings is shown below.
    • Note: Domain Admin and Organization Admin users are not available under User groups as they are system generated and cannot be modified.

Example Group Mappings

Prerequisites

Before getting started with DivvyCloud's authentication server support you should have the following:

  • A functioning DivvyCloud platform
  • Admin permissions for your authentication server
    • At present JIT is only provided for:
      • SAML at user login, through assertions attributes (Any SAML provider)
      • Scheduled updates for SAML with Okta
      • Scheduled updates for LDAP (Any LDAP provider)


Supported Options

Within this documentation we use Okta configurations as an example. For specific details on Okta we recommend you refer to their documentation. For other providers, we recommend you refer to the provider's configuration documentation.

As always, if you have questions or issues or want details on implementation using something other than Okta we're here to help, reach out to [email protected].

Configuration Considerations

Entitlements

You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in DivvyCloud will create groups with users that have NO associated permissions.

Scheduled Updates

In DivvyCloud, scheduled updates run once an hour. DivvyCloud fetches the member lists of the mapped user groups from the authentication server, and DivvyCloud’s users and group associations are updated to match.

Credentials

Note: A credential to the authentication server is required to perform the scheduled updates.

  • For Okta, this is implemented using a read-only API key.
  • For LDAP, DivvyCloud uses the credentials of a user with directory-read privileges.

Existing SAML Users

Users from SAML authentication servers should have a unique username. In cases where a username is already in use by a local DivvyCloud user an administrator may need to update the user accounts in DivvyCloud.

Configuring JIT for LDAP

Okta Setup for LDAP

Refer to the steps below to complete the required configuration setup for LDAP using Okta. You can refer to Okta's documentation on Groups here.

1. Log in to Okta as an administrator.

2. Under "Directory -> Groups" click on "Add Group".

  • Give this group a name and group description that makes sense for your mapping.
  • DivvyCloud requires unique remote group names, so keep this in mind when creating groups.

3. Locate your new group by searching for the name, and clicking on it to open the Group details.

4. Select "Assign People" to add/remove the desired group members.

  • Click the "+" next to a user's name to add them to the group.
    • Note: if a user is already a member of the group they will not come up in a search.
  • Make any changes desired to this group and then click "Done".
  • Store this group name in a safe place to complete your setup in DivvyCloud.

DivvyCloud Setup for LDAP

Refer to the steps below to complete the required configuration for LDAP using Okta within DivvyCloud.

1. In DivvyCloud, navigate to "Administration --> Identity Management" and open the tab labelled "Basic User Groups".

2. Click "Add Basic User Group", name your new group as desired, and click "Submit".

  • This field will populate the DivvyCloud Group name when you configure your Group Mapping (these must match and are case sensitive).

3. Click on the "Actions" menu to the left of your new/target group name to select "Manage Basic User Entitlements" and access those settings.

User Groups - Manage Basic User Entitlements


Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Permissions Entitlements for details.

4. Navigate to "Administration --> Identity Management" and select "Authentication Server". Click on "Add Server" to create a new authentication server.

  • Select a Server Nickname (name)
  • Select LDAP
  • Select the Global Scope checkbox if you want to use this server across multiple DivvyCloud Organizations. Learn more about Organizations.

5. Complete the details for the LDAP Authentication Server including the following fields:

  • Server Host/IP
  • Server Port
  • Select/Enable "Secure Server" (Note: enabling this is required)
  • Admin Username
  • Admin Password
  • Base user DN (the LDAP string for the base search)
  • Checkbox "Enable periodic user provisioning" - syncs provisioning hourly.
    • JIT requires this to be enabled to function correctly.

6. Click "Submit" once you have completed the LDAP server details.

7. Click on the "Actions" menu to the right of your newly created server and select "Update Group Mappings".

Authentication Servers - Updating Group Mappings

8. Complete your Group Mappings as desired.

  • Click on the "+" at the top to add additional lines.
  • Domain Admin and Organization Admin fields already exist as presets.
    • Important note: even with mapped "groups" associated these mappings simply establish the Domain and Org Admin users. These aren’t technically groups, and as such you will have to locate them by name individually to modify or update them.

9. Click "Submit" to complete your Group Mappings.

  • If you do nothing, Okta will sync hourly and update your mapping.
  • To manually sync, click the actions menu and select "Synchronize Users".
  • You can verify the sync by checking out the "View Logs" option under the actions menu, or by visiting the "User Groups" tab to watch the user count increase.

Configuring JIT for SAML

DivvyCloud Initial Setup (Authentication Server) for SAML

Refer to the steps below to complete the initial required configuration for SAML using Okta within DivvyCloud.

1. Navigate to "Administration --> Identity Management" and select "Authentication Server".

2. Click on "Add Server" to create a new authentication server.

  • Select a Server Nickname (name)
  • Select SAML
  • Select the Global Scope checkbox if you want to use this server across multiple DivvyCloud Organizations. Learn more about Organizations.

3. At this point you will need to return to Okta with the URL information provided in this form, for example:

  • https://baseurl.net/v3/auth/provider/saml/19/acs
  • https://baseurl.net/v3/auth/provider/saml/19/metadata/

Creating a SAML Server - Required Configuration Details

Okta Setup for SAML

These steps assume that you have the required URLs from the "Create Authentication Server" window in DivvyCloud.

Refer to the steps below to complete the required configuration setup for SAML using Okta. You can refer to Okta's documentation on setting up a SAML application here.

1. Log in to Okta as an administrator.

2. Navigate to "Applications", select "Add Application", and then click on "Create New App".

3. On the "Create a New Application Integration" page, update the SAML configuration details as follows:

  • Platform: Web
  • SAML 2.0

4. Click "Create".

Okta - Add new App

5. Complete the "Create SAML Integration" details:

  • Provide the App with an appropriate name
  • Add an optional logo

6. Under the General SAML Settings complete the details as follows:

  • You will need to provide the two URLs copied from Step #3 in the DivvyCloud instructions above, for example:
    • For Single sign on URL: https://baseurl.net/v3/auth/provider/saml/19/acs
    • For Audience URI (SP Entity ID): https://baseurl.net/v3/auth/provider/saml/19/metadata/

7. Complete the rest of the form options/settings as desired.

Okta - Create SAML Integration

8. In the SAML form, to successfully establish group mapping and create users, you will need to update the "Attribute Statements (optional)". These details enable DivvyCloud to appropriately identify and collect user details.

  • Name: email, Value: user.email
  • Name: firstName, Value: user.firstName
  • Name: lastName, Value: user.lastName

9. In addition, we recommend configuring "Group Attribute Statements (Optional)" to help DivvyCloud locate the group information, for example:

  • Name: memberOf
  • Starts with: Divvy

Okta Attributes

10. Click "Next" and then click "Finish" to complete the setup of the Okta portion of the SAML integration.

11. From your completed App page, click on "View Setup Instructions" to display the configuration details required to finalize your setup in DivvyCloud.

Example Completed SAML App

DivvyCloud Continued Setup for SAML

These steps assume you are still working from the "Administration --> Identity Management" on the "Authentication Servers" tab with an active window to create a new SAML Authentication server.

Continue from Step #3 above, where you copied the required URLs for Okta, moved to Okta, and have returned to DivvyCloud with your completed SAML config details. We are resuming the DivvyCloud setup with Step #4.

4. Complete the details for the SAML Authentication Server including the following required fields:

  • Idp Entity ID/Metadata URL
  • SSO URL
  • Idp x509 Certificate
  • Checkbox - Enable JIT user provisioning at login (if selected enables provisioning as soon as the user logs in)
  • Checkbox - Make this the default SSO for JIT user provisioning. (Note: Only one server can be set as the default).
    • If this is enabled, users that don't exist will be redirected to Okta to login.
    • Important - if this option is selected it will prevent you from creating additional SAML integrations.

SAML Form Part 2

5. Continuing completion of the SAML Form:

  • SAML attribute name for user groups - complete this field with the name you provided as part of the "Group Attribute Statement"
  • SAML attribute name for displayname (or firstname)
  • SAML attribute name for last name
  • SAML attribute for email

These are the fields you completed as part of the Okta setup - "Attribute Statements (optional)" in Step #8 above.
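As an added example (not DivvyCloud's code), the following shows how the attribute names entered in Step 5 and Step 8 are used: a JIT-at-login sync reads the assertion's AttributeStatement, picks out the configured email/first name/last name attributes, and collects the group values. The assertion below is a constructed sample, and `ATTRIBUTE_MAP` and the `group_prefix` re-check of Okta's "Starts with" filter are assumptions for illustration.

```python
# Added example (not DivvyCloud's code): parse a SAML 2.0 assertion's
# AttributeStatement and map it onto the fields the DivvyCloud SAML form asks for.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical form values: which SAML attribute name holds which user field.
# These mirror the Okta "Attribute Statements" configured in Step 8 above.
ATTRIBUTE_MAP = {
    "groups": "memberOf",
    "first_name": "firstName",
    "last_name": "lastName",
    "email": "email",
}

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>DivvyReadOnly</saml:AttributeValue>
      <saml:AttributeValue>DivvyCloudOps</saml:AttributeValue>
      <saml:AttributeValue>Everyone</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def jit_profile(assertion_xml, attribute_map=ATTRIBUTE_MAP, group_prefix="Divvy"):
    """Build the profile a JIT-at-login sync would act on.

    Raises ValueError if a required attribute is missing: without email and
    name attributes the user cannot be created, which is the usual symptom of
    a mismatch between the Okta attribute names and the DivvyCloud form.
    """
    attrs = read_attributes(assertion_xml)
    profile = {}
    for field in ("email", "first_name", "last_name"):
        name = attribute_map[field]
        if not attrs.get(name):
            raise ValueError(f"assertion lacks required attribute {name!r}")
        profile[field] = attrs[name][0]
    # Defensive re-check of the Okta "Starts with" group filter: only groups
    # with the agreed prefix are candidates for DivvyCloud group mapping.
    groups = attrs.get(attribute_map["groups"], [])
    profile["groups"] = sorted(g for g in groups if g.startswith(group_prefix))
    return profile
```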

Additional SAML details

6. Continuing completion of the SAML Form:

  • Checkbox - Enable periodic user provisioning (Okta only) - if enabled provides hourly sync with Okta
  • API Key - the token used to communicate with Okta

Additional SAML details

The next fields are optional and can be modified based on your requirements:

  • login (default)
  • displayName (default)
  • User profile field to use for last name (optional)
  • email (default)

7. Continuing completion of the SAML Form:

  • Checkbox - Update profile (email & display name) on JIT and periodic user provisioning
    • Enabling this field allows DivvyCloud to absorb changes on the Okta side to any usernames or display information. We encourage you to enable this box to allow us to maintain changes that may take place in Okta.
  • Name ID Format - to provide user name details for SAML
  • Signature Algorithm - to provide SSO provider digital signature details

Additional SAML details

8. Continuing completion of the SAML Form:

  • Select any of the checkboxes to enable any desired specific attributes. These are as named (e.g. nameIdEncrypted, when checked, will encrypt the nameId field, etc.).

Additional SAML details

9. Click "Submit" when you have provided all of the necessary details.

10. Navigate to "Administration --> Identity Management" and open the tab labelled "User Groups".

11. Click "Add User Group" and name your new group as desired.

  • This field will be used to populate the DivvyCloud Group name when you configure your Group Mapping (these must match and are case sensitive)

12. Click on the "Actions" menu to the left of your new/target group name to access the "Manage Entitlements" capabilities.


Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Permissions Entitlements for details.

13. Navigate to "Administration --> Identity Management" and select the "Authentication Servers" tab.

14. Click on the "Actions" menu to the right of the line for the server you created earlier and select "Update Group Mappings".

15. Complete your Group Mappings as desired. Click on the "+" at the top to add additional lines.

  • Domain Admin and Organization Admin fields already exist as presets.
    • Important note: even with mapped "groups" associated these mappings simply establish the Domain and Org Admin users. These aren’t technically groups, and as such you will have to locate them by name individually to modify or update them.

16. Click "Submit" to complete your Group Mappings.

  • If you do nothing, Okta will sync hourly and update your mapping.
  • If any user logs in, it will kick off the synchronization process.
  • To manually sync, click the actions menu and select "Synchronize Users".
  • You can verify the sync by checking out the "View Logs" option under the actions menu, or by visiting the "User Groups" tab to watch the user count increase.

FAQ

Note: if your issue or concern is not included here, or you need assistance with this feature, reach out to [email protected].

What happens if an existing DivvyCloud user is moved out of all mapped groups?

DivvyCloud users are marked inactive if they no longer have membership in any mapped groups. The user is reactivated if added to a mapped group later.

What happens if a new user is included in a mapped group in the authentication server?

DivvyCloud creates the user and places them in the appropriate mapped group(s); the hourly sync job will create the user on its next run. To sync manually, go to the Authentication Server settings in DivvyCloud, click the actions menu, and select "Synchronize Users".

What happens if a user is included in multiple mapped groups?

Admin groups are treated differently than basic user groups. A summary of how group mappings are handled is below.

  • If a user is in a Domain Admin group, the user will not be placed in the Organization Admin group or any basic user groups in DivvyCloud, regardless of membership in these groups on the authentication server.
    • Note that if a user is in both Organization and Domain Admin groups, the user will be a Domain Admin (only) in DivvyCloud
  • Users who are not Domain Admins (e.g. an Org Admin) can be members of multiple basic user groups.

What happens if a user is not included in any mapped groups?

If an existing user is not mapped to any groups, they are marked as "disabled" within DivvyCloud. Disabled users do not appear in typical administrative displays (e.g. under "Identity Management --> Users").

User names are unique, so if a disabled user attempts to log in:

  • It won't work, and
  • An administrator will not be able to recreate them with the same name

In this case return to Okta to ensure they're properly configured (add them to the appropriate group) and their credentials will sync through the appropriate mapping (e.g. LDAP or SAML).

  • You can force a sync by revisiting the Actions menu for the applicable server once any configuration issues have been resolved.

What are the pros and cons of scheduled sync and sync-at-login?

Note: this is only an option for SAML.

Scheduled sync and sync-at-login can be used independently or together, depending on your requirements and the availability of authentication server credentials.

Scheduled Sync Pros:

  • Keeps DivvyCloud fully synced with the authentication server
    • Including deactivation of users who no longer have access to DivvyCloud (which is helpful for auditing accounts of users that have left)

Scheduled Sync Cons:

  • Updates on the authentication server side can take up to an hour to propagate to DivvyCloud
    • DivvyCloud admin has an option to initiate an on-demand sync.
  • Requires the DivvyCloud admin to provide an authentication server credential for DivvyCloud to use when fetching updates from the authentication server

Sync-at-login Pros:

  • Users see the effects of authentication server changes immediately when they log in
  • Does not require authentication server credentials
  • With some SAML providers, no extra configuration is required on the SAML provider side

Sync-at-login Cons:

  • Authentication server updates are not propagated to DivvyCloud unless a user logs in
  • May require configuring the SAML provider to put the required attributes in SAML assertions

What happens to existing DivvyCloud user login sessions if the sync changes user entitlements?

For scheduled synchronizations, all of a user’s sessions are terminated if:

  • A user loses all access to DivvyCloud as a result of the update, or
  • The user has a decrease in admin privileges

For sync-at-login, all existing user sessions are terminated if:

  • Any changes are made to the user’s group memberships. Since the user is in the act of logging in, and will get the up-to-date permissions, the UX impact of removing other sessions for the user is minimal.
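The rules in "How Does it Work", the multiple-mapped-groups FAQ and the session-termination answer above, worked through as one model of a scheduled sync run. This is an added example, not DivvyCloud's code: the group names, users and the `admin_rank` helper are constructed for illustration, and the deactivation and session rules follow the page's description.

```python
# Added example, not DivvyCloud's code: a model of the scheduled sync and the
# precedence rules this page describes. All group and user names are constructed.
DOMAIN_ADMIN = "Domain Admin"          # preset mappings, not real user groups
ORG_ADMIN = "Organization Admin"

# Constructed mapping: authentication-server group -> DivvyCloud group.
MAPPINGS = {
    "DivvyDomainAdmins": DOMAIN_ADMIN,
    "DivvyOrgAdmins": ORG_ADMIN,
    "DivvyReadOnly": "Read Only",
    "DivvyCloudOps": "Cloud Ops",
}

# Constructed state: what DivvyCloud holds now, and what the IdP reports.
CURRENT_USERS = {
    "alice": {"active": True, "groups": {"Read Only"}},
    "bob": {"active": True, "groups": {ORG_ADMIN, "Cloud Ops"}},
    "carol": {"active": False, "groups": set()},
    "dave": {"active": True, "groups": {"Cloud Ops"}},
}
REMOTE_MEMBERS = {
    "alice": ["DivvyDomainAdmins", "DivvyReadOnly"],  # Domain Admin wins
    "bob": ["DivvyCloudOps"],                          # lost Org Admin
    "carol": ["DivvyReadOnly"],                        # returns to a mapped group
    "erin": ["DivvyCloudOps", "Unmapped"],             # new user
}                                                      # dave: in no mapped group


def resolve_groups(remote_groups, mappings=MAPPINGS):
    """A Domain Admin gets no other groups; everyone else keeps all mapped ones."""
    mapped = {mappings[g] for g in remote_groups if g in mappings}
    return {DOMAIN_ADMIN} if DOMAIN_ADMIN in mapped else mapped


def admin_rank(groups):
    return 2 if DOMAIN_ADMIN in groups else 1 if ORG_ADMIN in groups else 0


def sync(remote_members=REMOTE_MEMBERS, users=CURRENT_USERS, mappings=MAPPINGS):
    """Return (new user table, set of (user, event)) for one scheduled run."""
    events, new_users = set(), {}
    for name, remote in remote_members.items():
        groups = resolve_groups(remote, mappings)
        old = users.get(name)
        if old is None and not groups:
            continue                      # unknown user in no mapped group: ignored
        if old is None:
            events.add((name, "created"))
        elif not old["active"] and groups:
            events.add((name, "reactivated"))
        new_users[name] = {"active": bool(groups), "groups": groups}
    for name, old in users.items():
        new = new_users.setdefault(name, {"active": False, "groups": set()})
        if old["active"] and not new["active"]:
            events.add((name, "deactivated"))
        # Scheduled sync ends sessions on loss of all access or reduced admin level.
        lost_access = not new["groups"]
        demoted = admin_rank(new["groups"]) < admin_rank(old["groups"])
        if old["active"] and (lost_access or demoted):
            events.add((name, "sessions terminated"))
    return new_users, events
```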
