Question - Can an SSO act as Identity Provider for Eramba

In the learning module of Access Management it is mentioned that

"All users need an account in eramba even if they authenticate using an external service."

Also in the learning video of “Introduction to SAML Authenticator” the presenter creates a user account in eramba as well, and just uses Azure SAML for authentication and redirection.

So in our company we are using OKTA SAML authentication. Just as confirmation, I cannot use any SAML provider as an Identity Provider, right? I'll need to create their account in eramba as well?

Like eramba cannot pick up my user ID and password from OKTA so that I do not have to go and create accounts for all employees in eramba as well.

There is no directory sync with SAML providers, if that's what you mean!?

You tell the SAML connector what schema should be used to validate SAML tokens, like username or email… that is default SAML behavior.

You can do a CSV import if you need to create users in bulk.

Yeah, meant that.

Oh okay, got it. Thanks.

Potential plot twist:

You can interface with Okta via LDAP and you can auto provision/deprovision users based on group membership within eramba. The downside here is that you lose the one click SAML login button, so users will just have to use their username and password. I believe you can still do MFA with Okta in this scenario, but I haven’t tested it (or… this idea at all).

(Ninja edit… I wonder… If both can be used at the same time actually… LDAP group sync but SAML as the authenticator).

We use LDAP sync for accounts and then use Microsoft SAML for authentication, and it works seamlessly.

I'm often scared when I see people creating many accounts in eramba… 99% of the time you only need 2 x the number of departments in the scope of your GRC program.

If your company has 10 departments, that is 20 accounts.

Well, if you publish all your company policies on Eramba’s policy portal, you could well want all your staff to log in there (particularly if certain policies are only for the eyes of certain staff).

If all my policies are in Eramba then I'll need to give access to all employees in the org. That would be like 800+ users, so I would need to create accounts for them all in Eramba, it seems.
Plus then, our policy review cycle is also cross-functional.

Seems like I can use LDAP sync, but that’s about it.

This does not sound correct. What are you trying to achieve by having the policies in eramba that requires everyone to have access to them?

We have all of our policies and other security related documents in Eramba for managing them and assigning various people who are responsible for owning and reviewing them; obviously these need access. Along with this we allow all our employees to view the documents on the policy portal, but with access controlled by the LDAP groups as we don’t want to make it public with no authentication. This makes great use of the Policy Portal, unless I have it wrong and it’s for another use!

Try this episode to make sure we are talking about the same thing: Access Management | Eramba learning portal

In particular, who needs an account?

This does not require local accounts in eramba… just LDAP.

We use LDAP to automate our accounts and use groups. We don’t use or create local accounts except for the Online Assessments module, where external users will need to log in to complete the assessment.