How do we handle Okta Group Access along with an Application Access?

IIQ version: 8.3

Hello All,
We usually get requests from applications to also provide Okta group access for SSO along with the application access that was requested.
What is the best practice to handle an application access request and also provide the Okta SSO group?
As per our understanding, Roles and a BeforeProvisioning Rule can be created.

Thanks

@pritishmhrn

You can use an after-provisioning rule to achieve this: check the input operation of the ProvisioningPlan account request, and if it is Create and the provisioning result is committed, just call a workflow to add your Okta SSO group. Within the workflow you can build the plan to add the corresponding Okta group and execute the plan using the Provisioner API.

Note - The reason for suggesting an afterProvisioningRule instead of a beforeProvisioningRule is to make sure your application is provisioned first and only then add the SSO group. It is okay to do this within the before-provisioning rule, but you will still have the group if by any chance account creation on the application fails.

It will be easier if you try to manage one object: all applications can be managed via a security group, so if you just manage the group from SailPoint then it would be clean and easy.

But if you want to manage both separately, then you are correct: a role / before-provisioning rule is the option.

1 Like

The problem I see with such approaches is auditing. Yes, it reduces the role count. But we need to create audit records with the Access Request ID that is the reason this Okta group was assigned. Any thoughts around this?

Thanks

Apologies! I didn't get what you mean in the first line.
We are getting applications with the below requirements:
A JDBC connector whose entitlements will be requestable via SailPoint; along with this, for access the user needs to be added to an Okta group membership for SSO to the application.

We tried this for one app by having a separate Business Role for Okta, with logic in place: if the user has any app entitlement, provision; else deprovision. It worked fine. Now we are trying to explore better ways (if any), as the number of such app requests is growing.

Thanks

Clubbing the SSO role with each application entitlement can lead to role explosion. We use a before-provisioning rule to perform the additional addition of the SSO group.

I don't think you need approval for these SSO groups; these SSO groups should be added automatically with the application request. In the before-provisioning rule you can write custom logic to get this audited.

1 Like
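As an added illustration of the after-provisioning approach described earlier in the thread (check for a committed Create, then push the Okta group through a separate plan via the Provisioner) combined with the audit record asked for in the later replies; this is example BeanShell written for this page, not code from any poster. The application-to-group mapping, the Okta application and attribute names, the plan argument `identityRequestId` and the custom audit action name are assumptions.

```java
import sailpoint.api.Provisioner;
import sailpoint.object.Application;
import sailpoint.object.AuditEvent;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.ProvisioningResult;

// AfterProvisioning rule; inputs used: context, log, plan, application, result.
// Constructed mapping for this example: target application name -> Okta SSO group.
Map ssoGroupByApp = new HashMap();
ssoGroupByApp.put("HR-Portal-JDBC", "SSO-HR-Portal");
String oktaAppName = "Okta";       // assumed name of the Okta application in IIQ
String oktaGroupAttr = "groups";   // assumed Okta group entitlement attribute

String ssoGroup = (String) ssoGroupByApp.get(application.getName());
Identity identity = plan.getIdentity();
boolean committed = (result != null) && ProvisioningResult.STATUS_COMMITTED.equals(result.getStatus());
List reqs = plan.getAccountRequests();
if (ssoGroup != null && identity != null && committed && reqs != null) {
  for (AccountRequest req : reqs) {
    if (!AccountRequest.Operation.Create.equals(req.getOperation())) continue;
    // The user must already hold an Okta account; skip and log rather than fail the create.
    List links = identity.getLinks(context.getObjectByName(Application.class, oktaAppName));
    if (links == null || links.isEmpty()) {
      log.warn("No Okta account for " + identity.getName() + "; SSO group not added");
      break;
    }
    // Assumed: the access request id travels as the plan argument "identityRequestId".
    String requestId = (plan.getArguments() != null)
        ? plan.getArguments().getString("identityRequestId") : null;
    // Separate Modify plan for Okta, executed only after the target account is committed.
    AccountRequest oktaReq = new AccountRequest();
    oktaReq.setApplication(oktaAppName);
    oktaReq.setOperation(AccountRequest.Operation.Modify);
    oktaReq.setNativeIdentity(links.get(0).getNativeIdentity());
    oktaReq.add(new AttributeRequest(oktaGroupAttr, ProvisioningPlan.Operation.Add, ssoGroup));
    ProvisioningPlan oktaPlan = new ProvisioningPlan();
    oktaPlan.setIdentity(identity);
    oktaPlan.add(oktaReq);
    new Provisioner(context).execute(oktaPlan);
    // Audit record tying the group assignment to the originating access request.
    AuditEvent event = new AuditEvent();
    event.setAction("OktaSsoGroupAdded");   // custom audit action name, an assumption
    event.setSource(identity.getName());
    event.setTarget(ssoGroup);
    event.setAttribute("identityRequestId", requestId);
    context.saveObject(event);
    context.commitTransaction();
    break;
  }
}
```

Because the Okta request is a separate plan, it is only sent when the target application reported a committed Create, which is the failure case the after-provisioning suggestion above is meant to cover.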