SSO, IDN and Sources – Apps that require an entitlement from more than one source - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community
@KevinHarrington @alexandre_mazars
Talks about how to handle applications that have an ISC connector (like Box, for example) while your organization also uses SSO (such as through Azure AD) and that SSO requires a security group as well (the idea that access to Box requires actions in two different sources: AAD, to get the SSO group, and Box, to get the user account within the Box application).
I lost track of that thread, and it’s now locked, so I’m going to follow up…
- Our organization does not use requestable Roles.
- We use requestable access profiles, organized under applications (for categorization).
- We only use Roles for automated (rule based) access.
One of the replies in that thread talks about using a Role to handle the SSO group.
Set up a role that looks for an active account on the application, and if the user has it - add them to the SSO group for that app.
I like that idea… A person can still request an access profile in Box, and then once that access profile is approved and they have an account in that Box source, the ‘secondary SSO access profile’ gets automatically added, because a Box account was detected by a role.
But what is the role’s selection criteria? For example, there isn’t a “has Account in source” criteria (though it would be nice).
Is there a way to achieve a similar result using the criteria that is there?