Like most companies we have SSO setup for many 3rd party SaaS apps. Our SSO is setup using Azure Active Directory.
Most of our SSO setups with these 3rd party apps require a group to be created in AAD representing the ability to utilize SSO for that app.
At the same time, many of these apps don’t support any sort of automated provisioning, leaving us to set these 3rd party SaaS apps up as Service Desk Integrations (ticket based manual provisioning activities).
So, we then have a ‘two source process’ to setup a user for one of these apps.
- Create an account within the app.
- put the user in that Apps AAD SSO group.
That’s feasible. We have a S.O.P book our access control team uses; and in that apps section of the book, we include that additional “put the user in AAD Group X also”; (Or remove them on a deprovisioning)
It gets messier as we try to optimize. For example, Apps that natively have SailPoint connectors, or support the generic mechanisms (scim, webservice, etc.).
SailPoint can replace that Service Desk Ticket… but… what is the best way to handle that additional “put the user in AAD Group X also” step?
We do have requestable access, so have been using requestable access profiles (and Request Center Applications to organize them).
We have heard that we could switch to exclusively using Roles, as Roles can contain entitlements from multiple sources. But we are unsure if losing the application-based organization or our requestable access would have too much impact.
We have thought about possibly using workflows, but we have about 40 apps that are SSO enabled today and are continuously trying to convert all of our apps whenever possible. This would mean a decent amount of workflows/workflow complexity.
There might be a Provisioning Rule based way to do this also? (I am not familiar with these)
How are people handling SSO enabled third party SaaS apps. (Apps that require entitlements from multiple sources)?