Versions Compared
Version | Old Version 4 | New Version 5 |
---|---|---|
Benefits
Single sign-on (SSO) provides access to multiple applications with one set of login credentials. ZenGRC allows for easy user management directly from your organization's SSO Identity Provider (IdP), including the more common SAML SSO IdPs such as Active Directory Federation Services (ADFS) or Okta.
Overview
The ZenGRC SAML Settings provide an area where groups based on ZenGRC permission levels can be maintained. By creating groups with the same names in your organization's SSO IdP, users only need to be added at the SSO IdP level, which replicates to ZenGRC and allows users to log in at the appropriate permission level.
Through the creation of matching user groups in ZenGRC and your organization's IdP, users can log in to ZenGRC and be allowed access at the appropriate permission level. As long as group names match, this allows complete control of users at the SSO IdP level with no management on the ZenGRC side.
Each time users log in to ZenGRC, permission changes in the connected SSO IdP are checked and enforced as follows:
- If users are not in any IdP group, they may lose permissions in ZenGRC when SAML is enabled.
- If users are in two groups in the IdP, they will be placed in the ZenGRC group with the greatest permissions. For example, a user in both the administrators group and the readers group will receive administrator privileges in ZenGRC.
- When users are removed from the IdP, they are not allowed to log in to ZenGRC.
- Users who are still in the IdP, but are not in any of the groups, will be moved to a "no access" status in ZenGRC.
Setting the Connection
Creating a SAML SSO connection between ZenGRC and your IdP must be done by an administrator with access to both in order for group role handling to be enabled.
Note: To set up SAML SSO on your ZenGRC instance, please see Configuring SAML SSO in Your IdP.
Enabling Group-based Roles
To allow for groups in your IdP and ZenGRC instance to share information, complete the following steps:
- Select Enable group based role handling in ZenGRC.
- Update group names so they are identical in ZenGRC and the IdP.
TIP: ZenGRC provides default names for you to use; however, they can be changed if needed. Be certain any change made in ZenGRC is also updated in the IdP.
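The login-time rules listed under Overview and the requirement that group names be identical can be previewed against an IdP export before group-based role handling is enabled. The following is an added example, not ZenGRC's code; the group names, their ranking, the exact-match comparison, and the sample directory are assumptions constructed for illustration.

```python
# Constructed example: group names and their ranking are assumptions,
# not ZenGRC's defaults. Later in the list = greater permissions.
ZENGRC_GROUPS = ["zengrc-readers", "zengrc-editors", "zengrc-administrators"]
NO_ACCESS = "no access"


def effective_group(idp_groups):
    """Return the ZenGRC group a user lands in at login.

    Rules from the page: a user in several matching groups gets the one
    with the greatest permissions; a user in none gets "no access".
    Matching is an exact string comparison (an assumption drawn from the
    requirement that names be identical).
    """
    matches = [g for g in idp_groups if g in ZENGRC_GROUPS]
    if not matches:
        return NO_ACCESS
    return max(matches, key=ZENGRC_GROUPS.index)


def near_misses(idp_groups):
    """IdP groups that differ from a ZenGRC group only by case or spacing."""
    canon = {g.casefold().strip() for g in ZENGRC_GROUPS}
    return [g for g in idp_groups
            if g not in ZENGRC_GROUPS and g.casefold().strip() in canon]


def audit(directory):
    """Preview every user's outcome and flag cases worth a manual review."""
    report = {}
    for user, groups in directory.items():
        matched = [g for g in groups if g in ZENGRC_GROUPS]
        flags = []
        if len(matched) > 1:
            flags.append("multiple groups: highest wins")
        if near_misses(groups):
            flags.append("name mismatch: " + ", ".join(near_misses(groups)))
        report[user] = (effective_group(groups), flags)
    return report


# Constructed IdP export: user -> group memberships.
SAMPLE_DIRECTORY = {
    "alice": ["zengrc-administrators", "zengrc-readers"],
    "bob": ["zengrc-readers"],
    "carol": ["ZenGRC-Editors"],   # case differs, so no exact match
    "dave": ["finance"],
}
```

Users flagged "multiple groups" are worth checking for unintended administrator access, and "name mismatch" entries point to a group rename that was made on only one side.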
Renaming SAML SSO Groups
Group names can be updated or changed if needed; however, if the corresponding group name is not