
Note

Submit Request → Please contact support@reciprocity.com to confirm all settings are enabled for SAML prior to continuing configuration.


Benefits

ZenGRC allows users to be managed directly from common SAML 2.0 Single Sign-On (SSO) Identity Providers (IdPs), such as Active Directory Federation Services (ADFS) and Okta.

By creating groups in ZenGRC whose names match groups in your organization's IdP, users can be managed entirely at the IdP level, with no per-user administration on the ZenGRC side.

Info

SAML group users are not provisioned ahead of time. A user's ZenGRC account is created the first time that user signs in to ZenGRC through SAML.


Overview

By enabling group-based role handling on the ZenGRC SAML Settings page, administrators reduce setup time and tighten control, because users are managed in one place: the IdP.

Any user who is a member of an IdP group whose name is identical to a ZenGRC group can log in to ZenGRC and receives the permission level of that ZenGRC group.

At each ZenGRC login, group membership in the connected IdP is re-checked and enforced as follows:

Users removed from the IdP altogether → cannot log in to ZenGRC.

Users still in the IdP but in none of the matching groups → are moved to a "no access" status in ZenGRC.

Users in two or more matching groups in the IdP → are placed in the ZenGRC group with the greatest permissions. For example, someone in both the administrator group and the reader group receives administrator privileges in ZenGRC.

Because the check runs at login, a change made in the IdP takes effect the next time the affected user signs in to ZenGRC.


Setting the Connection

A working SAML SSO connection between ZenGRC and your IdP must exist before group-based role handling can be enabled.

Info

To set up SAML SSO on your ZenGRC instance, please see → SAML 2.0 / SSO Initial Setup Instructions.


Enabling Group-Based Roles

After setting up SAML SSO, there are additional steps in your IdP and ZenGRC instance to enable groups.


IdP Set Up

The last step in your IdP is to add an attribute named groups to the SAML assertion it sends to ZenGRC. Where this is configured differs from IdP to IdP, but the result is the same: one AttributeValue per group the user belongs to, carrying the group's name exactly as it appears in the IdP, so that it can be matched character for character against the ZenGRC group names.

Note

IMPORTANT → The attribute name must be exactly groups: all lower case and without quotation marks. Any other spelling (for example Groups, or "groups" with the quotes included) causes the connection to fail with an error.


The XML generated when this attribute is added looks similar to the example below:

Code Block
languagexml
<Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <AttributeValue>Marketing team</AttributeValue>
    <AttributeValue>ZenGRC-Editors</AttributeValue>
</Attribute>
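The following is an added example, not code from ZenGRC or from this page, showing what the login-time rules in the Overview look like when applied to an assertion carrying the groups attribute above. It parses a minimal constructed assertion, insists on the attribute name being exactly groups (rejecting near misses such as Groups or a quoted name), and then resolves the effective ZenGRC access: the most privileged matching group wins, no matching group yields "no access", and no assertion at all (the user was removed from the IdP) refuses the login. The group names in ROLE_PRECEDENCE are hypothetical; substitute the names configured under Manage Groups.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# ZenGRC reads this attribute from the assertion: exactly "groups",
# lower case, without surrounding quotes.
GROUPS_ATTRIBUTE = "groups"

# Hypothetical ZenGRC group names, listed from most to least privileged.
# They must be spelled identically in ZenGRC and in the IdP.
ROLE_PRECEDENCE = ["ZenGRC-Administrators", "ZenGRC-Editors", "ZenGRC-Readers"]
NO_ACCESS = "no access"
LOGIN_REFUSED = "login refused"


def make_assertion(attribute_name, groups):
    """Build a constructed, minimal SAML 2.0 assertion carrying one attribute.
    Real assertions also carry Issuer, Subject, Conditions and a Signature;
    only the AttributeStatement matters for group handling."""
    values = "".join(f"<AttributeValue>{escape(g)}</AttributeValue>" for g in groups)
    return (
        '<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<AttributeStatement>"
        f'<Attribute Name="{escape(attribute_name, {chr(34): "&quot;"})}" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">'
        f"{values}</Attribute></AttributeStatement></Assertion>"
    )


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def extract_groups(assertion_xml):
    """Return the AttributeValue texts of the 'groups' attribute.
    Raises ValueError when the attribute is missing, or when it is a near
    miss ('Groups', '"groups"') that ZenGRC would reject."""
    root = ET.fromstring(assertion_xml)
    for el in root.iter():
        if _local(el.tag) != "Attribute":
            continue
        name = el.get("Name", "")
        if name == GROUPS_ATTRIBUTE:
            return [v.text or "" for v in el if _local(v.tag) == "AttributeValue"]
        if name.strip("\"'").lower() == GROUPS_ATTRIBUTE:
            raise ValueError(f"attribute name {name!r} must be exactly {GROUPS_ATTRIBUTE!r}")
    raise ValueError("assertion carries no 'groups' attribute")


def resolve_access(assertion_xml):
    """Apply the login-time rules: no assertion (user removed from the IdP)
    refuses login; a matching group yields the most privileged matching role;
    membership in no matching group yields 'no access'."""
    if assertion_xml is None:
        return LOGIN_REFUSED
    groups = set(extract_groups(assertion_xml))
    for role in ROLE_PRECEDENCE:
        if role in groups:
            return role
    return NO_ACCESS


if __name__ == "__main__":
    # The page's own example: one unrelated group plus ZenGRC-Editors.
    print(resolve_access(make_assertion("groups", ["Marketing team", "ZenGRC-Editors"])))
    # Two matching groups: the administrator group wins.
    print(resolve_access(make_assertion("groups", ["ZenGRC-Readers", "ZenGRC-Administrators"])))
    # Still in the IdP, but in no matching group.
    print(resolve_access(make_assertion("groups", ["Marketing team"])))
    # Removed from the IdP: no assertion is issued at all.
    print(resolve_access(None))
```

The matching is deliberately exact: "ZenGRC-Editors" and "zengrc-editors" are different groups, which is why the Manage Groups step below insists on identical names on both sides. A real service provider would of course validate the assertion's signature, audience and time conditions before trusting any attribute in it; that part is handled by the SAML connection set up earlier and is outside this example.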


ZenGRC Set Up

To let ZenGRC match the groups sent by your IdP against its own groups, complete the following steps.


Step 1 →

In the left-hand navigation, click Settings | Authentication.


Step 2 →

Click on Manage Groups.


Step 3 →

Select Enable group-based role handling in ZenGRC.


Step 4 →

Update the group names so they are identical, character for character, in ZenGRC and in your organization's IdP.

Info

TIP → ZenGRC provides default group names for you to use; they can be changed if needed. Be certain that any change made in ZenGRC is also replicated in your IdP: a group renamed on only one side no longer matches, and its members are moved to "no access" at their next login.