Live Search spaceKey ZenGRCOnboardingGuide additional none placeholder Search our site type page
Benefits
Single sign-on (SSO) provides access to multiple applications with one set of login credentials. ZenGRC
| Note | ||
|---|---|---|
| ||
Please contact support@reciprocitylabs.com to confirm all settings are enabled for SAML prior to continuing configuration. |
Benefits
ZenGRC allows for easy user management directly from common SAML Single Sign-On (SSO) Identity Providers (IdPs), such as Active Directory Federation Services (ADFS) and Okta. Through the creation of matching user groups between ZenGRC and your organization's SSO Identity Provider (IdP).
Overview
The ZenGRC SAML Settings provides an area where groups based on ZenGRC permissions levels can be maintained. By creating groups with the same names in your organization's SSO IdP, users only need to be added at the SSO IdP level, which replicates to ZenGRC and allows users to log in at the appropriate permission level.
IdP, users can be managed completely on the IdP level with no management on the ZenGRC side.
SAML group users are not automatically provisioned. The account is created when a user tries to access ZenGRC.
Overview
By enabling group-based role handling on the ZenGRC SAML Settings page, administrators reduce set up time and increase security by only managing users in one place. Any user in an IdP group corresponding with the identical ZenGRC group can log in to ZenGRC and be allowed access at the appropriate permission level.
At each ZenGRC log in, permission changes in the connected SSO IdP are checked and enforced as follows:
If users are in two groups in the IdP, they will be placed in the ZenGRC group with the greatest permissions. For example, someone in both the administrators group and the readers group will receive administrator privileges in ZenGRC,
- When users are removed from the IdP altogether, they are not allowed to log in to ZenGRC.
- Users who are still in the IdP, but are not in any of the groups, will be moved to a "no access" status in ZenGRC.
Setting the Connection
Creating a SAML SSO connection between ZenGRC and your IdP can only must be done by an administrator with access to both.
in order for group role handling to be enabled.
| Info | ||
|---|---|---|
| ||
To set up SAML SSO on your ZenGRC instance, please see Configuring SAML SSO in Your IdPsee SAML 2.0 / SSO Initial Setup Instructions [archived]. |
Enabling Group-
based RolesBased Roles
After setting up SAML SSO, there are additional steps in your IdP and ZenGRC instance to enable groups.
IdP Set Up
The last step in your IdP is to add an attribute called "groups." Each IdP differs in navigation, but the following shows an example page where attributes are added.
| Note | ||
|---|---|---|
| ||
The attribute must be lower case and without quotes; otherwise the connection will prompt an error. |
The XML generated when this attribute is added looks similar to the example below:
| Code Block | ||
|---|---|---|
| ||
<Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<AttributeValue>Marketing team</AttributeValue>
<AttributeValue>ZenGRC-Editors</AttributeValue>
</Attribute> |
ZenGRC Set Up
To allow for groups in your IdP and ZenGRC instance to share information, complete the following steps:
- In the left-hand navigation, click Settings | Authentication.
- Click on Manage Groups.
- Select Enable group-based role handling in ZenGRC.
Update group names so they are identical in the IdP and ZenGRCZenGRC and your organization's IdP.
Tip title TIP ZenGRC provides default names for you to useruse; however, they can be changed if needed. Be certain any change made in ZenGRC is also replicated in your IdP.
