Benefits
ZenGRC allows for easy user management directly from the more common SAML Single Sign-On (SSO) Identity Providers (IdPs), such as Active Directory Federation Services (ADFS) or Okta.
Overview
Through the creation of matching user groups between ZenGRC and your organization's IdP, users can be managed completely on the SSO IdP level with no management on the ZenGRC side. As long as group names match, users can log in to ZenGRC and be allowed access at the appropriate permission level.
Each time users log into ZenGRC, permission changes in the connected SSO IdP are checked and enforced as follows:
If users are not in any IdP group, they may lose permissions in ZenGRC when SAML is enabled.
If users are in two groups in the IdP, they will be placed in the ZenGRC group with the greatest permissions. For example, someone in both the administrators group and the readers group will receive administrator privileges in ZenGRC,
- When users are removed from the IdP, they are not allowed to log in to ZenGRC.
- Users who are still in the IdP, but are not in any of the groups, will be moved to a "no access" status in ZenGRC.
Setting the Connection
Creating a SAML SSO connection between ZenGRC and your IdP must be done in order for group role handling to be enabled.
IMPORTANT
To set up SAML SSO on your ZenGRC instance, please see Configuring SAML SSO in Your IdP.
Enabling Group-Based Roles
To allow for groups in your IdP and ZenGRC instance to share information, complete the following steps:
- Select Enable group based role handling in ZenGRC.
Update group names so they are identical in ZenGRC and your organization's IdP.
TIP
ZenGRC provides default names for you to use; however, they can be changed if needed. Be certain any change made in ZenGRC is also replicated in your IdP.
