SAML Provisioning and DeProvisioning
Planned
Enable full lifecycle management via SAML. The current implementation only supports JIT provisioning and only syncs the email address. A full solution would support the ability to map the other fields identified and help enable automated full lifecycle management. The current solution only creates the user's account when they access it the first time and won't sync updates about the user's profile.
The specific SAML IdP I'm interested in seeing support for is Okta, however the other major platforms should be able to benefit from the same solution.
-
Official comment
Hello all,
I am happy to announce that SCIM provisioning is now available, although it is only supported for Azure. You can find the documentation on how to utilize SCIM provisioning here!
Note:
If you go to enable SCIM provisioning and it is not available, please note that we are incrementally releasing this across the platform, so you may see it in a few days if you do not see it right now!
I do recognize that this request does mention Okta, so I'll keep this ticket open for our development team to see any additional requests and for additional contributors who want to make their voice heard!
If you have additional questions, feel free to submit a support request by emailing support.knowbe4.com
Or give us a call:
United States: +1 855-815-9494
Mexico: +52 800-283-3201
El Salvador: +503 2136-1126
Phone support is available weekdays from 6 a.m. to 9 p.m. (Eastern)
-
Hey David!
Thank you for posting to the community board!
If you're using SAML, I can see how full provisioning could be a much better way to get user information into the console rather than using a CSV or Active Directory.
I'm sure this is something our Dev team would be interested in, so I've submitted a feature request for review on this item.
Thank you again for contributing; let us know if you have any additional items to contribute to the board!
-
Based on my understanding of the current Okta/SAML integration, users will have to log into KB4 via their IdP, after which the account in KB4 will be automatically and immediately provisioned. This means that we cannot begin doing any activity with our users UNTIL they log in. So it is completely on them to complete this activity in order for the administrators to begin configuring any training.
Is this correct?
-
Hi Dave,
I can offer a little insight there.
You are correct that a KnowBe4 account will be created when a user logs in via the IdP. So there are two ways to navigate this.
1. You allow the users to sign in and allow the console to provision them prior to assigning any training, as you said above, which can admittedly be clunky.
2. You can set up training campaigns or use our Smart Groups feature, which will capture the users when they are provisioned and automatically assign them training.
Here is the documentation on how to use Smart Groups
An example:
Here, any user that is provisioned by the IdP will be assigned the training as long as they are in the associated group. In the below example I used the catch-all group "All Users", so ANY provisioned user going forward would get added to the below campaign.
Currently, we don't have full provisioning, so the best option will still be to load those users prior to any training/phishing campaigns.
I hope this helps!
-
This would be a very useful feature to have. We use Okta Lifecycle Management, which uses SCIM to provision and deprovision users, as well as to ensure that user properties are kept up to date across all of our hosted applications. With KnowBe4, we use AD sync instead, since that's the only option available to us, but one of many ways this falls short is in the timing of new user onboarding.
I usually stage accounts for new users days or weeks before they actually start. I can then schedule the user's start date in Okta and have it create or update the accounts with our service providers on their first day. If this worked for KnowBe4, the user could be added to the new user training campaign and the timer would be relative to their start date. But with AD sync, as soon as I create the account in AD, it syncs to KB4 and the timer starts on their campaign deadline relative to the creation date instead of the start date.
It would be infinitely easier to simply use the automated processes at Okta to provision the KB4 user account on the user's start date and then the training deadline will be correct.
-
Hey Andrew,
Thank you for contributing to our community board. I can completely see how this would be a great improvement for you. I may be able to address the issue with your users being created or starting and then immediately receiving training. You should be able to mitigate this with Smart Groups.
The idea here is that you create a training that you would like your new users to enroll in and set the enrolling group to your smart group.
The smart group will be set with a delay that will not bring the users in until that delay criterion is met.
As you can see above, I set a 10-day delay for the enrollment into this group, giving your organization a nice buffer between account creation or start date and when the training is officially assigned.
This might work for your needs, but it is not the solution that you requested, so I'm submitting a feature request on your behalf.
I again appreciate the contribution and look forward to anything else you can suggest that would bring more value to the platform!
-
Hello Randy,
I'm glad to let you know that we are planning a Q3 Beta for SAML provisioning and a full release in Q4. These are of course not set in stone, but we are planning an implementation of this item! Thank you for your feature request, and I'm hoping that we can meet what you've been requesting here very soon!
-
Douglas, if you are looking for testers of this that use Okta as an IdP, so that y'all can validate the Okta app as well, please let me know. We are VERY interested in this, as it's a time-consuming manual process to add/remove users now. I'm hoping the solution dev is working on includes adding AND archiving users for the full lifecycle management.
-
Azure is great and all, but Okta is a pretty popular identity provider. We've had KB4 for years but have been waiting patiently to finally do user provisioning in our tenant for Okta, and it's still tumbleweeds out here waiting for it and trying to rig up some automated exports of CSVs out of Okta to manually import into KB4. It's 2021 now. SCIM provisioning should be easily achievable!
-
We are getting closer to being halfway through 2021. Is there any update on this being officially supported?
I was able to create my own SCIM integration with Okta based off some of the Azure docs. Really, the only issue is that it doesn't get a proper response code that it added the user. Okta just sees it as if it didn't provision the user correctly, even though they are all in KB4.
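As an added example (not KnowBe4's, Okta's, or the commenter's code), the handful of decisions in a SCIM 2.0 `/Users` service that determine whether an IdP concludes a user was provisioned, deduplicated or deactivated. The in-memory store, the attribute set and the single supported filter form are assumptions for illustration; the status codes and message schemas follow RFC 7644: 201 Created carrying the stored resource for a successful POST, 409 with `scimType` "uniqueness" for a duplicate `userName`, a ListResponse for the filtered lookup an IdP typically does before creating, and a path-less PATCH `replace` that sets `active` to false on deprovisioning.

```python
"""Minimal SCIM 2.0 (RFC 7644) /Users handling as pure functions.

Added example; not KnowBe4's or Okta's code. UserStore is a hypothetical
in-memory stand-in for the real user database, and only the core User
schema attributes the IdP sends are stored.
"""
import copy
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class UserStore:
    """Hypothetical in-memory store keyed by the SCIM resource id."""

    def __init__(self):
        self.by_id = {}

    def find_by_username(self, user_name):
        # userName is caseExact=false in the core schema, so compare case-folded.
        key = user_name.casefold()
        for user in self.by_id.values():
            if user["userName"].casefold() == key:
                return user
        return None


def scim_error(status, detail, scim_type=None):
    """Error body per RFC 7644 section 3.12; status is echoed as a string."""
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


def create_user(store, body):
    """POST /Users: 201 Created with the stored resource, or 409 on a duplicate."""
    user_name = body.get("userName")
    if not user_name:
        return scim_error(400, "userName is required", "invalidValue")
    if store.find_by_username(user_name):
        # Answering 200 or 500 here is what makes an IdP believe the create failed.
        return scim_error(409, "userName already exists", "uniqueness")
    user = copy.deepcopy(body)
    user["id"] = str(uuid.uuid4())
    user.setdefault("schemas", [USER_SCHEMA])
    user.setdefault("active", True)
    user["meta"] = {"resourceType": "User", "location": f"/Users/{user['id']}"}
    store.by_id[user["id"]] = user
    return 201, copy.deepcopy(user)


# Only the lookup form an IdP uses before a create is supported: userName eq "x".
_FILTER_RE = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)


def list_users(store, filter_expr=None):
    """GET /Users[?filter=...]: a ListResponse, empty rather than an error on no match."""
    if filter_expr is None:
        matches = list(store.by_id.values())
    else:
        m = _FILTER_RE.match(filter_expr.strip())
        if not m:
            return scim_error(400, "unsupported filter", "invalidFilter")
        found = store.find_by_username(m.group(1))
        matches = [found] if found else []
    return 200, {
        "schemas": [LIST_SCHEMA],
        "totalResults": len(matches),
        "startIndex": 1,
        "itemsPerPage": len(matches),
        "Resources": copy.deepcopy(matches),
    }


def patch_user(store, user_id, body):
    """PATCH /Users/{id}: path-less "replace" ops such as {"active": false}."""
    user = store.by_id.get(user_id)
    if user is None:
        return scim_error(404, f"User {user_id} not found")
    if PATCH_SCHEMA not in body.get("schemas", []):
        return scim_error(400, "expected a PatchOp message", "invalidSyntax")
    for op in body.get("Operations", []):
        value = op.get("value")
        if op.get("op", "").lower() != "replace" or op.get("path") or not isinstance(value, dict):
            return scim_error(400, "only path-less replace is supported here", "invalidValue")
        for attr, new_value in value.items():
            if attr in ("id", "meta", "schemas"):
                return scim_error(400, f"{attr} is read-only", "mutability")
            user[attr] = new_value
    return 200, copy.deepcopy(user)


if __name__ == "__main__":
    # Constructed walk-through: create, duplicate, lookup, deactivate.
    store = UserStore()
    status, created = create_user(store, {"userName": "ana@example.com"})
    print(status, created["id"])
    print(create_user(store, {"userName": "ANA@example.com"})[0])
    print(list_users(store, 'userName eq "ana@example.com"')[1]["totalResults"])
    deactivate = {"schemas": [PATCH_SCHEMA], "Operations": [{"op": "replace", "value": {"active": False}}]}
    print(patch_user(store, created["id"], deactivate)[1]["active"])
```

The point relevant to the symptom above is the first branch of `create_user`: the IdP judges success by the 201 and the returned `id`, not by whether the row exists afterwards, and a duplicate must come back as 409 so the IdP switches to an update rather than retrying the create.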
40 comments