SAML Provisioning and DeProvisioning

Planned

Comments

40 comments

  • Official comment
    Douglas Freeman

    Hello all, 
    I am happy to announce that SCIM provisioning is now available although it is only supported for Azure.

    You can find the documentation on how to utilize SCIM provisioning here!!

    Note:

    If you go to enable SCIM provisioning and it is not available please note that we are incrementally releasing this across the platform so you may see it in a few days if you do not see it right now!

    I do recognize that this request does mention OKTA so I'll keep this ticket open for our development team to see any additional requests and for additional contributors who want to make their voice heard! 

    If you have additional questions feel free to submit a support request by emailing support.knowbe4.com

    Or give us a call:

    United States: +1 855-815-9494
    Mexico: +52 800-283-3201
    El Salvador: +503 2136-1126
    Phone support is available weekdays from 6 a.m.-9 p.m. (Eastern)

  • Douglas Freeman

    Hey David! 

    Thank you for posting to the community board! 

    If you're using SAML I can see how full provisioning could be a much better way to get user information into the console rather than using a CSV or Active Directory. 

    I'm sure this is something our Dev team would be interested in so I've submitted a feature request for review on this item.

    Thank you again for contributing. Let us know if you have any additional items to contribute to the board!

    1
  • David Harman

    The big key here is that AD Sync is not available to many organizations which is currently the only automation that exists for onboarding a user in a useful manner.  

    0
  • Dave Brock

    Based on my understanding of the current Okta/SAML integration, users will have to log into KB4 via their IdP, after which the account in KB4 will be automatically and immediately provisioned. This means that we cannot begin doing any activity with our users UNTIL they log in. So it is completely on them to complete this activity in order for the administrators to begin configuring any training.

    Is this correct?

    0
  • David Harman

    No, you can use the Import Users function and the email address there to provision them in the system. However, you then have to go back and edit them to get the attributes set.

    0
  • Douglas Freeman

    Hi Dave, 

    I can offer a little insight there. 

    You are correct that a KnowBe4 account will be created when a user logs in via the IdP. So there are two ways to navigate this. 

    1. You allow the users to sign in and allow the console to provision them prior to assigning any training as you said above which can admittedly be clunky. 

    2. You can set up training campaigns or use our smart groups feature that will capture the users when they are provisioned and automatically assign them training.

    Here is the documentation on how to use Smart Groups

    An example:

    Here any user that is provisioned by the IdP will be assigned the training as long as they are in the group associated. In the below example I used the catch-all group "All Users". So ANY provisioned going forward would get added to the below campaign. 

     


    Currently, we don't have full provisioning so the best option will still be to load those users prior to any training/ phishing campaigns. 

    I hope this helps! 

    0
  • Andrew Meyercord (Edited)

    This would be a very useful feature to have. We use Okta lifecycle management which uses SCIM to provision and deprovision users, as well as to ensure that user properties are kept up-to-date across all of our hosted applications. With KnowBe4, we use AD sync instead, since that's the only option available to us, but one of many ways this falls short is in the timing of new user onboarding.

    I usually stage accounts for new users days or weeks before they actually start. I can then schedule the user's start date in Okta and have it create or update the accounts with our service providers on their first day. If this worked for KnowBe4, the user could be added to the new user training campaign and the timer would be relative to their start date. But with AD sync, as soon as I create the account in AD, it syncs to KB4 and the timer starts on their campaign deadline relative to the creation date instead of the start date.

    It would be infinitely easier to simply use the automated processes at Okta to provision the KB4 user account on the user's start date and then the training deadline will be correct.

    1
  • Douglas Freeman

    Hey Andrew, 

    Thank you for contributing to our community board. I can completely see how this would be a great improvement for you. I may be able to address the issue with your users being created or starting and then immediately receiving training. You should be able to mitigate this with Smart groups.

    The idea here is that you create a training that you would like your new users to enroll in and set the enrolling group to your smart group.

    The smart group will be set with a delay that will not bring the users in until that delay criterion is met. 

    As you can see above I set a 10-day delay for the enrollment into this group. Giving your organization a nice buffer between account creation or start date and when the training is officially assigned. 

    This might work for your needs but is not the solution that you requested so I'm submitting a feature request on your behalf. 

    I again appreciate the contribution and look forward to anything else you can suggest that would bring more value to the platform! 

    0
  • Randy Hanooman

    I've been asking for this for 2+ years. I don't understand why this isn't a priority. CSVs are not a great way to manage this as our organization grows.

    4
  • Douglas Freeman (Edited)

    Hello Randy, 
    I'm glad to let you know that we are planning a Q3 Beta for SAML provisioning and a full release in Q4. These are of course not set in stone but we are planning an implementation of this item!

    Thank you for your feature request and I'm hoping that we can meet what you've been requesting here very soon!

    1
  • David Harman

    Douglas, if you are looking for testers of this that use Okta as an IdP so that y'all can validate the Okta app as well, please let me know. We are VERY interested in this as it's a time-consuming manual process to add / remove users now. I'm hoping the solution dev is working on includes adding AND archiving users for the full lifecycle management.

    3
  • Douglas Freeman

    Hey David, 

    Thank you, I'll reach out to see when our Beta for this item is starting and see if we can't get you added to the list!

    I appreciate the contribution and the offer to be one of our Beta testers! 

    0
  • Zack Moody

    We would also like to be on the Beta list if you're still accepting. We have been needing this for a while now and it has inhibited full adoption of the product.

    0
  • Jennifer Wescott

    OneLogin org here, but echoing everything everyone says above. Thank you!

    0
  • Khalid Osmani

    Any update on this? It's really hard to believe it has been a year they are working on this yet it's still not supported in Okta. 

    0
  • Walter Nelson

    Hi Khalid,

    Thanks for your interest in this. Currently, this is in a closed Beta but is still very much being worked on and is something we will be excited to release in the future!

    0
  • Khalid Osmani

    @Walter, any updates on this? Is it still in Beta?

    0
  • Walter Nelson

    Hi Khalid,

    We are no longer doing the beta for this. We did learn a lot from it though and are looking to implement our findings when we go to a full release later this year.

    1
  • Chester Banaszak

    Azure is great and all, but Okta is a pretty popular identity provider. We've had KB4 for years but have been waiting patiently to finally do user provisioning in our tenant for Okta, and it's still tumbleweeds out here waiting for it and trying to rig up some automated exports of CSVs out of Okta to manually import into KB4. It's 2021 now- SCIM provisioning should be easily achievable! 

    2
  • Walter Nelson

    Hi Chester,

    Thanks for your interest in this feature. This is something we are planning to do and is being worked on. Hang in there, this is coming!!

    0
  • Stephen Mastin

    We are getting closer to being halfway through 2021. Is there any update on this being officially supported?

    I was able to create my own SCIM integration with Okta based off some of the Azure docs, really the only issue is that it doesn't get a proper response code that it added the user. Okta just sees it that it didn't provision the user correctly even though they are all in KB4. 

    0
  • Walter Nelson

    Hi Stephen,

    I can definitely see this is a feature you are interested in and have made sure you are added to it as a +1. This is still something we are planning to do.

    0
  • Karen Huffman

    Reading through all the comments. We are Okta & KB4 users as well and have been hoping for the full lifecycle management of accounts as well. Please add me to any notifications about this. Thank you.

    0
  • Walter Nelson

    Hi Karen,

    Thanks for posting. I've got you added to this as well.

    0
  • Rsantos

    Please add me too Walter!  I've been following this thread for this very feature.  Thanks!

    0
  • Walter Nelson

    Hi Robert,

    That's fantastic! I've got you added to this feature request.

    0
  • Vyawahare, Prafulla

    Please add me too. SAML provisioning is very important and expecting KnowBe4 to support a wide range of technologies so that many clients can get benefited.

    0
  • Kivi Dennis

    Hi Prafulla,

    Thanks for your post. I have added you on as a +1 to the feature request.

    0
  • Ryan Swimm

    We need SCIM for Okta ASAP. We've been asking for this feature for years.

    1
  • Walter Nelson

    Hi Ryan,

    Thanks for your interest in this feature. I've got you added to this as well. This is something we are planning to do and I know will be very welcomed by the community!

    0