Integrating with Other IdPs

Application Visibility can be integrated with IdPs other than Microsoft Entra ID and Okta, to authenticate end users and administrators logging into the Application Visibility platform, and to gather information on applications.

Once integrated with your IdP, Application Visibility can:

• Allow the browser extension and Application Visibility administrators to authenticate against the IdP.
• Support listing user accounts, applications, and related user activity in the admin portal.

Notes

• When integrating with an IdP other than Microsoft Entra ID or Okta, the browser extension cannot retrieve the list of onboarded applications, therefore Application Visibility cannot parse the SSO logs.

  Most applications and accounts will still be detected by the browser extension, unless they are:

  • Completely inactive, or;
  • Used exclusively outside of managed browsers.

• Because real-time correlation with IdP SSO events is not available, the browser extension is unable to determine the login method for these IdPs. As a result, it is not possible to automatically detect local access to applications that are SSO-enabled.

  Advanced administrators can still investigate potential local access by:

  • Reviewing activity logs for suspected applications.
  • Focusing on “Credentials submitted” events.
  • Examining the destination URLs to which credentials are submitted, which may indicate local authentication paths.

You will first configure an OIDC application in your IdP to allow browser extension authentication, and then deploy your tenant ID to the browser extension on your endpoints using your MDM solution.

Configuring an OIDC application in your IdP and Application Visibility

Create an application in your IdP to support OIDC-based authentication for browser extensions, and integrate with Application Visibility. This allows the extension to sign in transparently without additional user interaction.

1. Log into your IdP.
   • Create a new dedicated OIDC application for Application Visibility. Enter the redirect URI as https://auth2.savvy.security/self-service/methods/oidc/callback.
2. Copy the information from the Client ID, Client Secret, and Issuer ID fields. You’ll need this information when you configure the IdP in Application Visibility.
3. In Application Visibility, go to Settings > General Settings > Identity Provider.
4. Select Add.
5. Select OpenID.
6. On the Identity Provider page, complete the following:
   • Client ID – The Client ID from your IdP.
   • Client Secret - The Client Secret from your IdP.
   • Issuer URI - The Issuer URI from your IdP.

Deploying a PowerShell Script using MDM

These generic instructions describe how to deploy a PowerShell script using a Mobile Device Management (MDM) solution. The MDM pushes the PowerShell script to managed Window’s endpoints and executes it remotely with administrative privileges. This is the recommended method.

Creating a PowerShell script

1. Create a .ps1 file containing the registry configuration.

   An example script provided below. Replace <YOUR-TENANT-ID> with the actual tenant value provided to you during onboarding.

   Example Powershell Script

   $tenantId = "<YOUR-TENANT-ID>"
   
   $paths = @(
     "HKLM:\Software\Policies\Google\Chrome\3rdparty\extensions\ckdibgmbbhmafmjpjmknleccgcddanan\policy",
     "HKLM:\Software\Policies\Microsoft\Edge\3rdparty\extensions\ckdibgmbbhmafmjpjmknleccgcddanan\policy"
   )
   
   foreach ($p in $paths) {
     if (!(Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
     New-ItemProperty -Path $p -Name "TenantID" -Value $tenantId -PropertyType String -Force | Out-Null
   }
   

2. Save the .ps1 file as set-tenant.ps1.

Uploading Script to your MDM

In your MDM admin console:

1. Go to Device Management or Scripts.
2. Select Add Script, Run Script, or PowerShell Script.
3. Upload the .ps1 file.
4. Select the target device group, for example All Windows devices.

Configure Execution Settings

In your MDM admin console, configure the following settings:

Setting Type	Setting
Run as	SYSTEM/Administrator
Execution Frequency	- Run once (recommended) - Run at every check-in (if you want enforcement)
PowerShell mode (If supported by your MDM)	- Run in 64-bit PowerShell - Execution policy bypass - Run silently
Assigning	- Device group, or - All managed Windows devices Note: Most MDMs will execute scripts at next endpoint check-in, or immediately if the device is online.

Verifying Deployment on Endpoint

After deployment, you can verify that the script was successfully applied on a Windows endpoint.

To verify deployment using registry check:

1. On the endpoint, open regedit.

2. Locate the following registry path for your browser:

   • Google Chrome - HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome\3rdparty\extensions\
   • Microsoft Edge - HKEY_LOCAL_MACHINE\Software\Policies\Edge\Chrome\3rdparty\extensions\

3. Verify the TenantID key value matches your tenant ID.

To verify deployment using PowerShell:

1. On the endpoint, open PowerShell.

2. Run the following command:

   Get-ItemProperty "HKLM:\Software\Policies\Google\Chrome\3rdparty\extensions\ckdibgmbbhmafmjpjmknleccgcddanan\policy"

3. Verify the TenantID key value matches your tenant ID.

Troubleshooting Script Deployment Issues

Issue	Action
Script did not apply	Check: - Device is enrolled in MDM - Device is online - Script assigned to correct group
Access denied error	Ensure script runs as SYSTEM/Administrator
Registry key exists but not applied	Restart browser to read new policy