Integrating with Identity Providers

SailPoint Accelerated Application Management (SAAM) can integrate with external Identity Providers (IdPs) in order to provide visibility into SaaS usage and risk in your organization. Once integrated, SAAM can:

  • Allow the browser extension and SAAM administrators to authenticate against the IdP.
  • Read the list of SaaS applications that have been installed in your organization, and parse SSO logs to continuously detect SSO’ed accounts.
  • Support listing users and user groups in the admin portal.
  • Review the IdP configuration, such as MFA settings and last password rotation dates.

Integrating with Microsoft Entra ID

The SAAM platform is deployed in Microsoft Entra ID as a multi-tenant application. SAAM uses the Microsoft Entra ID API to authenticate end users and administrators logging into the SAAM platform and to gather information on applications integrated with Microsoft Entra ID and their permissions.

You will first establish trust between SAAM and Microsoft Entra ID, and then create SAAM platform administrators.

To establish trust with Microsoft Entra ID, an Azure Active Directory administrator who holds the Privileged Role Administrator role is required.

To establish trust with Microsoft Entra ID:

  1. Log into the SAAM admin console at https://app.savvy.security/ using your admin credentials.
  2. Go to Settings > General Settings.
  3. Select the Identity Provider tab.
  4. Select +Add.
  5. Select Azure AD.
  6. Select Connect.
  7. If you are an Azure Active Directory Administrator with an admin privileged role, select Open link.
    • Select the checkbox to accept the permissions requested by SAAM. For a full list of requested permissions, refer to Requested Permissions.
    • A confirmation page is displayed confirming trust has been successfully established.
  8. If you are not an Azure Active Directory Administrator with an admin privileged role, select Copy link.
    • Ask your Microsoft Entra ID administrator with an admin privileged role to click on the copied link and establish trust.
    • Once trust is established, select Connect.
  9. A green dot is displayed confirming that connection was established.

To define SAAM administrators:

  1. Select Settings > Admin Management in the left panel.
  2. Select Add Admin and add users and groups from your IdP who will manage the SAAM platform.
  3. Select the avatar in the top right corner and select Log out.
  4. Log back into the SAAM admin console using an organizational administrator account.
  5. Within the Microsoft Permissions requested page, select Consent on behalf of your organization and select Accept.

Requested Permissions

The following table shows the permissions required by SAAM applications from Microsoft Entra ID.

Microsoft Permission name            Description
Directory.Read.All                   Read directory data
User.Read.All                        Read all users' full profiles
Application.Read.All                 Read all applications
AuditLog.Read.All                    Read all audit logs
Policy.Read.All                      Read all organizational policies (e.g., Conditional Access, authentication, token policies)
UserAuthenticationMethod.Read.All    Read all users' registered authentication methods (e.g., phone, FIDO2, Authenticator app)
email, openid, profile, User.Read    Log in (OpenID Connect 2.0) and read user's profile
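The table above is the set an administrator should expect to see consented for the SAAM service principal, and nothing more. The following Go program is an added example (not SailPoint's or Microsoft's code) of how to check that: it reads a Microsoft Graph oauth2PermissionGrants listing, collects the delegated scopes consented for one client service principal, and reports scopes that are missing from the table, scopes granted beyond it, and whether a tenant-wide (admin consent, consentType "AllPrincipals") grant exists, which is what the "Consent on behalf of your organization" step produces. The JSON below is constructed sample data and the service principal IDs are placeholders; the grant field names (clientId, consentType, principalId, scope) are those of the Graph oauth2PermissionGrant resource.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// RequiredScopes is the delegated permission set from the table above.
var RequiredScopes = []string{
	"Directory.Read.All", "User.Read.All", "Application.Read.All",
	"AuditLog.Read.All", "Policy.Read.All", "UserAuthenticationMethod.Read.All",
	"email", "openid", "profile", "User.Read",
}

// grant carries the fields of a Graph oauth2PermissionGrant object used here.
// Scope is a space-separated list; ConsentType is "AllPrincipals" for
// tenant-wide admin consent and "Principal" for a single user's consent.
type grant struct {
	ClientID    string `json:"clientId"`
	ConsentType string `json:"consentType"`
	PrincipalID string `json:"principalId"`
	Scope       string `json:"scope"`
}

// Report summarises the consented scopes for one client service principal.
type Report struct {
	Granted    []string // every scope consented to, across all grants
	Missing    []string // required by the table but not consented
	Excess     []string // consented but not required: review or revoke
	TenantWide bool     // at least one AllPrincipals (admin consent) grant exists
}

// AuditGrants parses a Graph "value" array of oauth2PermissionGrants, keeps
// the grants for clientID and compares the union of their scopes with required.
func AuditGrants(raw []byte, clientID string, required []string) (Report, error) {
	var page struct {
		Value []grant `json:"value"`
	}
	if err := json.Unmarshal(raw, &page); err != nil {
		return Report{}, err
	}
	granted := map[string]bool{}
	var rep Report
	for _, g := range page.Value {
		if g.ClientID != clientID {
			continue
		}
		if g.ConsentType == "AllPrincipals" {
			rep.TenantWide = true
		}
		for _, s := range strings.Fields(g.Scope) {
			granted[s] = true
		}
	}
	want := map[string]bool{}
	for _, s := range required {
		want[s] = true
		if !granted[s] {
			rep.Missing = append(rep.Missing, s)
		}
	}
	for s := range granted {
		rep.Granted = append(rep.Granted, s)
		if !want[s] {
			rep.Excess = append(rep.Excess, s)
		}
	}
	sort.Strings(rep.Granted)
	sort.Strings(rep.Missing)
	sort.Strings(rep.Excess)
	return rep, nil
}

// SampleGrants is a constructed Graph response (placeholder IDs, not real
// tenant data): one tenant-wide grant that lacks the authentication-method
// scope, one per-user grant carrying a scope the table does not list, and a
// grant for an unrelated client that must be ignored.
const SampleGrants = `{"value":[
 {"clientId":"sp-saam-0000","consentType":"AllPrincipals","principalId":null,
  "scope":"Directory.Read.All User.Read.All Application.Read.All AuditLog.Read.All Policy.Read.All openid profile email User.Read"},
 {"clientId":"sp-saam-0000","consentType":"Principal","principalId":"user-1111",
  "scope":"Mail.Read User.Read"},
 {"clientId":"sp-other-9999","consentType":"AllPrincipals","principalId":null,
  "scope":"Directory.ReadWrite.All"}
]}`

func main() {
	rep, err := AuditGrants([]byte(SampleGrants), "sp-saam-0000", RequiredScopes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tenant-wide consent: %v\nmissing: %v\nexcess:  %v\n", rep.TenantWide, rep.Missing, rep.Excess)
}
```

Run against a real tenant, the `value` array would come from the Graph endpoint that lists permission grants for the SAAM service principal; a non-empty Excess list is the finding to act on, and a missing scope explains a feature (here, reading registered authentication methods) that SAAM cannot populate.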

Creating a Privileged Role Administrator in Azure Active Directory

  1. Log in to Azure Portal at https://portal.azure.com/.
  2. Under Azure Services, select Azure Active Directory.
  3. Select Users and select the user that will be used for the SAAM authorization.
  4. From the left panel, select Assigned roles.
  5. Select Add assignment and select the checkbox beside Privileged role administrator.

The role is now assigned to the user. To verify, check that the Resource Name is set to Directory and the Assignment Path is set to Direct.

Integrating with Okta

SAAM uses the Okta API to authenticate end users and administrators logging into the SAAM platform and to gather information on applications integrated with Okta and their permissions.

You will first create an app integration in Okta to configure authentication, and then configure a service application.

To configure authentication:

  1. Log into Okta at https://www.okta.com/.
  2. Go to Applications > Applications.
  3. Select Create app integration.
  4. On the Create app integration page complete the following:
    • In the Sign-in method section, select OIDC OpenID Connect.
    • In the Application type section, select Web Application.
  5. Select Next.
  6. On the New Web Application Integration page, complete the following:
    • In the App integration name field, enter SAAM authentication.
    • In the Grant type field, select Authorization Code and Implicit (hybrid).
    • In the Sign-in redirect URIs field, enter https://auth2.savvy.security/self-service/methods/oidc/callback.
    • In the Sign-out redirect URIs field, remove the default URI.
    • In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or to skip assignment until after app creation.
  7. Select Save to save these settings.
  8. Select the Okta API Scopes tab.
  9. Grant the okta.users.read.self scope.
  10. Select the General tab.
  11. Copy the following details from the Okta General tab, into the SAAM admin console Settings > General Settings > Identity Provider:
    • Okta domain
    • Client ID
    • Client Secret

To configure the service application:

  1. Log into Okta at https://www.okta.com/.
  2. Go to Security > Administrators.
  3. Select the Roles tab.
  4. Select Create to create a new role.
  5. On the Create new role page complete the following:
    • In the Role name field, enter SAAM-Role.
    • In the Description field, provide additional details about the role and the access it grants.
    • In the Select permissions section, search for "view roles", and add the View roles, resources and admin assignments permission.
  6. Select Save to save the role settings.
  7. Select the Resources tab.
  8. Select Create new resource set.
  9. On the Create new resource set page complete the following:
    • In the Resource name field, enter SAAM-Resource.
    • In the Description field, provide additional details about the resource.
  10. Select Add Resource.
  11. On the Add Resource page, select Identity and Access Management and then select All Identity and Access Management resources.
  12. Select Save to save these settings.
  13. Go to Applications > Applications.
  14. Select Create app integration.
  15. On the Create app integration page complete the following:
    • In the Sign-in method section, select API Services.
    • In the Application type section, select Web Application.
  16. Select Next.
  17. On the New Web Application Integration page complete the following:
    • In the App integration name field, enter SAAM services app.
  18. Select the Admin roles tab.
    • On the Complete the assignment page complete the following:
      • In the Role field, select SAAM-Role.
      • In the Resources set field, select SAAM-Resource.
      • In the Role field, select the Read-only Administrator role.
  19. Select Add assignment.
  20. Select the Okta API Scopes tab.
  21. Grant the following scopes:
    • okta.users.read - Read users for policy matching.
    • okta.groups.read - Read groups for policy matching.
    • okta.apps.read - Read oauth/saml applications to create inventory items.
    • okta.logs.read - Read sign in events.
    • okta.policies.read - Read policies in order to understand MFA status per application.
    • okta.domains.read - Fetching any verified domain.
    • okta.roles.read - Determine role per user, primarily to evaluate if a user is an administrator.
    • okta.appGrants.read - Read all app grants.
  22. Select the General tab.
  23. Select Edit to edit the client credentials.
  24. In the Client Credentials section, for Client authentication select Public key / Private key.
  25. In the PUBLIC KEYS section complete the following:
    • In the Configuration field, select Use a URL to fetch keys dynamically.
    • In the URL field, enter the URL from the SAAM admin console Settings > General Settings > Identity Provider.
    • Deselect the Proof of possession radio button.
  26. Select Save to save the settings.
  27. Select the General tab.
  28. Copy the following details from the Okta General tab, into the SAAM admin console Settings > General Settings > Identity Provider:
    • Client ID
    • Okta domain
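Steps 23 to 28 switch the service application from a client secret to public/private key client authentication: Okta fetches SAAM's public keys from the URL entered in step 25 (a JWKS document) and SAAM authenticates to the token endpoint with a JWT signed by the matching private key (the private_key_jwt method of RFC 7523). The Go program below is an added example of both halves of that exchange; it is not SailPoint's or Okta's code. It publishes a JWKS for a freshly generated RSA key, signs a client assertion, and then performs the checks an authorization server makes before accepting it: the signing key must be one published under the presented kid, the signature must verify, and the claims must name this client (iss and sub), this token endpoint (aud) and an unexpired lifetime. The client ID and the token URL in main are placeholders, and the Okta org token endpoint path /oauth2/v1/token is assumed from Okta's standard layout.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as JOSE requires

// PublishJWKS builds the RFC 7517 document served at the "fetch keys dynamically" URL.
func PublishJWKS(pub *rsa.PublicKey, kid string) ([]byte, error) {
	n, e := b64.EncodeToString(pub.N.Bytes()), b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return json.Marshal(map[string]interface{}{"keys": []map[string]string{{"kty": "RSA", "kid": kid, "n": n, "e": e}}})
}

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v interface{}) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// ClientAssertion signs the private_key_jwt assertion (RFC 7523) the service app
// sends to the token endpoint: iss and sub are the client ID, aud is the endpoint,
// the lifetime is a few minutes and jti is unique so a replayed assertion is detectable.
func ClientAssertion(priv *rsa.PrivateKey, kid, clientID, tokenURL string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": tokenURL,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), "jti": fmt.Sprintf("%x", now.UnixNano())})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion mirrors the authorization server's checks: select the JWKS key by kid,
// verify the RS256 signature, then confirm the claims bind the assertion to this
// client and this token endpoint and that it has not expired.
func VerifyAssertion(assertion string, jwksDoc []byte, clientID, tokenURL string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return err
	}
	var jwks struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &jwks); err != nil {
		return err
	}
	var pub *rsa.PublicKey // chosen from the published JWKS, never from the token itself
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	sig, err := b64.DecodeString(parts[2])
	if pub == nil || err != nil {
		return errors.New("no usable JWKS key for kid " + hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature invalid")
	}
	var claims struct{ Iss, Sub, Aud string; Exp int64 }
	if err := decodeSegment(parts[1], &claims); err != nil {
		return err
	}
	if claims.Iss != clientID || claims.Sub != clientID || claims.Aud != tokenURL {
		return errors.New("assertion not bound to this client and token endpoint")
	}
	if now.Unix() >= claims.Exp {
		return errors.New("assertion expired")
	}
	return nil
}

func main() {
	clientID, tokenURL := "0oaEXAMPLECLIENTID", "https://example.okta.com/oauth2/v1/token" // placeholders
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks, _ := PublishJWKS(&priv.PublicKey, "saam-key-1")
	now := time.Now()
	a, _ := ClientAssertion(priv, "saam-key-1", clientID, tokenURL, now)
	fmt.Println("verify:", VerifyAssertion(a, jwks, clientID, tokenURL, now))
}
```

The shape of VerifyAssertion is why the JWKS URL in step 25 matters from a defensive standpoint: the verifier only ever trusts keys it fetched from that URL, so whoever controls the URL controls which private keys can authenticate as the service app, and rotating a key is a matter of publishing a new kid there and retiring the old one.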