Skip to content

Integrating with Identity Providers

Application Visibility can integrate with external Identity Providers (IdPs) in order to provide visibility into SaaS usage and risk in your organization. Once integrated, Application Visibility can:

  • Allow the browser extension and Application Visibility administrators to authenticate against the IdP.
  • Read the list of SaaS applications that have been installed in your organization, and parse SSO logs to continuously detect SSO’ed accounts.
  • Support listing users and user groups in the admin portal.
  • Review the IdP configuration, such as MFA settings and last password rotation dates.

Integrating with Microsoft Entra ID

The Application Visibility platform is deployed in Microsoft Entra ID as a multi-tenant application. Application Visibility uses Microsoft Entra ID API to authenticate end users and administrators logging into the Application Visibility platform and to gather information on applications integrated with Microsoft Entra ID and their permissions.

You will first create an app integration in Microsoft Entra ID to configure authentication, and then create a Privileged Role Administrator.

To establish trust with Microsoft Entra ID, an Azure Active Directory Administrator with the Privileged role administrator role is required.

To configure authentication:

  1. Log into the Application Visibility admin console at https://app.savvy.security/ using your admin credentials.
  2. Go to Settings > General Settings.
  3. Select the Identity Provider tab.
  4. Select +Add.
  5. Select Azure AD.
  6. Select Connect.
  7. If your are an Azure Active Directory Administrator with an admin privileged role, select Open link.
    • Select the checkbox to accept the permissions requested by Application Visibility. For a full list of requested permissions, refer to Requested Permissions.
    • A confirmation page is displayed confirming trust has been successfully established.
  8. If you are not an Azure Active Directory Administrator with an admin privileged role, select Copy link.
    • Ask your Microsoft Entra ID administrator with an admin privileged role, to click on the copied link and establish trust.
    • Once trust is established, select Connect.
  9. A green dot is displayed confirming that connection was established.

Application Visibility admins can now access the Application Visibility portal. For more information refer to Accessing Application Visibility.

Requested Permissions

The following table shows the permissions required by Application Visibility applications from Microsoft Entra ID.

Microsoft Permission name Description
Directory.Read.All Read directory data
User.Read.All Read all users' full profiles
Application.Read.All Read all applications
AuditLog.Read.All Read all audit logs
Policy.Read.All Read all organizational policies (e.g., Conditional Access, authentication, token policies)
UserAuthenticationMethod.Read.All Read all users' registered authentication methods (e.g., phone, FIDO2, Authenticator app)
email
openid
profile
User.Read		 Log in (OpenID Connect 2.0) and read user's profile

Creating a Privileged Role Administrator in Azure Active Directory

  1. Log in to Azure Portal at https://portal.azure.com/.
  2. Under Azure Services, select Azure Active Directory.
  3. Select Users and select the user that will be used for the Application Visibility authorization.
  4. From the left panel, select Assigned roles.
  5. Select Add assignment and select the checkbox besides Privileged role administrator.

The role is now assigned to the user. To verify, check that the Resource Name is set to Directory and the Assignment Path is set to Direct.

Integrating with Okta

Application Visibility uses Okta API to authenticate end users and administrators logging into the Application Visibility platform and to gather information on applications integrated with Okta and their permissions.

You will first create an app integration in Okta to configure authentication, and then configure a service application.

To configure authentication:

  1. Log into Okta at https://www.okta.com/.
  2. Go to Applications > Applications.
  3. Select Create app integration.
  4. On the Create app integration page complete the following:
    • In the Sign-in method section, select OIDC OpenID Connect.
    • In the Application type section, select Web Application.
  5. Select Next.
  6. On the New Web Application Integration page, complete the following:
    • In the App integration name field, enter Application Visibility authentication.
    • In the Grant type field, select Authorization Code and Implicit (hybrid).
    • In the Sign-in redirect URIs field, enter https://auth2.savvy.security/self-service/methods/oidc/callback.
    • In the Sign-out redirect URIs field, remove the default URI.
    • In the Assignments section, select whether to assign the app integration to everyone in your org, only selected group(s), or to skip assignment until after app creation.
  7. Select Save to save these settings.
  8. Select the Okta API Scopes tab.
  9. Grant the okta.users.read.self scope.
  10. Select the General tab.
  11. Copy the following details from the Okta General tab, into the Application Visibility admin console Settings > General Settings > Identity Provider:
    • Okta domain
    • Client ID
    • Client Secret

To configure the service application:

  1. Log into Okta at https://www.okta.com/ .
  2. Go to Security > Administrators.
  3. Select the Roles tab.
  4. Select Create to create a new role.
  5. On the Create new role page complete the following:
    • In the Role name field, enter SAAM-Role.
    • In the Description filed, provide additional details about the role and the access it grants.
    • In the Select permissions section, search for "view roles", and add the View roles, resources and admin assignments permission.
  6. Select Save to save the role settings.
  7. Select the Resources tab.
  8. Select Create new resource set.
  9. On the Create new resource set page complete the following:
    • In the Resource name field, enter SAAM-Resource.
    • In the Description filed, provide additional details about the resource.
  10. Select Add Resource.
  11. On the Add Resource page, select Identity and Access Management and then select All Identity and Access Management resources.
  12. Select Save to save these settings.
  13. Go to Applications > Applications.
  14. Select Create app integration.
  15. On the Create app integration page complete the following:
    • In the Sign-in method section, select API Services.
    • In the Application type section, select Web Application.
  16. Select Next.
  17. On the New Web Application Integration page complete the following:
    • In the App integration name field, enter Application Visibility services app.
  18. Select the Admin roles tab.
    • On the Complete the assignment page complete the following:
      • In the Role field, select SAAM-Role.
      • In the Resources set field, select SAAM-Resource.
      • In the Role field, select the Read-only Administrator role.
  19. Select Add assignment.
  20. Select the Okta API Scopes tab.
  21. Grant the following scopes:
    • okta.users.read - Read users for policy matching.
    • okta.groups.read - Read groups for policy matching.
    • okta.apps.read - Read oauth/saml applications to create inventory items.
    • okta.logs.read - Read sign in events.
    • okta.policies.read - Read policies in order to understand MFA status per application.
    • okta.domains.read - Fetching any verified domain.
    • okta.roles.read - Determine role per user, primarily to evaluate if a user is an administrator.
    • okta.appGrants.read - Read all app grants.
  22. Select the General tab.
  23. Select Edit to edit the client credentials.
  24. In the Client Credentials section, for Client authentication select Public key / Private key.
  25. In the PUBLIC KEYS section complete the following:
    • In the Configuration field, select Use a URL to fetch keys dynamically.
    • In the URL field, enter the URL from the Application Visibility admin console Settings > General Settings > Identity Provider.
    • Deselect the Proof of possession radio button.
  26. Select Save to save the settings.
  27. Select the General tab.
  28. Copy the following details from the Okta General tab, into the Application Visibility admin console Settings > General Settings > Identity Provider:
    • Client ID
    • Okta domain

Application Visibility admins can now access the Application Visibility portal. For more information refer to Accessing Application Visibility.