Audience: System Administrators
Content Summary: Any number of identity managers can be configured and enabled for an instance of Immuta. Each identity manager has a specific set of configurations that enables it to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta.
For information about specific identity managers, navigate to the following sections: Built-in (Immuta) Identity Manager, Active Directory, Azure Active Directory, LDAP, OAuth2, OneLogin, OpenID, and SAML 2.0.
Identity managers are used with Immuta to provide authentication and fine-grained user entitlement.
The Immuta IAM can be used as a complete solution for authentication and authorization. Group and attribute values within the Immuta IAM can be used to broker access to projects and data sources. They can also be used to drive policies.
The Immuta IAM is enabled by default, so there are no additional configuration options needed to support this mode.
External identity managers configured in Immuta allow users to authenticate using an existing identity management system and can optionally be used to synchronize user groups and attributes into Immuta. Each identity manager configured in Immuta is assigned a unique identifier, referred to as the IAM ID, and all users, groups, and attributes are associated with exactly one IAM ID.
Identity Manager Options and Configuration
Identity managers can be added from the App Settings page. The following section describes some of the most commonly used features that can be configured for an identity manager.
Each identity manager supports the configuration of default permissions. This configuration setting controls what permissions each user who logs in receives by default. These permissions are applied the first time each user logs in, and any changes to the default permissions will only apply to new users.
In the case where the default permissions are empty, new users will receive no special permissions in Immuta and an administrator will need to grant them any permissions that they need. Alternatively, group permissions may be configured, in which case permissions will be evaluated based on the groups users belong to.
Each identity manager configured has a mapping of attributes from the source system into attributes on the user profile in Immuta.
This example is the profile schema mapping for an LDAP/Active Directory IAM.
Profile schema attributes provide general purpose user information and cannot be used as entitlements for policies.
Identity managers that support group synchronization will have a group schema configuration option. This defines how group attributes are mapped in Immuta.
This example is the group schema mapping for an LDAP/Active Directory IAM.
When an identity manager is configured to synchronize groups you will have the option to define a mapping of groups to Immuta permissions. Users who belong to one of the given groups will be granted the listed permissions automatically.
External Groups and Attributes Endpoint
If desired, an IAM system can be used for authentication and combined with an external REST endpoint to retrieve user groups and attributes. This option provides flexibility in exactly how groups and attributes are associated with users in Immuta.
External User ID Mapping
External IDs for native integrations can be mapped in for Databricks, HDFS, and Snowflake based on attributes from an external IAM system, allowing you to link an external account to the corresponding Immuta account even when usernames do not match between Immuta and the external system. These mappings are defined in the IAM configuration in the App Settings page.
For IAMs where no mapping has been defined (including the BIM), the external user ID mappings can be set manually on the user details page.
Custom IAM Integrations
Immuta's IAM connections are built with a pluggable NodeJS architecture. This architecture allows rapid development of a custom IAM integration to suit your specific needs.
If you plan to implement a custom IAM integration, contact your Immuta support professional for required source code access, full API documentation, and implementation guidance.