Skip to content

Identity Managers

Audience: System Administrators

Content Summary: Any number of identity managers can be configured and enabled for an instance of Immuta. Each identity manager has a specific set of configurations that enables it to communicate with the IAM system and map the users, permissions, groups, and attributes into Immuta. To configure an external IAM in Immuta see the App Settings Page.

This page contains general information about how identity managers are used within Immuta and common configuration options.

For information about specific identity managers, navigate to the following sections: Azure Active Directory, Okta, and OneLogin.

Overview

Identity managers are used with Immuta to provide authentication and fine-grained user entitlement.

The Immuta IAM can be used as a complete solution for authentication and authorization. Group and attribute values within the Immuta IAM can be used to broker access to projects and data sources and to drive policies.

The Immuta IAM is enabled by default, so there are no additional configuration options needed to support this mode.

Best Practice: Identity Access Management

Immuta recommends using an external IAM for user authentication and using Immuta's built-in IAM to manage user attributes.

External Identity Managers and Immuta

External identity managers configured in Immuta allow users to authenticate using an existing identity management system and can optionally be used to synchronize user groups and attributes into Immuta. Each identity manager configured in Immuta is assigned a unique identifier, referred to as the IAM ID, and all users, groups, and attributes are associated with exactly one IAM ID.

IAM Protocol Feature Support Matrix

The table below illustrates the features supported by each IAM protocol.

Feature AD/LDAP SAML 2.0 OpenID Connect 1.0
Read user groups on user login Yes Yes No - it needs an external user info. service.
Read user attributes on user login Yes Yes No - it needs an external user info. service.
Provisioning: SCIM 2.0 Support (users & groups) No Yes Yes
Provisioning: Periodic directory sync (users & groups) Yes No No
Read ALL directory groups for policy authoring Yes Yes, with SCIM. Yes, with SCIM.
Consume attributes/groups from arbitrary sources Yes, with a shim. Yes, with a shim and only if NOT using SCIM. Yes, with a shim and only if NOT using SCIM.
Query Engine SSO support Yes No - Exception: Okta customers can leverage their Okta LDAP interface to authenticate their users with the Query Engine using LDAP, while using SAML/OIDC-based SSO for the Immuta web application. No - Exception: Okta customers can leverage their Okta LDAP interface to authenticate their users with the Query Engine using LDAP, while using SAML/OIDC-based SSO for the Immuta web application.

IAM Solutions Support Matrix

The table below illustrates the providers supported by the IAM protocols.

Provider LDAP SAML 2.0 OpenID Connect 1.0 SCIM 2.0
Active Directory Yes No No No
ADFS This provider only supports authentication with native integrations, meaning users can authenticate to their native integration, but their attributes will not be synced; attributes will only be synced when users authenticate with the Immuta UI. No Yes Yes No
Amazon Cognito This provider only supports authentication with native integrations, meaning users can authenticate to their native integration, but their attributes will not be synced; attributes will only be synced when users authenticate with the Immuta UI. No No Yes No
Azure Active Directory No Yes Yes Yes
Centrify Yes Yes Yes No
JumpCloud Yes Yes Yes No
Keycloak This provider only supports authentication with native integrations, meaning users can authenticate to their native integration, but their attributes will not be synced; attributes will only be synced when users authenticate with the Immuta UI. No Yes Yes No
Okta Yes Yes Yes Yes
OneLogin Yes Yes Yes Yes
OpenLDAP & other LDAP servers Yes No No No
Oracle Access Manager No Yes Yes Yes
Ping Identity Yes Yes Yes Yes

Identity Manager Options and Configuration

Identity managers are added from the App Settings page. Features like default permissions, profile schema, group schema, group permissions, and external groups and attributes endpoint are managed from the App Settings page as well.

Default Permissions

Each identity manager supports the configuration of default permissions. This configuration setting controls what permissions each user who logs in receives by default. These permissions are applied the first time each user logs in, and any changes to the default permissions will only apply to new users.

In the case where the default permissions are empty, new users receive no special permissions in Immuta and an administrator will need to grant them any permissions that they need. Alternatively, group permissions may be configured, in which case permissions will be evaluated based on the groups users belong to.

Configure Default Permissions

Migrating Users

On the App Settings page, Application Admins can migrate user accounts from one identity manager to another.

Migrate Users

Once this setting is enabled, Immuta checks user IDs when users log in against the IAM they are migrating from, so the user IDs for these accounts must match. (For example, if their userID in Immuta's built-in IAM is consumer@example.com, their user ID in the new IAM should be consumer@example.com.) Then, users' profiles will be moved to the new IAM, including their subscriptions, permissions, and pending requests.

If a user does not have an exact user ID match, a User Admin can manually migrate their account.

Migrate Users 2

SCIM Support

Immuta's Best Practices: Sync Attributes and Groups

When enabling SCIM, it is best to enable sync attributes and groups. If this is not done, the IAM performing provisioning will likely continue to try to perform updates that are otherwise blocked.

When configuring a SAML or OpenID IAM, Application Admins can enable SCIM support, which allows these IAMs to automatically create new users in Immuta and keep existing users up-to-date.

Once enabled, the majority of the profile schema fields will be hidden and automatically synced from the SCIM response. The API key will be displayed to be used to configure provisioning in the external IAM. After the configuration is saved, it will be hashed. A new key can be regenerated here if the old key is ever lost.

Enable SCIM Support

SCIM and Azure

  • Different clients can behave differently with SCIM. For example, in some instances, updates in Azure are instantly pushed to Immuta. In others, however, pushes update on a schedule (roughly every 40 minutes), and there is more than one sync event (i.e., users may be updated in the first event and user memberships in another).

  • Administrators will have to disable relevant users in Immuta if they are removed from the Azure IAM, since Azure does not send Immuta these updates.

Attribute Mapping

Attribute mapping for SCIM is slightly different compared to the normal attribute mapping for IAMs. For SCIM mapping, the desired attribute prefix should be mapped to the relevant schema URN:

SCIM Attribute Mapping

In Immuta this attribute would translate from SCIM Schema Attribute: “urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:Test” into Immuta Attribute: “scimuser.Test”

LDAP Sync

LDAP Sync takes an existing and configured LDAP IAM and seeds Immuta with all of its users, subject to the intersection of the IAM's user search filter and the plugin's user search filter. When configuring an LDAP/Active Directory IAM , Application Admins can enable scheduled LDAP Sync; this will allow directory users to be registered within Immuta without the users having to log directly into Immuta.

LDAP Sync

Once enabled, LDAP Sync will automatically provision and sync users from LDAP on an approved schedule. The default is every hour, but can be adjusted to an organization's needs.

Application Admins can also enable pagination for LDAP Sync, which will be a predetermined page size when searching LDAP during this scheduled sync.

For more information see the LDAP Sync page in the Appendix.

Profile Schema

Each identity manager configured has a mapping of attributes from the source system into attributes on the user profile in Immuta.

Example Profile Schema

This example is the profile schema mapping for an LDAP/Active Directory IAM.

Profile schema attributes provide general purpose user information and cannot be used as entitlements for policies.

Group Schema

Identity managers that support group synchronization will have a group schema configuration option. This defines how group attributes are mapped in Immuta.

Example Group Schema

This example is the group schema mapping for an LDAP/Active Directory IAM.

Group Permissions

When an identity manager is configured to synchronize groups you will have the option to define a mapping of groups to Immuta permissions. Users who belong to one of the given groups will be granted the listed permissions automatically.

Group Permission mapping

External Groups and Attributes Endpoint

If desired, an IAM system can be used for authentication and combined with an external REST endpoint to retrieve user groups and attributes. This option provides flexibility in exactly how groups and attributes are associated with users in Immuta.

External User Info Endpoint