
LeanIX and SSO Setup

Hi,

We initially opened up LeanIX to all the employees within our Organisation to access LeanIX as a default 'VIEWER' user. But now, our management has decided to close the access to all users and restrict it to a certain group of users only.

Is there a way to manage this in LeanIX from an SSO setup point of view?

Is it something LeanIX will provide support for as part of their support to customers?

Thank you.

Regards,

Sonam

4 comments

  • Thomas Schreiner, Aronis

    Hi Sonam,

    We have set up our SSO scenario the same way. We are using Active Directory + SAML, and we created groups for each role (VIEWER, MEMBER, ADMIN). Whenever a user is in this group, we are setting the "role" attribute accordingly via an ADFS Claim Rule.

    On top of that, we have also created separate AD groups for our ACL memberships (virtual workspaces), but I assume this is beyond your scenario.

    A former version of our setup - without the ACL groups - is documented here: https://dev.leanix.net/docs/sso-with-adfs

    Best regards

    Thomas

  • Sonam Tobgay

    Hi Thomas,

    We use Open Source WSO2 Identity Server as our SSO platform and this is connected to MS AD. Currently, SSO on LeanIX is set up with WSO2 IS using SAML2 and does not pass the role in the claim.

    So are you recommending the following:

    Create 3 groups for LeanIX in AD ---> WSO2 IS (pass claims including role value)----> LeanIX.

    Not sure whether LeanIX will have to make some changes within our SaaS instance considering we have not passed role in the SAML2 claim before.

    Thank you.

    Sonam

  • Andreas Bosch, McKesson

    Hi Sonam,

    We configured a full IDP integration where the role is passed from AzureAD to LeanIX and this really works smoothly. We have three AD security groups (Viewer, Member, Admin) and permission requests are following our standard procedures. This means we would delegate access management for Viewer to first level support, Member is done by the EA team (not all in EA have Admin permissions, but are able to approve access requests in AzureAD), etc.

    Regards, Andreas

  • Thomas Schreiner, Aronis

    Hi Sonam,

    Yes, that's how I would do it. I don't think that LeanIX will need to change anything on their side, but I would recommend double-checking with support@leanix.net. They have helped us to set up our own SSO scenario.

    Thomas
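
The group-to-role mapping discussed in this thread, sketched as an added example (not code from any of the posters, LeanIX, ADFS, WSO2 or AzureAD): it resolves a user's AD groups to one "role" value and issues nothing for users outside all three groups, instead of falling back to VIEWER. The group names are constructed, and the attribute name "role" and the values VIEWER/MEMBER/ADMIN are taken from the comments above; check the exact names your IdP and LeanIX expect.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Assumed AD group names (constructed for this example),
# ordered from highest to lowest privilege so the first match wins.
GROUP_TO_ROLE = [
    ("LeanIX-Admins", "ADMIN"),
    ("LeanIX-Members", "MEMBER"),
    ("LeanIX-Viewers", "VIEWER"),
]


def resolve_role(user_groups):
    """Return the single role to assert, or None if the user is in no LeanIX group."""
    # AD group names compare case-insensitively; normalise before matching.
    normalized = {g.strip().lower() for g in user_groups}
    for group, role in GROUP_TO_ROLE:
        if group.lower() in normalized:
            return role
    return None  # deny by default: no implicit VIEWER fallback


def role_attribute_statement(user_groups):
    """Build a SAML AttributeStatement carrying "role", or None to refuse issuance."""
    role = resolve_role(user_groups)
    if role is None:
        return None
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name="role")
    value = ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue")
    value.text = role
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample users and group memberships.
    samples = {
        "alice": ["Domain Users", "LeanIX-Viewers"],
        "bob": ["LeanIX-Viewers", "leanix-admins"],
        "carol": ["Domain Users"],
    }
    for user, groups in samples.items():
        print(user, resolve_role(groups), role_attribute_statement(groups))
```
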
