Aqua SAML supports several advanced features to ease user management. Continue reading to understand the advanced SSO features supported by Aqua.
Just-in-Time (JIT) provisioning
By default, new users must be invited to Aqua (and click the invite link) before a user account is created in your Aqua account. With JIT enabled, however, new user accounts are provisioned on demand when a user signs in via the SAML provider.
To enable JIT user provisioning, please contact support.
Notes about JIT provisioning:
- Any user who can use your SAML application can also log in to Aqua. Be sure that you trust the users of your SAML application before enabling this feature.
- New user accounts will be placed into the "Default" Aqua group as a standard user. An account administrator can then move them to new groups and assign additional permissions.
- Users can still be invited from the "Users & Groups" page when JIT is enabled.
Email domains for JIT provisioning
When JIT provisioning is enabled, Aqua verifies new users against up to two trusted email domains. Provide these domains to support, who will associate them with your account.
Enforce SAML sign in
If requested, support can enable the "enforce SAML" option, which requires all users in your account to sign in via SAML (their usernames and passwords will no longer be accepted). Enable this option only once you have confirmed that SAML is functioning properly in your account.
If requested, support can mark one of your users as a "break glass" user, allowing them to sign in to the portal with a username and password and bypass the SAML requirement. If you wish to enable this feature, set up a user account for this purpose and then open a support ticket.
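The following is an added reference model of the sign-in decisions described under JIT provisioning and enforce SAML above; it is not Aqua's own code, and the `Account` structure and function names are assumptions made for illustration. It makes the edge cases explicit: an email outside the trusted domains is refused even with JIT on, provisioned users land in the "Default" group as standard users, and only the break-glass user keeps password sign-in once SAML is enforced.

```python
# Reference model (assumption, not Aqua's implementation) of the sign-in
# policy this page describes: JIT provisioning gated by trusted email
# domains, and "enforce SAML" with a single break-glass exception.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    jit_enabled: bool = False
    trusted_domains: Tuple[str, ...] = ()      # the page allows at most two
    enforce_saml: bool = False
    break_glass_user: Optional[str] = None     # must be an existing user
    users: Dict[str, dict] = field(default_factory=dict)  # email -> {"group", "role"}

    def __post_init__(self) -> None:
        if len(self.trusted_domains) > 2:
            raise ValueError("JIT provisioning supports at most two trusted domains")
        self.trusted_domains = tuple(d.lower() for d in self.trusted_domains)


def _domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def saml_sign_in(account: Account, email: str) -> str:
    """Outcome of a SAML sign-in for `email` after the IdP has authenticated it."""
    email = email.lower()
    if email in account.users:
        return "signed_in"
    if not account.jit_enabled:
        return "denied_no_account"            # user must be invited first
    if _domain_of(email) not in account.trusted_domains:
        return "denied_untrusted_domain"      # JIT only trusts the listed domains
    # JIT: create the account in the "Default" group as a standard user
    account.users[email] = {"group": "Default", "role": "standard"}
    return "provisioned_and_signed_in"


def password_sign_in(account: Account, email: str, password_ok: bool) -> str:
    """Outcome of a username/password sign-in when "enforce SAML" may be on."""
    email = email.lower()
    if email not in account.users:
        return "denied_no_account"
    if account.enforce_saml and email != account.break_glass_user:
        return "denied_use_saml"              # passwords are no longer accepted
    return "signed_in" if password_ok else "denied_bad_password"
```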