In Oomnitza, SaaS management integrations tap into the organization's single sign-on (SSO) to access SSO records. When Oomnitza syncs with the SSO management system, it integrates with the SaaS management systems to gain greater insights into user activity.
User management reaps many benefits such as freeing up licenses that are either unused or need to be removed when a user leaves the organization. License management significantly improves security and compliance, and reduces the cost that organizations pay for SaaS systems, which are often licensed based on the number of users who use the SaaS.
- Best Practices: Before you implement
- Best Practices: When you implement
- Best Practices: After you implement
Best practices: Before you implement
Ensure that you complete the following actions:
Enable SSO for the SSO service.
|Action|Description|
|---|---|
|Restrict access to SSO|Prevent users from bypassing SSO when they log in to SaaS systems.|
|Compile contract repository|Compile a list of your organization's SaaS contracts before Oomnitza's SaaS user management is implemented. It will make it easier to manage contracts for the SaaS systems, perform cost modeling for SaaS users, and know which contracts are there, which contracts are missing, and other key information.|
|Request API access|Request API access to the SaaS systems because API permission allocation might take some time depending on the organization. API access is required to manage users, for example, to complete actions such as deleting users from the SaaS system.|
Best practices: When you implement
The following tasks must be completed to implement SaaS user management in Oomnitza:
- Create the SaaS management integration
- Create and upload SaaS contracts
- Remove unnecessary software
- Prioritize SaaS
- Configure workflows for SaaS user management
Reference articles for creating the management integration
- Creating SaaS management integrations
- Creating a SaaS management integration for Azure Active Directory users
- Creating a SaaS management integration for GSuite
- Creating a SaaS management integration for Netskope
- Creating a SaaS management integration for OneLogin users
- Creating a SaaS management integration for Okta
Mitigating the threats posed by shadow IT
Ensure that you add an integration user when you create or edit a SaaS Management Integration. A dedicated integration user makes it easier to track the changes that are made when Oomnitza syncs with a SaaS Management Integration. It also helps you address the challenges posed by shadow IT, such as detecting users who access or use unauthorized software.
If an integration user isn’t specified, the integration user is set to firstname.lastname@example.org.
When you sync with the SaaS management systems and the data for the SaaS system is loaded into Oomnitza, you can create or upload the SaaS contracts. You can create contracts manually or you can upload contracts from a spreadsheet or CSV file.
Uploading as many SaaS contracts as possible enables organizations to benefit from many downstream SaaS features that are provided by Oomnitza.
Reference articles for contracts
An average-sized organization uses 25 to 200 or more SaaS systems.
When the SaaS Management integration is completed, the list of SaaS systems might contain some unfamiliar SaaS systems. It is recommended that you remove the SaaS systems that don't need to be monitored or managed in Oomnitza before you use the more advanced Oomnitza SaaS management features. You can do this by either ignoring or archiving the SaaS systems. The SaaS list is often longer when GSuite is used for SSO because many sites offer SSO with GSuite, whereas other SSO solutions require certificates to be exchanged before granting SSO access.
There is a difference between ignoring and archiving unnecessary SaaS systems. Ignoring the SaaS system will not account for current or new active logins. Archiving will remove the SaaS system. However, if a new SSO record comes in, it will be activated again. A general rule of thumb is:
- Ignore the SaaS system if it is being used by the organization but is free or if it is not important enough to track.
- Archive the SaaS system if it is no longer being used by the organization.
Prioritize the SaaS systems
After ignoring or archiving SaaS systems, it is recommended that you organize the list of actively used SaaS systems and the SaaS users who have logged in to those systems using SSO in the last 6 months.
You can prioritize and identify the top SaaS systems using criteria such as:
- The number of users
- The cost of the SaaS system
- The importance of the SaaS system to your organization
Or, you can use a combination of all the criteria.
This will help you to identify the most important SaaS systems, which in turn will help you configure efficient workflows.
There might be gaps in the system and user data. If this is the case, you can manually add all the active users in an organization to the SaaS system. The SaaS user role workflows can then manage the detection of active users in Oomnitza.
SaaS user records won't be loaded if the following conditions are true:
- The SaaS users have not logged into the SaaS system.
- The SaaS users have not logged into the SaaS system using SSO for six or more months.
- The SaaS users have not logged into the SaaS System using SSO, but have logged in using their local username and password.
- The SaaS systems are not SSO enabled.
The SaaS management integration for Okta has an advanced detection feature. When it is activated, it detects SaaS users who have not logged in or SaaS users who bypass SSO by logging in with their username and password.
Configuring workflows for SaaS User Management
1. Create a user integration
In order to gain a comprehensive view of the data available from SaaS software, you should run a user integration. User integrations allow Oomnitza to fetch a list of all users from your managed SaaS system. By combining this with the list of active users retrieved from your SaaS Integration, you can identify users who have accounts in your SaaS system but who didn't log in using SSO.
When the user integration is created, ensure that you select User plus SaaS User from the User Selection list. This option creates user records on the People tab and the Software > SaaS tab. Once the user information is added to the Software > SaaS tab, you can create SaaS user management workflows.
For information on running integrations and using the User plus SaaS User option, see Working with extended integrations.
For information on running an integration, see Running an extended integration.
You can also refer to the vendor integration articles for the configuration steps that are specific to your integration.
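The comparison described in step 1, together with the six-month SSO window from the list of conditions above, can be sketched as follows. This is an added example, not Oomnitza code: the field names, status labels, sample records, and the 183-day approximation of six months are all assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample data; field names are hypothetical, not Oomnitza's schema.
# Accounts that exist in the SaaS system (what a user integration would fetch).
SAAS_ACCOUNTS = [
    {"email": "ana@example.com", "last_activity": date(2024, 5, 28)},
    {"email": "ben@example.com", "last_activity": date(2024, 5, 30)},
    {"email": "cho@example.com", "last_activity": None},
    {"email": "Dee@Example.com", "last_activity": date(2023, 9, 1)},
]
# Most recent SSO login per user for this SaaS system (from the SSO provider).
SSO_LOGINS = {
    "ana@example.com": date(2024, 5, 27),
    "dee@example.com": date(2023, 9, 1),
}

SSO_WINDOW = timedelta(days=183)  # assumption: approximates six months


def classify(accounts, sso_logins, today):
    """Return {email: status} for every account in the SaaS system."""
    sso = {k.strip().lower(): v for k, v in sso_logins.items()}
    result = {}
    for acct in accounts:
        email = acct["email"].strip().lower()  # directories differ in case
        last_sso = sso.get(email)
        last_seen = acct["last_activity"]
        if last_sso and today - last_sso <= SSO_WINDOW:
            status = "active_via_sso"
        elif last_seen and today - last_seen <= SSO_WINDOW:
            # Recent activity in the app without a recent SSO login:
            # the user signed in with a local username and password.
            status = "sso_bypass"
        elif last_seen is None and last_sso is None:
            status = "never_logged_in"
        else:
            status = "inactive"
        result[email] = status
    return result


def review_list(statuses):
    """Accounts to review for license reclamation or SSO enforcement."""
    return sorted(e for e, s in statuses.items() if s != "active_via_sso")


if __name__ == "__main__":
    for email, status in classify(SAAS_ACCOUNTS, SSO_LOGINS, date(2024, 6, 1)).items():
        print(f"{email:20} {status}")
```

Email addresses are normalized before matching because the SaaS system and the SSO provider may store the same user with different casing, which would otherwise produce false "bypass" or "never logged in" results.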
2. SaaS user management workflows
Before you configure the workflows, it is important to achieve a complete mirror of users across the SaaS systems in Oomnitza so that the users can be properly managed. This will eliminate the need to manage users individually in each SaaS system.
When this is done, Oomnitza can detect users that have been added and deleted in the SaaS system and use workflows to update the SaaS system.
It is best practice to use several workflows to ensure that the SaaS user records in the SaaS systems stay in sync with the SaaS user records in Oomnitza. The following best-practice workflows should be set up for all SaaS systems:
- A workflow that reads SaaS users and retrieves their role and last activity date.
- A workflow that identifies inactive users.
- A workflow that deletes or deactivates the user from the external SaaS system, such as Okta.
- A workflow that deactivates the user in Oomnitza.
Reference articles for creating workflows
Best practices: After you implement
After the initial implementation of Oomnitza's SaaS user management, it is best practice to periodically review the users, contracts, and SaaS systems in Oomnitza. This will ensure that:
- Users were not created manually in Oomnitza.
- Contracts and SaaS systems details such as renewal dates, license costs, and so on are correctly reported in Oomnitza.
Supported extended integrations.
Submit a feature request. Oomnitza is working on expanding the list of SaaS systems that it supports. If a vendor application is not supported, you can request it by contacting Support.