Aqua SAML supports several advanced features to ease user management.


TABLE OF CONTENTS


Just-in-Time (JIT) Provisioning

By default, new users must be invited to the Aqua (and click the invite link) to create a user account in your Aqua account. However, with JIT enabled, new user accounts can be provisioned on-demand when a user signs in via the SAML provider.


To enable JIT user provisioning, please contact support.


Note about JIT provisioning:

  • Any user who can use your SAML application can also log into Aqua Platform. Be sure that you trust users of your SAML application prior to enabling this feature.
  • New user accounts will be placed into the "Default" Aqua group as a standard user. An account administrator can then move them to new groups and assign additional permissions.
  • Users can still be invited from the "Users & Groups" page when JIT is enabled.


Email Domains for JIT Provisioning

When using JIT provisioning, Aqua uses up to two trusted domains to verify users. You can provide these domains to support who will connect them to your account.


Enforce SAML Sign In

If requested, support can enable the "enforce SAML" option which will require all users in your account to sign in via SAML (i.e. their usernames and passwords will no longer be accepted). This option should only be enabled once you have confirmed SAML is functioning properly in your account.


Break-Glass User

If requested, support can mark one of your users as "break glass" to allow them to sign into the portal using a username and password and bypass the SAML requirements. If you wish to enable this feature, please setup a user account for this purpose and then open a support ticket.