Aqua SAML supports several advanced features to make user management more convenient.

Just-in-time (JIT) user provisioning

By default, new users must be invited to Aqua (and click the invite link) to create a user account in your Aqua account. However, with JIT enabled, new user accounts can be provisioned on-demand when a user signs in via the SAML provider.

Notes about JIT user provisioning:

  • Any user who can use your SAML application can also log into Aqua. Be sure that you trust users of your SAML application prior to enabling this feature.
  • New user accounts will be placed into the "Default" Aqua group as a standard user. An account administrator can then move them to new groups and assign additional permissions.
  • Users can still be invited from the Users and Groups pages when JIT is enabled.

To enable JIT user provisioning, please contact Aqua Support. Aqua uses up to two trusted domains to verify users. You can provide these domains to Aqua Support, who will connect them to your account.

Enforce SAML sign-in

If requested, Aqua Support can enable the "enforce SAML" option. This option will require all users in your account to sign in via SAML (i.e., their usernames and passwords will no longer be accepted). This option should only be enabled once you have confirmed SAML is functioning properly in your account.

Break-glass user

If requested, Aqua Support can mark one of your users as "break glass" to allow them to bypass the SAML requirements, by signing in to the portal using a username and password. If you wish to enable this feature, please set up a user account for this purpose and then open a support ticket.