In Aqua CSPM environments where the SSO authentication method is enabled, it is not possible to authenticate with a username and password, or through the SAML method, to obtain the Bearer Token that is needed to authenticate against the Aqua CSP API (Workload Protection). This article explains the limitation and describes a workaround that makes authentication possible, so that a Bearer Token can be generated and used for API calls.

CSPM API Limitations:

At present, API authentication is not supported for users who authenticate exclusively through SSO. The authentication method described in this article requires the user to authenticate to Aqua CSPM with a username and password, without disabling the SSO authentication method for the account.

Important: This change cannot be made by the user. The customer must open a ticket directly with Aqua support so that the option can be modified according to the customer's request.

To make this authentication possible, the "SAML Enforced" option must be disabled under Main menu > Account Management > Single Sign On. Aqua CSPM will then accept both username and password authentication and the SSO authentication method.

However, in some cases the customer may not want to expose all users to username and password authentication. In that case, the customer can select an existing user, or create a dedicated user used only for API interaction, and then request that Aqua support disable the "SAML Enforced" option for that user alone, so that the rest of the account is not affected.