Do I have to use LDAP with Isora GRC?
No. If you aren’t using LDAP, then Isora GRC will use its local database (with locally stored password hashes) to authenticate users, and no authorization or existence checks will be performed.
How does Isora GRC typically use LDAP?
If you are using LDAP in your environment, then you should specify information about your LDAP or AD server to Salty Cloud as part of the on-boarding process, so your Isora GRC instance can be configured correctly to work with your server(s). Isora GRC will use a service account to communicate with the LDAP/AD server to perform the following activities:
...
When you configure Isora GRC for LDAP integration, you will provide details about your LDAP/AD server(s), including login information for Isora GRC’s service account(s), the hostname or IP addresses of the LDAP/AD server(s) and ports used, and attribute:value pairs for any attributes that you want to require to authorize users to use Isora GRC.
How does LDAP relate to Single Sign-On (SSO)?
If your instance of Isora GRC is configured to use SSO, then Isora GRC won’t need to talk to the LDAP server to perform authentication. Instead, it will talk to your Identity Provider (IDP). Either way, Isora GRC will still use the LDAP server for authorization and existence checks.
What if I configure Isora GRC to use Single Sign-On (SSO) but not LDAP?
Your Identity Provider (IDP) is probably still using LDAP/AD on the back-end to authenticate your users, but Isora GRC does not need to access the LDAP/AD server directly in order to use SSO. Isora GRC will use SSO to authenticate users, but without having access to the LDAP/AD server, Isora GRC will not perform any authorization or existence checks. What are the impacts?
Skipping “authorization and existence checks”- You won’t be able to limit which users can access Isora GRC based on LDAP attributes (such as group affiliations). Any user that has an account on Isora GRC will be able to log into the tool. As long as you are careful about which users you create accounts for, this shouldn’t be a problem.
Delegation- You will still be able to add new users to Isora GRC through delegation, but without verifying user information or doing typeahead searching. For example, if you want to delegate to “Bob Jenkins,” and his username is bobjenks but you type in “bobjenkins” (because you misremember his username), a new user account on Isora GRC will be created with username “bobjenkins.” But Bob Jenkins won’t be able to log in, because you’re using SSO, and his SSO username is actually “bobjenks.”
Local passwords ignored- If you use SSO to log in, even if the user has a password defined within Isora GRC, that password will be ignored for the purposes of logging in via SSO. The locally defined password does not have to match your SSO password.
I need help integrating my instance of Isora GRC with LDAP and/or SSO- what should I do?
Reach out to support@saltycloud.com and our support team will guide you through the process. This will involve gathering some information from you, sending you some info, and doing some customization on your instance of Isora GRC. For more info, see Customizing Isora GRC Customization .