Syncing your IdP groups to Axiom

Learn how to auto-enroll users, and create scopes based on groups.

Updated over 4 months ago

Overview

  • The IdP sync feature allows you to define your authoritative identity provider, select which of its groups to keep synced to Axiom, and then use those groups in Scopes.

  • Users who are added to, removed from, or disabled in groups on the IdP side are then automatically assigned to or unassigned from these scopes, among other effects.

NOTE

Axiom currently does not support nested groups.

IdP sync and user enrollment to Axiom

  • Users can be enrolled in Axiom in two ways:

1. Directly, when they first sign into Axiom using SSO.

2. Indirectly, by being members of an IdP group that has been synced to Axiom.

  • Enrolled users are automatically associated with, or disassociated from, the Scopes to which their groups have been added or from which they have been removed (assuming IdP sync is enabled).

  • Enrolled users are also available as the selected Principal for access requests.

  • Users remain enrolled until they are manually removed, regardless of their IdP status.

  • If you want to prevent a user from accessing Axiom, control that through your SSO-IdP configuration. If you want a user to also not be listed in Axiom for others to see, please open a support ticket.

Understanding Scan and Sync

Scan

Scan is the Axiom process of traversing all resources in an integration and creating a map (graph) of these resources and their relationships.

In the context of IdPs, this is what allows Axiom to know all the groups you have and which users are members of each group.

Scans run automatically once every 24 hours, and can also be initiated manually at any time.

Sync

Sync is the process of updating scopes based on the updated group memberships discovered during Scans.

Syncs always run automatically after Scans, and happen only if you have IdP Sync set up.

Changes in the IdP are not immediately applied in Axiom

The scan+sync mechanism takes several minutes or more to complete, and by default runs only once every 24 hours.

This means that changes you make in your IdP are not immediately applied in Axiom. If you want changes you made in your IdP to be updated right away, do a manual Scan and sync.

Understanding IdP sync and scoping

Enrolled users cannot do anything in Axiom unless they have been given a scope (or have been upgraded to Account Admin).

Learn how to add groups to scopes.

How users are associated to scopes

Users are automatically* associated with scopes when:

Axiom side:

  • You add a group of which they are a member to a scope.

  • Users can also be directly assigned to scopes (less recommended than managing access via groups). Users who are directly assigned to scopes are unaffected by group sync settings and IdP changes.

IdP side:

  • You add them as a member to a group that is already assigned to a scope.

  • They are re-enabled in a group that is already assigned to a scope. While they are disabled on the IdP, they are not associated with that scope.

How users are disassociated from scopes

Users are automatically* disassociated from scopes when:

Axiom side:

  • A group they are a member of is removed from a scope (does not affect direct assignments to scopes).

  • The group they are members of is removed from the sync configuration (does not affect direct assignments to scopes).

IdP side:

  • Users are removed from a group that, in Axiom, is associated with the scope.

  • Users, or the group they are members of, are deleted (uncommon, but possible in some IdPs).

  • Users are disabled:

    • Users will be removed from all scopes to which they were associated, both directly and via group membership.

    • If the user is re-enabled and is a member of a group that is associated with a scope, that user will automatically* be assigned to the scope(s). NOTE: the user will not be reassigned to scopes to which they were previously directly associated.

* Automatically = after the next successful Scan, and Sync.
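As an added illustration (not Axiom's own code), the following Python model implements the association and disassociation rules above: only synced groups contribute members, a deleted or unsynced group contributes nothing, a disabled user is dropped from every scope including direct assignments, and re-enabling restores only group-based membership. The data structures and the group, scope and user names are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class IdpSnapshot:
    """What a Scan learns from the IdP (constructed sample, not a real export)."""
    groups: dict[str, set[str]]               # group -> member users
    disabled: set[str] = field(default_factory=set)


@dataclass
class AxiomConfig:
    """Assumed shape of the Axiom-side settings."""
    synced_groups: set[str]                   # groups selected in IdP sync
    scope_groups: dict[str, set[str]]         # scope -> groups added to it
    direct: dict[str, set[str]]               # scope -> directly assigned users


def sync(idp: IdpSnapshot, cfg: AxiomConfig) -> dict[str, set[str]]:
    """Recompute scope membership after a Scan. cfg.direct is mutated on
    purpose: a disabled user loses direct assignments and does not get
    them back on re-enable, matching the NOTE in the rules above."""
    members: dict[str, set[str]] = {}
    for scope in set(cfg.scope_groups) | set(cfg.direct):
        via_groups: set[str] = set()
        for group in cfg.scope_groups.get(scope, set()):
            if group in cfg.synced_groups:          # unsynced group: no effect
                via_groups |= idp.groups.get(group, set())  # deleted group: empty
        cfg.direct[scope] = cfg.direct.get(scope, set()) - idp.disabled
        members[scope] = (via_groups - idp.disabled) | cfg.direct[scope]
    return members


def demo() -> tuple[dict[str, set[str]], dict[str, set[str]], dict[str, set[str]]]:
    """Constructed scenario: bob is disabled, then re-enabled on the IdP."""
    idp = IdpSnapshot(groups={"sec-eng": {"alice", "bob"}, "ops": {"carol"}},
                      disabled={"bob"})
    cfg = AxiomConfig(synced_groups={"sec-eng"},          # "ops" is not synced
                      scope_groups={"prod": {"sec-eng", "ops"}},
                      direct={"prod": {"bob", "dave"}})
    first = sync(idp, cfg)      # bob gone entirely; carol never added (ops unsynced)
    idp.disabled.clear()        # bob re-enabled on the IdP side
    second = sync(idp, cfg)     # bob back via sec-eng only; direct grant stays gone
    return first, second, cfg.direct
```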

Step-by-step guide to configuring IdP sync

  1. Select the IdP you wish to set as your authoritative IdP.

    1. If you have not yet integrated any IdP, do that first.

  2. If you have just completed integrating your IdP, you may need to wait until the first Scan is completed.

  3. Select groups to sync:

    Select the groups you wish to keep synced to Axiom by marking them and pressing the [>] button. You can move groups back and forth; nothing is set until you press the Begin sync button.

  4. To finalize your settings, press the Begin sync button and confirm your selection in the dialog that appears.

NOTE!

Once you confirm your sync settings, the only way to change the selected IdP is through a support ticket, which can take a week or more to process! You can change the synced groups at any time.

Changing your IdP sync settings

To change which groups are synced to Axiom:

  1. Press the edit button on the "Synced groups" card.

  2. Modify the groups you want to keep synced by searching, checking boxes, and using the arrows.

  3. Once you save your changes, a resync will happen, and you will be directed back to the IdP Sync status page.
