Guardrails and Directories
Guardrails supports the use of any SSO application to manage authentication into the environment. This includes options such as Azure AD as well as Okta.
LDAP and LDAPS group sync is also supported. However, LDAP and LDAPS directories CANNOT be used to authenticate into the Guardrails application; they are used to pull groups from an on-premises or cloud Active Directory and pair them with SAML profiles. This allows simple, widespread management of Guardrails permissions across a large number of users.
Local Directories
Google Directories
SAML Providers
LDAP/LDAPS Synchronization
Sync Active Directory Groups to SAML Created Profiles
Guardrails uses the concept of a Profile ID Template to map user attributes to a common Guardrails profile.
Both the Active Directory and SAML directories have an attribute called Profile ID Template, an attribute pulled directly from the response received by Guardrails when a user authenticates.
To sync groups across directories, simply define the Profile ID Template in both the LDAP/LDAPS directory and the desired authentication directory. While this particular section is focused on SAML and AD sync, note that any directory type can have groups mapped - simply match Profile ID Templates!
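A conceptual model of the matching described above, as an added example rather than Guardrails code: the `{attr}` placeholder syntax, the function names and the sample users are assumptions for illustration, not Guardrails template syntax. It shows that LDAP groups pair with a SAML profile only when both templates resolve to the same profile ID for that user.

```python
# Conceptual model only. The "{attr}" placeholder syntax, function names and
# sample users are assumptions for illustration, not Guardrails template syntax.

def render_profile_id(template, attrs):
    """Fill a profile ID template from one directory's user attributes."""
    return template.format(**attrs)

def pair_groups(ldap_template, ldap_users, saml_template, saml_users):
    """Pair LDAP group memberships with SAML profiles by rendered profile ID.

    Returns (paired, unmatched_saml, unmatched_ldap).
    """
    ldap_by_id = {
        render_profile_id(ldap_template, u): u["memberOf"] for u in ldap_users
    }
    paired, unmatched_saml = {}, []
    for user in saml_users:
        pid = render_profile_id(saml_template, user)
        if pid in ldap_by_id:
            paired[pid] = ldap_by_id.pop(pid)   # groups attach to this profile
        else:
            unmatched_saml.append(pid)          # profile exists, no groups synced
    return paired, unmatched_saml, sorted(ldap_by_id)

# Constructed sample records (not real directory data).
LDAP_USERS = [
    {"mail": "ana@example.com", "sAMAccountName": "ana", "memberOf": ["cloud-admins"]},
    {"mail": "raj@example.com", "sAMAccountName": "raj", "memberOf": ["auditors"]},
]
SAML_USERS = [
    {"nameID": "ana@example.com"},
    {"nameID": "raj@example.com"},
]

def demo():
    """Compare templates that resolve to the same ID with ones that do not."""
    matching = pair_groups("{mail}", LDAP_USERS, "{nameID}", SAML_USERS)
    mismatched = pair_groups("{sAMAccountName}", LDAP_USERS, "{nameID}", SAML_USERS)
    return matching, mismatched

if __name__ == "__main__":
    for label, result in zip(("matching", "mismatched"), demo()):
        print(label, result)
```

In the mismatched case every user still authenticates through SAML, but no groups are attached, which is the failure to look for when permissions are unexpectedly missing after a sync.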
To enable LDAP Sync, it is also necessary to set the policy Turbot > IAM > Profile > LDAP Synchronization. A simple solution is to set the policy at the root Turbot level to Enforce: Active. This policy can be set at the individual profile level, allowing group syncing for some users, but not others.
However, the best-practice recommendation is to use the setting Enforce: Delete inactive with 30 days warning. When a user is disabled in Active Directory, the user is also disabled in Guardrails. However, the 30 day grace period allows administrators to reactivate profiles without having to re-create them if issues arise, such as incomplete or incorrect user name changes.