Turbot and Directories

Turbot supports the use of any SSO application to manage authentication into the environment. This includes options such as Azure AD as well as Okta.

LDAP and LDAPS group sync is also supported. However, LDAP and LDAPS directories CANNOT be used to authenticate into the Turbot application - it is used to pull groups from an on premise or cloud Active Directory and pair them with SAML profiles. This allows simple, widespread management of Turbot permissions across a large number of users.

Local Directories

Google Directories

SAML Providers

LDAP/ LDAPS Synchronization

Sync Active Directory Groups to SAML Created Profiles

Turbot uses the concept of a Profile ID Template to map user attributes to a common, Turbot profile.

Both the Active Directory and SAML Directory directories have an an attribute called Profile ID Template - an attribute pulled directly from the response received by Turbot when a user authenticates.

To sync groups across directories, simply define the Profile ID Template in both the LDAP/LDAPS directory as well as the desired authentication directory. While this particular section is focused on SAML and AD sync, note that any directory type can have groups mapped - simply match Profile ID Templates!

To enable LDAP Sync, it is also necessary to set the policy Turbot > IAM > Profile > LDAP Synchronization. A simple solution is to set the policy at the root Turbot level to Enforce: Active. This policy can be set at the individual profile level, allowing group syncing for some users, but not others.

However, best practice recommendation is to use the setting Enforce: Delete inactive with 30 days warning. When a user is disabled in Active Directory, the user is also disabled in Turbot. However, the 30 day grace period allows for administrators to reactivate profiles without having to re-create if issues arise, such as incomplete or incorrect user name changes.