Identity Provider
Access Analyzer supports federation with your organization's identity system so that users can sign in with their existing corporate credentials. Authentication is handled by your identity provider; roles and permissions are managed within Access Analyzer.
Setting up an identity provider connection is a two-part process: first you configure the integration in your identity system, then you prepare user accounts inside Access Analyzer.
Before completing the steps below, confirm that the infrastructure and network requirements for your IdP type are in place. See Configure Identity Provider in the Installation section.
Supported integration types
| Type | Description |
|---|---|
| LDAP / Active Directory | Access Analyzer connects directly to your LDAP directory or Active Directory. Users enter their directory credentials on the Access Analyzer login page — no redirect occurs. |
Part 1: Configure your identity provider
For a complete Active Directory walkthrough that pairs this user-configuration guide with the installer-side steps, see the Quick Install.
LDAP / Active Directory
No application registration or callback URL is required for LDAP. Prepare the following before connecting.
Service account:
Create a dedicated, read-only service account in your directory with read access to the user base DN. For Active Directory, the account needs Read permission on the user OU. No write access or special group membership is required.
Network access:
The Access Analyzer cluster must be able to reach your LDAP server on the configured port (389 for LDAP, 636 for LDAPS). Confirm that this traffic is permitted from the Access Analyzer cluster's egress IP range.
Plain LDAP (ldap://) transmits credentials in cleartext. Use ldaps:// (port 636) for production deployments.
Collect the following values:
| Value | Description |
|---|---|
| LDAP server URL | Including protocol and port — for example, ldaps://corp.example.com:636 |
| Service account DN | The distinguished name of the read-only service account |
| Service account password | — |
| Users base DN | The path where user accounts are stored — for example, ou=users,dc=example,dc=com |
| Email attribute name | The LDAP attribute that holds the user's email address (usually mail) |
| Directory type | Active Directory or generic LDAP |
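A pre-flight check of the values in the table above, written for this page as an added example (it is not Access Analyzer's own code). It parses the server URL, flags a cleartext ldap:// URL, sanity-checks the two DNs, and builds the search filter that a lookup by the email attribute would use, with the value escaped per RFC 4515 so that characters in a sign-in address cannot change the filter's structure. The settings dictionary, its key names, the warning texts and the sample host corp.example.com are all constructed for the example.

```python
"""Pre-flight check of the values collected for an LDAP / Active Directory
connection. Added illustration, not the product's code: the settings keys,
the warning texts and the sample values are constructed for this example;
the filter escaping follows RFC 4515."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_ldap_url(url):
    """Return (scheme, host, port) for an LDAP server URL, applying the
    scheme's default port when the URL gives none."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: expected ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("LDAP server URL has no host")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter so that filter
    metacharacters in the value are treated as literal characters."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(email_attribute, email):
    """Filter that finds the entry whose email attribute equals the address
    the user signed in with (an exact match, as the lookup requires)."""
    return f"({email_attribute}={escape_filter_value(email)})"


def validate_ldap_settings(settings):
    """Check the collected values before entering them in the UI.
    Returns a list of problems; an empty list means the set looks usable."""
    problems = []
    try:
        scheme, _host, port = parse_ldap_url(settings["server_url"])
    except ValueError as exc:
        return [str(exc)]
    if scheme == "ldap":
        problems.append("plain ldap:// sends the service account password and user "
                        "credentials in cleartext; use ldaps://")
    if scheme == "ldaps" and port != 636:
        problems.append(f"ldaps:// on non-standard port {port}: confirm the firewall rule covers it")
    for key in ("service_account_dn", "users_base_dn"):
        if "=" not in settings.get(key, ""):
            problems.append(f"{key} does not look like a distinguished name (expected attr=value pairs)")
    if not settings.get("service_account_password"):
        problems.append("service account password is empty")
    if settings.get("directory_type") not in ("active_directory", "ldap"):
        problems.append("directory_type must be 'active_directory' or 'ldap'")
    return problems


# Constructed sample mirroring the table of values; every entry is a placeholder.
SAMPLE_SETTINGS = {
    "server_url": "ldaps://corp.example.com:636",
    "service_account_dn": "cn=access-analyzer-ro,ou=service-accounts,dc=example,dc=com",
    "service_account_password": "example-only",
    "users_base_dn": "ou=users,dc=example,dc=com",
    "email_attribute": "mail",
    "directory_type": "active_directory",
}

if __name__ == "__main__":
    print(validate_ldap_settings(SAMPLE_SETTINGS))
    print(build_user_filter(SAMPLE_SETTINGS["email_attribute"], "alice@example.com"))
```

Run it against your own values before entering them in the UI; a non-empty list from validate_ldap_settings is something to fix in the directory or firewall first, and the ldap:// warning corresponds to the LDAPS requirement stated above.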
Part 2: Prepare Access Analyzer
Sign in as the bootstrap User Admin
The installer seeds a bootstrap account, admin@dspm.local, with the User Admin role. This account can create and manage other users but cannot access system configuration. Use it on first login to pre-provision your users, then sign out and sign back in as an Administrator for system-level work.
1. Retrieve the bootstrap admin password from the Kubernetes secret:
   sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin -o jsonpath='{.data.password}' | base64 -d; echo
2. Open a browser and navigate to https://<your-hostname>.
3. Sign in with:
   - Username: admin@dspm.local
   - Password: (from step 1)
4. Complete first-login setup:
   - Scan the QR code with an authenticator app, enter a device name, submit the one-time code. Save this enrollment — you will need the same authenticator for any future bootstrap admin login.
   - Enter a first name and last name. Do not change the email address.
Proceed to Pre-provision user accounts below.
Pre-provision user accounts
Before a user can sign in through the identity provider, their account must exist in Access Analyzer. The application authenticates them against your IdP successfully but denies access if no matching account has been created.
The email address entered during pre-provisioning must exactly match the address sent by the IdP or stored in the LDAP mail attribute, including case. A mismatch causes sign-in to fail.
- Navigate to Configuration > Users.
- Click Add User.
- Enter the user's Name and Email address.
- Select a Role: Administrator, User Admin, or Viewer (see Roles below).
- Click Create User.
Assign at least one user the Administrator role — the bootstrap admin@dspm.local account is a User Admin only and cannot access system configuration. Assign at least one additional user the User Admin role if you want a non-bootstrap user to manage accounts going forward.
No password is required for pre-provisioned accounts. For details on managing users, see Users.
Roles
Access Analyzer has three roles. The bootstrap admin@dspm.local account is seeded as User Admin, so it can pre-provision the rest of your users, including your first Administrator.
| Role | Description |
|---|---|
| Administrator | Full access: system configuration (sources, scans, connectors, application settings) and user management (create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users). |
| User Admin | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does not have system configuration rights. The bootstrap admin@dspm.local account is assigned this role. |
| Viewer | Read-only access to data and reports. No configuration or user management rights. |
How sign-in works after IdP is configured
When identity provider integration is active, the Access Analyzer login page presents a credential form that validates against your directory.
On first sign-in, Access Analyzer matches the email address from the IdP token or LDAP directory to the pre-provisioned account and permanently links the IdP identity to that account. On all subsequent sign-ins, the user's unique IdP identifier is used directly.
Sessions are valid for up to 8 hours from sign-in and expire after 4 hours of inactivity.
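The account-matching and session rules from the two sections above (pre-provisioning, exact case-sensitive email match on first sign-in, permanent linking to the IdP identifier, and the 8-hour / 4-hour session limits) as a small model, added here as an example; it is not Access Analyzer's code. The Account, IdpIdentity, Directory and Session classes, the sample accounts and the IdP subject values are constructed for the illustration, and one rule is an assumption: once an account is linked, it is not matched by email again.

```python
"""Model of the sign-in rules described on this page. Added illustration,
not the product's code; class names, sample accounts and identities are
constructed for the example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_SESSION = timedelta(hours=8)    # absolute limit, counted from sign-in
IDLE_TIMEOUT = timedelta(hours=4)   # expires after this much inactivity


@dataclass
class Account:
    email: str                         # as entered when pre-provisioning
    role: str                          # Administrator, User Admin or Viewer
    idp_subject: Optional[str] = None  # set on first sign-in, never changed after


@dataclass
class IdpIdentity:
    subject: str   # the IdP's unique, stable identifier for the user
    email: str     # token email or LDAP mail attribute, exactly as the IdP sends it


class Directory:
    def __init__(self, accounts):
        self.accounts = list(accounts)

    def sign_in(self, identity):
        """Return the account to use, or None when sign-in must be denied.
        The IdP has already authenticated the user; this is only the
        account-matching step."""
        # Subsequent sign-ins: the stored IdP identifier is used directly
        for acct in self.accounts:
            if acct.idp_subject == identity.subject:
                return acct
        # First sign-in: exact, case-sensitive email match against an
        # unlinked pre-provisioned account (assumed: linked accounts are
        # not matched by email again)
        for acct in self.accounts:
            if acct.idp_subject is None and acct.email == identity.email:
                acct.idp_subject = identity.subject   # permanent link
                return acct
        return None   # authenticated by the IdP, but no matching account


@dataclass
class Session:
    started: datetime
    last_activity: datetime

    def touch(self, now):
        """Record activity; does not extend the absolute limit."""
        self.last_activity = now

    def is_valid(self, now):
        return (now - self.started <= MAX_SESSION
                and now - self.last_activity <= IDLE_TIMEOUT)


if __name__ == "__main__":
    d = Directory([Account("alice@example.com", "Administrator")])
    print(d.sign_in(IdpIdentity("sub-1", "Alice@example.com")))  # None: case mismatch
    print(d.sign_in(IdpIdentity("sub-1", "alice@example.com")))  # linked account
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    print(Session(t0, t0).is_valid(t0 + timedelta(hours=4, minutes=1)))  # False: idle
```

The case-mismatch denial is the failure mode the constraints table warns about: the IdP authenticates the user successfully, and the denial happens only at the matching step, so the fix is in the pre-provisioned address, not in the IdP.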
Constraints
| Item | Detail |
|---|---|
| Pre-provisioning required | Users must have an account in Access Analyzer before their first sign-in. |
| Email must match exactly | The email entered during pre-provisioning must match what the IdP or LDAP directory sends, including case. |
| Roles managed in Access Analyzer | Roles and permissions are set in Access Analyzer, not in your IdP or directory. |
| Local accounts coexist | The administrator account created at deployment remains a local account and continues to sign in with a password. |
| Password reset unavailable for federated accounts | The Reset Password action in the Users page is available for local accounts only. Federated users manage their credentials through your IdP. |
| Name and email locked after first sign-in | Once a user has signed in at least once, their name and email are set from the IdP token and can't be changed in the Access Analyzer UI. Update them in your IdP instead. |