Identity Provider
Access Analyzer supports federation with your organization's identity system so that users can sign in with their existing corporate credentials. Your identity provider handles authentication; you manage roles and permissions within Access Analyzer.
Setting up an identity provider connection is a two-part process: first you configure the integration in your identity system, then you prepare user accounts inside Access Analyzer.
Before continuing, confirm that the infrastructure and network requirements for your IdP type are in place. See Network and Port Requirements and TLS Certificate Requirements.
Supported integration types
| Type | Description |
|---|---|
| LDAP / Active Directory | Access Analyzer connects directly to your LDAP directory or Active Directory. Users enter their directory credentials on the Access Analyzer login page — no redirect occurs. |
Part 1: Configure your identity provider
For a complete Active Directory walkthrough that pairs this user-configuration guide with the installer-side steps, see the Quick Install.
LDAP / Active Directory
No application registration or callback URL is required for LDAP. Prepare the following before connecting.
Service account:
Create a dedicated, read-only service account in your directory with read access to the user base DN. For Active Directory, the account needs Read permission on the user OU. The account doesn't need write access or special group membership.
Network access:
The Access Analyzer cluster must be able to reach your LDAP server on the configured port (389 for LDAP, 636 for LDAPS). Confirm that this traffic is permitted from the Access Analyzer cluster's egress IP range.
Plain LDAP (ldap://) transmits credentials in cleartext. Use ldaps:// (port 636) for production deployments.
Collect the following values:
| Value | Description |
|---|---|
| LDAP server URL | Including protocol and port — for example, ldaps://corp.example.com:636 |
| Service account DN | The distinguished name of the read-only service account |
| Service account password | — |
| Users base DN | The path where user accounts are stored — for example, ou=users,dc=example,dc=com |
| Email attribute name | The LDAP attribute that holds the user's email address (usually mail) |
| Directory type | Active Directory or generic LDAP |
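The following is an added pre-flight check, not part of Access Analyzer or its installer, that validates the collected values offline before you enter them: it flags a plain ldap:// URL as insecure, checks that both distinguished names parse, and rejects empty or malformed fields. The host names, DNs and the `check_ldap_config` / `parse_dn` helper names are assumptions chosen for the example; the two configuration dictionaries are constructed samples showing the weak setting beside the corrected one.

```python
"""Offline pre-flight check for the LDAP / Active Directory values collected above.

Added example, not Access Analyzer code. No directory connection is made; the
goal is to catch a cleartext ldap:// URL or a malformed DN before it reaches the
application. Sample host names and DNs below are constructed.
"""
import re
from urllib.parse import urlparse

# One RDN: attribute type '=' value; the value may contain escaped commas (\,)
_RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$')


def parse_dn(dn: str) -> list:
    """Split a distinguished name into (type, value) pairs; raise on malformed input."""
    parts = re.split(r'(?<!\\),', dn)  # split only on unescaped commas
    rdns = []
    for part in parts:
        part = part.strip()
        if not _RDN_RE.match(part):
            raise ValueError(f"malformed RDN {part!r} in DN {dn!r}")
        attr, value = part.split('=', 1)
        rdns.append((attr.lower(), value.replace('\\,', ',')))
    return rdns


def check_ldap_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means every value passed."""
    findings = []
    url = urlparse(cfg["server_url"])
    if url.scheme == "ldap":
        findings.append("INSECURE: ldap:// sends the service-account password "
                        "and user credentials in cleartext; use ldaps://")
    elif url.scheme != "ldaps":
        findings.append(f"ERROR: unsupported scheme {url.scheme!r}; expected ldaps://")
    if not url.hostname:
        findings.append("ERROR: server URL has no host name")
    port = url.port or (636 if url.scheme == "ldaps" else 389)
    if url.scheme == "ldaps" and port != 636:
        findings.append(f"WARN: ldaps on non-standard port {port}; "
                        "confirm egress rules from the cluster allow it")
    for key in ("service_account_dn", "users_base_dn"):
        try:
            parse_dn(cfg[key])
        except ValueError as exc:
            findings.append(f"ERROR: {key}: {exc}")
    if not cfg.get("service_account_password"):
        findings.append("ERROR: service account password is empty")
    if not re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', cfg.get("email_attribute", "")):
        findings.append("ERROR: email attribute name is not a valid LDAP attribute type")
    if cfg.get("directory_type") not in ("active_directory", "ldap"):
        findings.append("ERROR: directory type must be active_directory or ldap")
    return findings


# Constructed sample: the weak (cleartext) setting ...
WEAK_CONFIG = {
    "server_url": "ldap://corp.example.com:389",
    "service_account_dn": "cn=svc-access-analyzer,ou=service-accounts,dc=example,dc=com",
    "service_account_password": "example-only",
    "users_base_dn": "ou=users,dc=example,dc=com",
    "email_attribute": "mail",
    "directory_type": "active_directory",
}

# ... and the corrected one, differing only in the URL
CORRECTED_CONFIG = dict(WEAK_CONFIG, server_url="ldaps://corp.example.com:636")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label, check_ldap_config(cfg) or "OK")
```

Running the script prints the INSECURE finding for the weak configuration and OK for the corrected one; wire it into whatever change process produces the values, since a typo in the users base DN otherwise only surfaces as a failed sign-in later.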
Part 2: Prepare Access Analyzer
First sign-in
The installer provisions the first administrator account automatically during setup — the person whose email you entered at the First Admin Email prompt can sign in immediately using their Active Directory password.
Navigate to https://<your-hostname> and sign in with the first admin's AD credentials. From here, add additional users under Configuration > Users.
Breakglass account
The installer also creates a bootstrap account, admin@dspm.local, as a recovery mechanism. If the first admin account becomes inaccessible, retrieve the bootstrap password to regain access:
```bash
sudo kubectl get secret -n access-analyzer dspm-bootstrap-admin \
  -o jsonpath='{.data.password}' | base64 -d; echo
```
Don't change the bootstrap account email address — doing so causes authentication failures.
Pre-provision user accounts
Before a user can sign in through the identity provider, their account must exist in Access Analyzer. Authentication at the IdP succeeds, but Access Analyzer denies access if no matching account exists.
The email address entered during pre-provisioning must exactly match the address sent by the IdP or stored in the LDAP mail attribute, including case. A mismatch causes sign-in to fail.
- Navigate to Configuration > Users.
- Click Add User.
- Enter the user's Name and Email address.
- Select a Role: Administrator, User Admin, or Viewer (see Roles).
- Click Create User.
No password is required for pre-provisioned accounts. For details on managing users, see Users.
Roles
Access Analyzer has three roles. The installer seeds the bootstrap admin@dspm.local account as User Admin, so it can pre-provision the rest of your users, including your first Administrator.
| Role | Description |
|---|---|
| Administrator | Full access: system configuration (sources, scans, connectors, application settings) and user management (create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users). |
| User Admin | User and role management rights only: create, edit, activate, deactivate, and delete users; assign roles; pre-provision federated users. Does not have system configuration rights. Access Analyzer assigns this role to the bootstrap admin@dspm.local account. |
| Viewer | Read-only access to data and reports. No configuration or user management rights. |
How sign-in works after IdP is configured
When identity provider integration is active, the Access Analyzer login page presents a credential form that validates against your directory.
On first sign-in, Access Analyzer matches the email address from the IdP token or LDAP directory to the pre-provisioned account and permanently links the IdP identity to that account. On all subsequent sign-ins, Access Analyzer uses the user's unique IdP identifier directly.
Sessions are valid for up to 8 hours from sign-in and expire after 4 hours of inactivity.
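The model below is an added example, not Access Analyzer code, that implements the behaviour this section and the pre-provisioning section describe: a first sign-in links the IdP identity to a pre-provisioned account only on an exact, case-sensitive email match, later sign-ins are resolved by the IdP identifier alone (so a changed directory email no longer matters), an authenticated user with no matching account is denied, and a session is rejected after 8 hours total or 4 hours idle. The class and function names, the `idp_id` field, and the accounts and identifiers are assumptions constructed for the example.

```python
"""Model of account linking and session limits for federated sign-in.

Added example, not Access Analyzer code. Accounts, identifiers and timestamps
below are constructed samples; the names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_SESSION = timedelta(hours=8)   # absolute limit from sign-in
IDLE_TIMEOUT = timedelta(hours=4)  # limit since last activity


@dataclass
class Account:
    name: str
    email: str                     # entered at pre-provisioning; compared case-sensitively
    role: str
    idp_id: Optional[str] = None   # permanently set on first successful sign-in


class AccountStore:
    def __init__(self, accounts):
        self.accounts = list(accounts)

    def sign_in(self, idp_id: str, idp_email: str) -> Optional[Account]:
        """Return the account to grant access to, or None when access is denied.

        idp_id / idp_email stand for the unique identifier and mail attribute
        the directory returns for the authenticated user.
        """
        # Subsequent sign-ins: the stored IdP identifier is authoritative
        for acct in self.accounts:
            if acct.idp_id is not None and acct.idp_id == idp_id:
                return acct
        # First sign-in: exact, case-sensitive match against an unlinked account
        for acct in self.accounts:
            if acct.idp_id is None and acct.email == idp_email:
                acct.idp_id = idp_id
                return acct
        return None  # authenticated at the IdP, but no pre-provisioned account


@dataclass
class Session:
    started: datetime
    last_activity: datetime


def session_is_valid(session: Session, now: datetime) -> bool:
    """A session is live only while both the absolute and idle limits hold."""
    return (now - session.started <= MAX_SESSION
            and now - session.last_activity <= IDLE_TIMEOUT)


def make_store() -> AccountStore:
    """Constructed sample: two pre-provisioned accounts, one with mixed-case email."""
    return AccountStore([
        Account("Alice Example", "alice@example.com", "Administrator"),
        Account("Bob Example", "Bob@example.com", "Viewer"),
    ])


if __name__ == "__main__":
    store = make_store()
    print(store.sign_in("guid-alice", "alice@example.com"))   # linked and granted
    print(store.sign_in("guid-bob", "bob@example.com"))       # None: case mismatch
    print(store.sign_in("guid-alice", "alice.new@example.com"))  # granted via idp_id
    now = datetime(2024, 1, 1, 12, 0)
    print(session_is_valid(Session(now - timedelta(hours=9),
                                   now - timedelta(minutes=30)), now))  # False
```

The second call shows the failure mode from the Constraints table: the directory entry for Bob is valid and authentication succeeds, but the pre-provisioned email differs in case, so no link is made and access is denied. The third call shows why the email is locked after the first sign-in: once `idp_id` is set, the directory email is never consulted again.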
Constraints
| Item | Detail |
|---|---|
| Pre-provisioning required | Users must have an account in Access Analyzer before their first sign-in. |
| Email must match exactly | The email entered during pre-provisioning must match what the IdP or LDAP directory sends, including case. |
| Roles managed in Access Analyzer | You set roles and permissions in Access Analyzer, not in your IdP or directory. |
| Local accounts coexist | The administrator account created at deployment remains a local account and continues to sign in with a password. |
| Password reset unavailable for federated accounts | The Reset Password action in the Users page is available for local accounts only. Federated users manage their credentials through your IdP. |
| Name and email locked after first sign-in | Once a user has signed in at least once, their name and email come from the IdP token; you can't change them in the Access Analyzer UI. Update them in your IdP instead. |