Identity providers
Introduction
BlastShield™ is SCIM 2.0 enabled and supports integration with identity providers such as Okta, Azure AD and One Identity. SCIM support allows user accounts to be created automatically in BlastShield™ when new user accounts are assigned to the SCIM application in the IdP. User account status and user information are then kept up to date in BlastShield™ automatically, based on changes made in the IdP. BlastShield™ uses OpenID Connect to authenticate the user through the IdP's SSO when the user registers with the Orchestrator. Once registered, users authenticate via MFA with the BlastShield™ Mobile Authenticator app and the BlastShield™ Desktop Client.

Simplify the control of user identity and facilitate bulk onboarding and management of users
BlastShield's identity provider integration provides you with a single source of user identity which is derived directly from the user directory of the identity provider. There is no user maintenance required on the BlastShield™ side, since all user changes are made in the identity provider itself, except for the occasional authentication reset if a user changes their mobile device.
Integration with an identity provider allows bulk onboarding of users from the identity provider without manual provisioning of new users in the Orchestrator, which greatly reduces the effort involved in onboarding new users. User groups created in the identity provider are simply synchronised with BlastShield™ and provisioned directly into the BlastShield™ Orchestrator using the SCIM interface.
User registration process
Once BlastShield is integrated with an identity provider (IdP), the BlastShield™ user registration process is managed through the IdP itself. This is described below.

1. The user account is created in the IdP.
2. The IdP updates the BlastShield™ Orchestrator with the user and group information via the SCIM API.
3. The new user logs into the BlastShield™ web portal with the IdP SSO credentials.
4. The new user scans the displayed QR code and registers with the Orchestrator.

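The following is an added illustrative model of the SCIM 2.0 service-provider side that step 2 relies on, written for this page and not BlastShield's own code: it applies an IdP's POST /Users and PATCH /Users/{id} messages to an in-memory account store and shows that an account unassigned in the IdP (active set to false) is refused access. The payload shapes, the user and group names, and the `ScimStore` class are assumptions constructed for the example.

```python
import json
import uuid
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
def _as_bool(value):
    # IdPs differ: Okta sends JSON booleans, Azure AD may send the strings "True"/"False".
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

class ScimStore:
    """In-memory stand-in for the service-provider side of a SCIM 2.0 integration (assumed)."""
    def __init__(self):
        self.users = {}  # SCIM id -> stored user

    def create_user(self, body):  # POST /Users
        res = json.loads(body)
        if USER_SCHEMA not in res.get("schemas", []) or not res.get("userName"):
            raise ValueError("invalid SCIM User resource")
        if any(u["userName"].lower() == res["userName"].lower() for u in self.users.values()):
            raise ValueError("userName already exists")  # a real endpoint answers 409
        user = {"id": str(uuid.uuid4()), "userName": res["userName"],
                "active": _as_bool(res.get("active", True)),
                "groups": [g["value"] for g in res.get("groups", [])]}
        self.users[user["id"]] = user
        return user

    def patch_user(self, uid, body):  # PATCH /Users/{id}
        req = json.loads(body)
        if PATCH_SCHEMA not in req.get("schemas", []):
            raise ValueError("invalid SCIM PatchOp")
        user = self.users[uid]  # KeyError stands in for a 404
        for op in req["Operations"]:
            if op.get("op", "").lower() != "replace":
                raise ValueError("unsupported op: %r" % op.get("op"))
            if op.get("path") == "active":
                user["active"] = _as_bool(op["value"])
            elif "path" not in op and "active" in op["value"]:
                # Path-less form: value is a partial resource such as {"active": "False"}
                user["active"] = _as_bool(op["value"]["active"])
        return user

    def may_authenticate(self, user_name):
        """Access decision: unknown or deprovisioned (active=false) users are refused."""
        u = next((u for u in self.users.values() if u["userName"] == user_name), None)
        return u is not None and u["active"]
# Constructed sample payloads in the shape an IdP sends them (not captured traffic).
SAMPLE_CREATE = json.dumps({"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                            "active": True, "groups": [{"value": "ot-operators"}]})
SAMPLE_DEACTIVATE = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": "active", "value": "False"}]})
```

Replace operations with other paths are ignored here; a real service provider would validate and apply each attribute path.
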
Tip
Once the user has registered, that user will be able to log into BlastShield™ using only the BlastShield™ MFA. Logging in to the BlastShield™ web portal is only required if the user needs to reset their registration in the case of a lost or changed mobile device.
The following section contains information on integrating BlastShield™ with an Identity provider.