Good Day All,
I implemented SSO in IDR and I am wondering if there is a way to make SSO the only way to sign into the platform, without having to use the method of email/password + MFA.

Hey Kadeem,

There is a bit about this in our documentation, you can find it here: https://docs.rapid7.com/insight/single-sign-on#users-local-to-the-insight-platform

In short, before setting up SSO, it’s recommended you clear out their “local” accounts so that SSO login can be enforced. It’s OK if you have already set it up; you can still remove the local users via User Management. Once they log in via your IDP, new accounts will be provisioned for them, which they can only access via SSO.

We do recommend keeping at least one “local” platform administrator account, so that if there are issues with your IDP you can still log in directly to this account to make any necessary changes.


Hey Tony,
Thanks for the response, so I would remove them and edit the default access profile to be created when they use the IDP?

Correct, the default access profile is a template for product assignment and permissions. Typically this would be set at the lowest level (read only) and with the most-used product (let’s say IDR). Then, if someone requires higher permissions or access to a different product, an administrator can go to User Management and update this accordingly.

Okay, awesome, thanks much Tony!

