Get started with Imply Hybrid Auth
To enable Imply Hybrid Auth (formerly Imply Cloud Auth) for your organization, contact your Imply account representative. After you onboard to Imply Hybrid Auth, make sure to migrate over any users, user credentials, and custom roles you have created.
Imply Hybrid Auth is the user authentication and authorization service for Imply Hybrid. It offers a single, centralized user management interface for administering access to Imply Manager, Pivot, and SaaS Clarity, across all of your Imply Hybrid environments.
With Imply Hybrid Auth enabled, you can define password policies, configure multi-factor authentication, and use OAuth 2.0 for API authentication. For additional account security, you can use Imply Hybrid Auth to configure single sign-on (SSO) and provision users with external identity providers.
Key concepts
Before you start using Imply Hybrid Auth, familiarize yourself with the following key concepts:
Organization: An organization is a top-level entity that maps to an Imply customer. It is where you manage and authenticate users, set credentials, and define roles and groups. All organizations are isolated from one another and can only manage and authenticate the users that they control. Your organization is created for you when you first sign up for Imply Hybrid.
Environment: An environment represents a complete Imply deployment to an individual AWS VPC. An organization can have multiple environments. This is useful when you need to maintain separate environments; for example, for production and staging, or to support AWS infrastructure in multiple regions.
Groups: Groups let you assign and manage roles for a set of users collectively, instead of mapping roles to users individually. When you add a member to a group, that member inherits all attributes and role mappings that the group defines.
Role: A role is a permission to perform certain actions in Imply Hybrid. For example, the
administer-data-cubes
role lets you view and manage all data cubes and themonitor-queries
role makes it possible to monitor Pivot's database queries. Roles associate permissions to users or groups within the context of an environment, giving you the flexibility to control user permissions for each deployment. For example, you can give a user admin permissions for a staging environment without granting them admin access to a production environment.The following figure depicts the sample scenario:
Mappers: Mappers associate external identity provider tokens and assertions with Imply user attributes such as roles. You can propagate identity information from external groups to respective internal roles in your Imply Hybrid environment.
Session: A session is created when a user logs into an Imply Hybrid environment. A session contains information such as active users, their IP addresses, and when they last logged in. Both admins and users can view session information.
User management console
The User management console is a web interface for setting up, monitoring, and managing user access settings across an organization in Imply Hybrid. It is where you configure authentication policies, create user groups, and integrate with third-party identity providers.
You can access the console from Imply Manager by clicking the profile menu icon in the top-right corner of the page. Select User management from the list of options.
Imply Hybrid Auth enables you to perform the following tasks from the User management console:
- Configure local users
- Configure multi-factor authentication
- Configure defenses against brute force attacks
- Integrate with external identity providers
- Enforce password policies
- Terminate user sessions
- Set up client API authentication tokens
Many of the configuration settings apply at the organization level, but you can configure user-level settings as well. For any user, you can configure role mappings and groups, manage sessions and multi-factor authentication (via OTP), and request specific actions such as updating a user profile:
Access personal settings
To access your personal settings from the User management console, click the profile icon or your username at the top of the page and select Manage account. Personal settings include personal information, account security, and applications. Applications refer to the different Imply Hybrid environments you have access to.
Authentication capabilities
It is important to understand how Imply Hybrid Auth relates to other user management mechanisms in the Imply technology stack. When running on-premises or in detached Pivot mode, you can provision users for Pivot separately, as described in Access control for Pivot. Similarly, the Druid engine has its own authorization and authentication mechanism, as described in Druid administration topics. Imply Hybrid Auth encompasses both of these methods so that you can control access to Pivot, Druid, and Imply Manager from a single location.
Access SaaS Clarity
With Imply Hybrid Auth enabled, SaaS Clarity negotiates the authentication process using your Imply Hybrid login information. This means that you can access SaaS Clarity from the Imply Manager console without needing to enter another set of credentials. Imply Hybrid Auth validates your session and automatically logs you into an instance of SaaS Clarity. If your session is expired or invalid, you are prompted to authenticate before you can proceed.