Imply user management with SSO support is an alpha feature for Imply Cloud. See About experimental features for more information about alpha features.
Imply Cloud user management with SSO support lets you integrate Imply Cloud with external identity providers and provides a single, centralized user management interface for administering users across Imply Manager, Pivot, and Clarity.
Previously, Imply Cloud did not support external identity providers, with the exception of Pivot operating in direct access mode.
Imply user management unifies authentication and authorization for Imply Manager, Pivot, and Clarity in Imply Cloud. It integrates with OIDC- and SAML-based identity providers.
Accessing the Imply user management console
As an administrator, you can configure and manage user access to Imply in the Imply user management console. The console provides a single point of management that can span multiple Imply accounts. The console is useful when you have accounts in different AWS regions, for example, or separate accounts for staging and production environments.
To get started, log into the user management console for your realm. In a browser, go to http://id.imply.io/, and provide your organization name, as well as the username and password of an administrative account for the organization.
After logging in, you can use the user management UI to connect third-party identity providers, configure local users, and manage user access settings for Imply Cloud.
Organizations sometimes have multiple Imply Cloud accounts. For instance, they might have an account for a production environment and another for staging or development.
A realm is the top-level container in Imply user management; it can contain one or more Imply Cloud accounts. In the console interface, Imply Cloud accounts are called clients. Several settings apply at the realm level; they are described below.
Within the user management console, you can see the Imply Cloud accounts in a given realm within the Clients view. This view is accessible by clicking Clients from the left menu.
Click on the name of any client to see the user roles associated with that client. The user management console includes built-in roles.
Brute force attack detection
A brute force attack happens when an attacker tries to guess a user's password. Imply can detect brute force attacks, and temporarily disable an account after a configurable number of login failures.
Brute force attack detection is disabled by default. You can enable this feature for a realm. Enabling this feature is a best practice to protect against this type of attack.
When a user is temporarily locked out and attempts to log in, the error message that appears is Invalid username or password. To avoid revealing to an attacker that the user is temporarily disabled, this is intentionally the same error message that displays for an actual invalid username or password.
Another way to prevent password guessing is to set up the server to use a one-time-password (OTP).
To enable this feature, follow these steps:
- Go to the Realm Settings in the left menu.
- Click the Security Defenses tab, then go to the Brute Force Detection sub-tab.
- Toggle Enabled to activate brute force attack detection.
- Choose permanent lockout or temporary lockout:
  - Permanent lockout disables an account after an attack until an administrator re-enables it.
  - Temporary lockout disables an account for a period of time after an attack is detected. The lockout period grows the longer the attack continues.
- Configure the following settings:
  - Max Login Failures: Maximum number of login failures permitted. Default value is 30.
  - Wait Increment (temporary lockout): Amount of time added to the period for which a user is temporarily disabled, applied each time Max Login Failures is reached. Default is 1 minute.
  - Quick Login Check Milli Seconds: Minimum time required between login attempts. Default is 1000.
  - Minimum Quick Login Wait: Minimum amount of time the user is temporarily disabled if login attempts arrive faster than Quick Login Check Milli Seconds allows. Default is 1 minute.
  - Max Wait (temporary lockout): The maximum amount of time for which a user can be temporarily disabled. Default is 15 minutes.
  - Failure Reset Time (temporary lockout): Time after which the failure count is reset; the timer runs from the last failed login. Default is 12 hours.
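To make the interaction of these settings concrete, here is an added Python model of the temporary and permanent lockout rules described above, including the deliberately generic error message; it is not Imply's code, and the way Wait Increment accumulates (as a multiple of the number of times Max Login Failures is reached) and the clearing of the counter on a successful login are modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional
GENERIC_ERROR = "Invalid username or password"  # shown for bad credentials and for lockouts alike
@dataclass
class BruteForcePolicy:  # realm settings from the Brute Force Detection tab, with the documented defaults
    max_login_failures: int = 30
    wait_increment_s: int = 60          # Wait Increment: 1 minute
    quick_login_check_ms: int = 1000    # Quick Login Check Milli Seconds
    min_quick_login_wait_s: int = 60    # Minimum Quick Login Wait: 1 minute
    max_wait_s: int = 15 * 60           # Max Wait: 15 minutes
    failure_reset_s: int = 12 * 3600    # Failure Reset Time: 12 hours
    permanent_lockout: bool = False
@dataclass
class UserLoginState:
    failures: int = 0
    last_failure_ms: Optional[int] = None
    disabled_until_ms: int = 0
    permanently_disabled: bool = False
def is_locked(state: UserLoginState, now_ms: int) -> bool:
    return state.permanently_disabled or now_ms < state.disabled_until_ms
def record_failure(policy: BruteForcePolicy, state: UserLoginState, now_ms: int) -> int:
    """Count one failed login at now_ms and return the temporary lockout applied, in seconds."""
    delta_ms = None if state.last_failure_ms is None else now_ms - state.last_failure_ms
    if delta_ms is not None and delta_ms > policy.failure_reset_s * 1000:
        state.failures = 0  # Failure Reset Time has elapsed since the last failure: count from zero again
    state.failures += 1
    state.last_failure_ms = now_ms
    wait_s = 0
    if state.failures >= policy.max_login_failures:
        if policy.permanent_lockout:
            state.permanently_disabled = True  # stays disabled until an administrator re-enables it
            return 0
        # Wait Increment is added each time Max Login Failures is reached again (modelled as a multiple)
        wait_s = policy.wait_increment_s * (state.failures // policy.max_login_failures)
    elif delta_ms is not None and delta_ms < policy.quick_login_check_ms:
        wait_s = policy.min_quick_login_wait_s  # attempts faster than the quick-login check earn the minimum wait
    wait_s = min(wait_s, policy.max_wait_s)  # never longer than Max Wait
    if wait_s:
        state.disabled_until_ms = max(state.disabled_until_ms, now_ms + wait_s * 1000)
    return wait_s
def attempt_login(policy: BruteForcePolicy, state: UserLoginState, password_ok: bool, now_ms: int):
    """Return (success, message); a locked-out user sees exactly the same message as a wrong password."""
    if is_locked(state, now_ms):
        return False, GENERIC_ERROR
    if not password_ok:
        record_failure(policy, state, now_ms)
        return False, GENERIC_ERROR
    state.failures = 0  # a successful login clears the counter (assumption, not stated on the page)
    return True, "ok"
```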
Managing local users
Local users are users managed within Imply user management rather than by an external identity provider. The user ID, password, and other attributes of a local user are specific to Imply user management.
You can enable self-registration for local user accounts. If enabled, a Register link appears on the login page, which users can click to set up their own accounts. Note that the created accounts are only local accounts that are not associated with any integrated third-party identity providers.
To enable self-registration:
- Go to the Realm Settings in the left menu.
- In the Login subtab, toggle the User registration option.
In addition to using external identity providers, you can create local users in Imply.
To create a new user and a temporary password for that new user:
- From the left menu, click Users to open the user list page.
- Click Add User to open the Add user page.
- Enter a name in the Username field. This is the only required field.
- Choose how to set the password. You can either provide a temporary one that the user must change at the first login, or a persistent password.
Create a temporary password
- Set the Email Verified switch to On and click Save. The management page for the new user opens.
- Click the Credentials tab to set a temporary password for the new user.
- Type a new password and confirm it.
- Click Set Password to set the user password to the new one you specified.
Create a persistent password
To create a persistent password, unset the Email Verified switch.
As an administrator, you can:
- Invite users to log in using an email or manual verification flow.
- Enable or disable password reset workflows, and initiate a reset, on a per-user basis.
- Define required password complexity, rotation frequency, and the permissible number of retries on the password.
- Prohibit users from sending password resets to themselves, which can protect users from email account takeovers.
- Reset a user’s password either through a link the user can click or by sending the user a temporary password.
- Set password requirements, including length, symbols, alphanumerics, and capitalization, to ensure passwords cannot be broken with dictionary attacks.
- Require passwords to be rotated periodically according to a schedule you select to protect against leaked passwords.
- Configure the number of username/password tries before locking the account and forcing the user to reset a password, which reduces the possibility of dictionary attacks.
To configure password policies, follow these steps:
- Go to Authentication.
- Click the Password Policy tab.
- Configure the policy based on the listed options. For example, you can configure a policy with these requirements:
  - Expires after 30 days
  - Must have at least one upper case character and one special character
  - Must not be recently used and must not be an email address, which you can configure as follows:
To allow users to reset forgotten passwords, go to Realm Settings, and toggle the Forgot password switch in the Login subtab.
Enabling multi-factor authentication
Multi-factor authentication (MFA) can significantly enhance user access security. Imply user management works with Google Authenticator and FreeOTP authenticator applications.
To enable MFA, follow these steps:
- Click Authentication in the left navigation menu.
- Open the OTP Policy subtab.
- Choose counter-based tokens or time-limited tokens.
- Configure other settings based on your requirements, including the OTP hash algorithm, the length of the token, and the look-ahead window, which allows for leniency in case of a synchronization discrepancy between the token generator and the server.
- Click Save to apply the configuration.
Imply user management comes preconfigured with roles that correspond to existing permissions in Imply, such as manage users, access datasets, and create data cubes. For a list of those permissions in Imply, see User management.
You can build custom roles that you grant permissions to by combining built-in roles. In the Imply user management console, these are called composite roles.
To view built-in roles, follow these steps:
- Click Clients from the left menu.
- Click on the name of the client for which you want to view roles, and then click the Roles subtab. The list of roles appears. Click a role to view permissions associated with the role.
To add a role:
- Click Add Role.
- Provide a name for the role and, optionally, a description and click Save.
- In the role configuration page, enable the Composite Roles toggle to assign permissions to the role.
- Choose one or more of the built-in roles to assemble permissions for the role. For a description of the permissions, see User management.
Integrating external identity providers
Local users are internal to Imply user management. As an alternative to defining local users, you can integrate Imply with an external identity provider. The provider makes the authentication decision and supplies authorization parameters to Imply.
Imply works with SAML- and OIDC-based identity providers.
The following section explains how to connect Imply user management to an OIDC provider.
Integrating an OIDC identity provider
To configure an OIDC identity provider, follow these steps:
- Click Identity Providers from the left menu.
- Open the Add provider menu, and choose Open ID Connect V1.0.
- If you are importing a configuration, scroll to the bottom of the page and import the external IDP metadata description by URL or as a file upload. To configure manually, continue.
- Set the redirect URI to the URI where responses to your authentication requests are sent.
- Configure other optional general OIDC settings as needed.
For the OpenID Connect configuration settings, configure at least these settings for the identity provider:
- Authorization URL: The authorization URL at which the identity provider is reached.
- Token URL: The OpenID Connect token endpoint URL.
- Client Authentication: Configure how to connect to the identity provider, including the client ID and client secret.
See tool tip help for additional description of the configuration settings.
The configuration should appear as follows:
Configure user role mappings
After adding an identity provider configuration, you can map user attributes derived from the identity provider to roles in Imply.
You must configure an identity provider before configuring mappers. You must also set up the user roles first, since the mappers map to those roles.
To add a mapper, follow these steps:
- Click the Mappers subtab in the Identity Provider settings page and then click Create.
- In the mapper configuration, enter a name for the mapper.
- For the Sync Mode Override, choose from these options:
  - Choose import to import user data only once, when the user is created at first login.
  - Choose force to update user data at every user login.
  - Choose inherit to use the sync mode configured in the identity provider. The other two options override the provider's sync mode.
- For Mapper Type, choose the type of user identity attribute that you want to use for the mapping. This type varies by identity provider type. For instance, in OIDC, Claim to Role is an option typically used for this value. See the tool tip help for additional descriptions of the configuration parameters.
- Click Save.
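As an added illustration (not Imply's code), the following Python models how a Claim to Role mapper behaves under each sync mode; the claim-matching rule and the withdrawal of a role in force mode are assumptions about the behaviour, and the mapper, claim and role names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ClaimToRoleMapper:
    """One Claim to Role mapper: grant `role` when `claim` carries `claim_value`."""
    name: str
    claim: str
    claim_value: str
    role: str
    sync_mode_override: str = "inherit"   # "import", "force" or "inherit"

def effective_sync_mode(mapper: ClaimToRoleMapper, provider_sync_mode: str) -> str:
    """'inherit' defers to the identity provider's sync mode; anything else overrides it."""
    mode = provider_sync_mode if mapper.sync_mode_override == "inherit" else mapper.sync_mode_override
    if mode not in ("import", "force"):
        raise ValueError(f"unsupported sync mode {mode!r}")
    return mode

def claim_matches(claims: dict, claim: str, expected: str) -> bool:
    value = claims.get(claim)
    values = value if isinstance(value, list) else [value]  # claims may be scalar or multi-valued
    return expected in values

def apply_mappers(mappers, provider_sync_mode: str, claims: dict, current_roles, first_login: bool) -> set:
    """Return the user's role set after a login that presented `claims`."""
    roles = set(current_roles)
    for m in mappers:
        mode = effective_sync_mode(m, provider_sync_mode)
        if mode == "import" and not first_login:
            continue  # import: the mapper ran once at first login and never touches the user again
        if claim_matches(claims, m.claim, m.claim_value):
            roles.add(m.role)
        elif mode == "force":
            roles.discard(m.role)  # force: a role the claim no longer supports is withdrawn (assumption)
    return roles
```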
Managing users with groups
Groups allow you to manage attributes and role mappings for a set of users.
Users can be members of zero or more groups. Users inherit the attributes and role mappings assigned to each group. To manage groups, go to the Groups left menu item.
Groups are hierarchical. A group can have many subgroups, but a group can only have one parent. Subgroups inherit the attributes and role mappings from the parent. This applies to the user as well. So, if you have a parent group and a child group and a user that only belongs to the child group, the user inherits the attributes and role mappings of both the parent and child. In this example, we have a top level Sales group and a child North America subgroup.
To add a group, follow these steps:
- To add a subgroup, click the parent group you want to add it to and then click New.
- To add a top-level group instead, select the Groups icon.
- Enter a group name in the Create Group screen and click Save. The individual group management page appears.
The Attributes and Role Mappings tabs work exactly like the tabs of the same names on a user's page. Any attributes and role mappings you define are inherited by the subgroups and users that are members of this group.
To add a user to a group, return to the user's detail page and click the Groups tab.
Select a group from the Available Groups tree and click the join button to add the user to the group. To remove the user from a group, select it in the user's current memberships and leave it in the same way.
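The Sales and North America example above, worked through in added Python that is not Imply's code; the rule that a subgroup's attribute value overrides the parent's and that the user's own value overrides both is an assumption, and the role and attribute names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None       # a group has at most one parent
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)

    def lineage(self):
        """This group and all of its ancestors, top-level group first."""
        chain, g = [], self
        while g is not None:
            chain.append(g)
            g = g.parent
        return list(reversed(chain))

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    groups: list = field(default_factory=list)  # zero or more direct memberships

def effective_roles(user: User) -> set:
    """Direct roles plus every role mapped on a member group or any of its ancestors."""
    roles = set(user.roles)
    for g in user.groups:
        for ancestor in g.lineage():
            roles |= ancestor.roles
    return roles

def effective_attributes(user: User) -> dict:
    """Parents are applied first, so a subgroup overrides its parent and the user overrides both (assumption)."""
    attrs = {}
    for g in user.groups:
        for ancestor in g.lineage():
            attrs.update(ancestor.attributes)
    attrs.update(user.attributes)
    return attrs
```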
The Sessions page lets you end active user sessions manually. You can do this for security reasons. The Sessions page lets you end all user sessions at once. Alternatively, you can end a session for individual users from the user's profile page.