Active Directory / SSO / User Provisioning and Deprovisioning

Casey_Dorman {Domo}
Casey_Dorman {Domo} Contributor
edited August 2023 in Governance & Security Ideas

Hello Domo Product Team!

One of our top ELA accounts has been struggling with the following for some time. We are hoping to gain enough attention (and enough upvotes) to have this considered for inclusion in the Domo platform.

The general request is for automating user provisioning and deprovisioning via Active Directory sync with SSO. There is an old post in this Community Forum from 2019 that articulates what is being sought (however, we are unsure if this is still active and able to be upvoted - in addition it references Azure, whereas we are on AWS):

Essentially, allowing an active directory sync of some kind would appear to solve these recurring issues:

Bypass Required Login at User Creation

: Having new users login before their new Domo user account is active/ready can be a source of confusion and frustration, especially when it comes to high level execs who we are trying to share reports with. We can create their user account, but the requirement to have them login before they can view Domo content is a major impediment to their seamless adoption. 

We are recommending a toggle to allow Admins to turn on/off the requirement for newly created users to have to login before they can be shared Domo content. We need to be able to establish users without requiring a direct login. 

Automated Session Kill for Disabled/Deleted Users

: We currently take advantage of the Domo functionality for Domo session timeouts after a set period (in our case, 24 hrs), essentially requiring all users to login and reauthenticate each day for security purposes. Without increasing the timeout frequency (which would make all users' lives very difficult), we need a way to also auto-kill Domo sessions if a user has been terminated and their User license disabled/removed. It poses a great security threat when users who are no longer employed still have access to sensitive company data before the next 24hr timeout occurs. Please strongly consider adding functionality to allow this auto-session end for disabled and/or deleted users. 

We are currently investigating automation via Governance Toolkit, and possibly even Workflows, but again, we wanted to make sure this issue is successfully reported to the Domo Product team for acknowledgement and consideration for a more seamless experience.

Thank you!

Casey

Tagged:
12
12 votes

Active · Last Updated