Active Directory / SSO / User Provisioning and Deprovisioning

Casey_Dorman {Domo}

Hello Domo Product Team!

One of our top ELA accounts has been struggling with the following for some time. We are hoping to gain enough attention (and enough upvotes) to have this considered for inclusion in the Domo platform.

The general request is for automating user provisioning and deprovisioning via Active Directory sync with SSO. There is an old post in this Community Forum from 2019 that articulates what is being sought (however, we are unsure if this is still active and able to be upvoted - in addition it references Azure, whereas we are on AWS):

Automate User Provisioning and Deprovisioning to SaaS Apps

Figauro

Jun 21, 2019

I'd like to be able to easily keep up with users from our active directory with auto provisioning and deprovisioning. Currently, when an employee is hired, I'll have to add them as a user to the Domo app in azure manually, then wait for the user to sign into Domo to assign them to a group. When an employee is terminated, their log in is blocked in azure and they can't access Domo anymore, but I then have to manually remove that user from Domo vs azure syncing with Domo and removing the user for me.

 

Here is a link to what other companies have recently started implementing: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/user-provisioning.

 

---

View Post

Essentially, allowing an active directory sync of some kind would appear to solve these recurring issues:

Bypass Required Login at User Creation

: Having new users login before their new Domo user account is active/ready can be a source of confusion and frustration, especially when it comes to high level execs who we are trying to share reports with. We can create their user account, but the requirement to have them login before they can view Domo content is a major impediment to their seamless adoption. 

We are recommending a toggle to allow Admins to turn on/off the requirement for newly created users to have to login before they can be shared Domo content. We need to be able to establish users without requiring a direct login. 

Automated Session Kill for Disabled/Deleted Users

: We currently take advantage of the Domo functionality for Domo session timeouts after a set period (in our case, 24 hrs), essentially requiring all users to login and reauthenticate each day for security purposes. Without increasing the timeout frequency (which would make all users' lives very difficult), we need a way to also auto-kill Domo sessions if a user has been terminated and their User license disabled/removed. It poses a great security threat when users who are no longer employed still have access to sensitive company data before the next 24hr timeout occurs. Please strongly consider adding functionality to allow this auto-session end for disabled and/or deleted users. 

We are currently investigating automation via Governance Toolkit, and possibly even Workflows, but again, we wanted to make sure this issue is successfully reported to the Domo Product team for acknowledgement and consideration for a more seamless experience.

Thank you!

Casey