Q: Can we use our federated SSO to log users into your system without requiring them to set or store a password?
​​

A: Yes, we support IDP-initiated SAML.

Q: Is it correct to assume that full name and email would still need to be stored with each account?

A: Yes, we provision a “user” on our end with information from the customer’s identity provider (name and email) so that we can apply our permissions model.

Q: Can accounts be provisioned automatically (e.g., via SSO login) with a predefined base level of access (e.g., read-only access)?

A: Yes, we support the auto-provisioning of new users with a “standard” access level. This feature can also be disabled if needed. Typically, customers configure a security group on their end to allow-list the users they want to grant ObservePoint access, ensuring it’s appropriate to automatically assign them the standard access level.

Q: If we have an automated system for data subject access/delete requests, or if an employee account is removed on our end, are there automated ways to remove the account on your end?

A: Yes, we have an API that can be called with the API key of an admin user.

Q: Does ObservePoint prevent users from logging in via username and password when my account uses SSO?

A: Yes, ObservePoint prevents all SSO users from logging in directly. If a user which belongs to an account with SSO enabled attempts to log in via direct username and password, ObservePoint redirects them to the account's SSO system.