Q: Can we use federated SSO to log users into ObservePoint without requiring them to set or store a password?
A: Yes, ObservePoint supports IdP-initiated SAML.
Q: Is it correct to assume that full name and email would still need to be stored with each account?
A: Yes, ObservePoint provisions a “user” record with name and email from your identity provider.
Q: Can accounts be provisioned automatically (e.g., via SSO login) with a predefined base level of access (e.g., read-only access)?
A: Yes, ObservePoint supports the auto-provisioning of new users with a “standard” access level. Account admins can disable this feature if needed. Typically, customers configure a security group in the IdP to allow-list the users they want to grant access to ObservePoint, ensuring it’s appropriate to automatically assign them the standard access level.
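The following is an added illustration of the provisioning flow the answer describes (allow-list group in the IdP, new users created with the "standard" level, a switch an admin can turn off). It is not ObservePoint's code: the attribute names (`email`, `name`, `groups`), the group name `observepoint-users` and the in-memory account store are assumptions, and it takes attributes that have already been extracted from a validated SAML assertion.

```python
"""Just-in-time (JIT) provisioning from SAML attributes with an IdP group allow-list.

Added example, not ObservePoint code. Attribute names, the group name and the
Account/User store are assumptions; `attrs` is assumed to come from a SAML
response whose signature, audience and validity window were already checked.
"""
from dataclasses import dataclass, field

ALLOWLIST_GROUP = "observepoint-users"  # assumed IdP security group name
DEFAULT_ROLE = "standard"               # base access level given to auto-provisioned users


@dataclass
class User:
    email: str
    name: str
    role: str


@dataclass
class Account:
    auto_provision: bool = True                   # admins can disable JIT provisioning
    users: dict = field(default_factory=dict)     # email -> User


class LoginDenied(Exception):
    """Raised when the assertion does not entitle the subject to a session."""


def handle_sso_login(account: Account, attrs: dict) -> User:
    """Return the User to sign in, creating it with DEFAULT_ROLE when allowed."""
    email = attrs.get("email", "").strip().lower()
    name = attrs.get("name", "").strip()
    groups = set(attrs.get("groups", []))

    if not email:
        raise LoginDenied("assertion carries no email attribute")
    # The allow-list group is the control that makes automatic "standard"
    # access acceptable: membership is managed in the IdP, not in ObservePoint.
    if ALLOWLIST_GROUP not in groups:
        raise LoginDenied("subject is not a member of the allow-list group")

    user = account.users.get(email)
    if user is None:
        if not account.auto_provision:
            raise LoginDenied("no user record and auto-provisioning is disabled")
        user = User(email=email, name=name, role=DEFAULT_ROLE)
        account.users[email] = user
    elif name and user.name != name:
        user.name = name  # keep the display name in sync with the IdP; role is never touched here
    return user


if __name__ == "__main__":
    acct = Account()
    # Constructed sample attributes, as a SAML attribute statement might carry them.
    print(handle_sso_login(acct, {"email": "Alice@Example.com", "name": "Alice A.",
                                  "groups": ["staff", ALLOWLIST_GROUP]}))
```

Note that an existing user's role is deliberately left alone on login: JIT provisioning only sets the base level for new records, so an admin who was promoted inside the product is not silently demoted back to "standard" by the next SSO sign-in.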
Q: If we have an automated system for data subject access/delete requests, or if an employee account is removed from our corporate directory, are there automated ways to remove the user record from ObservePoint?
A: Yes, ObservePoint has an API that can be called with the API key of an admin user to delete user records.
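As an added example of the offboarding automation this answer enables, the script below reconciles a corporate directory export against ObservePoint user records and removes the ones that no longer exist in the directory. It is not ObservePoint's code and does not use the real API: the page only states that an admin API key can be used to delete user records, so the actual HTTP call is represented by a `delete_user` callback you supply, and the user list, directory export, `id` field and the 20% safety threshold are constructed assumptions.

```python
"""Offboarding reconciliation: remove ObservePoint users absent from the directory.

Added example, not ObservePoint code. The delete call is a caller-supplied
callback standing in for the admin-API-key request the page mentions; the
endpoint and request format are not on the page and are not assumed here.
"""
from typing import Callable, Iterable

# Refuse to delete more than this fraction of users in one run. A broken or
# partial directory export would otherwise wipe the account (assumed safeguard).
MAX_DELETE_FRACTION = 0.2

# Constructed sample data standing in for the ObservePoint user list and the
# corporate directory export.
OBSERVEPOINT_USERS = [
    {"id": "u1", "email": "alice@example.com", "role": "admin"},
    {"id": "u2", "email": "bob@example.com", "role": "standard"},
    {"id": "u3", "email": "carol@example.com", "role": "standard"},
    {"id": "u4", "email": "dave@example.com", "role": "standard"},
    {"id": "u5", "email": "erin@example.com", "role": "standard"},
]
DIRECTORY_EXPORT = ["alice@example.com", "carol@example.com",
                    "dave@example.com", "erin@example.com"]  # bob has left


def plan_removals(observepoint_users: Iterable[dict], directory_emails: Iterable[str],
                  protected_emails: Iterable[str] = ()) -> list:
    """Return the user records whose email is not in the directory export.

    protected_emails (e.g. the admin whose API key runs this job) are never
    selected, so the job cannot delete its own credentials.
    """
    directory = {e.strip().lower() for e in directory_emails}
    protected = {e.strip().lower() for e in protected_emails}
    if not directory:
        raise RuntimeError("directory export is empty; refusing to plan deletions")

    users = list(observepoint_users)
    stale = [u for u in users
             if u["email"].strip().lower() not in directory
             and u["email"].strip().lower() not in protected]

    if users and len(stale) / len(users) > MAX_DELETE_FRACTION:
        raise RuntimeError(
            f"{len(stale)} of {len(users)} users would be deleted; above the "
            f"{MAX_DELETE_FRACTION:.0%} safety threshold, aborting for review")
    return stale


def deprovision(stale: list, delete_user: Callable[[str], None],
                dry_run: bool = True) -> list:
    """Delete each planned record via delete_user(id); returns the emails handled."""
    handled = []
    for user in stale:
        if not dry_run:
            delete_user(user["id"])  # the real call would carry the admin API key
        handled.append(user["email"])
    return handled


if __name__ == "__main__":
    plan = plan_removals(OBSERVEPOINT_USERS, DIRECTORY_EXPORT,
                         protected_emails=["alice@example.com"])
    print("would remove:", deprovision(plan, delete_user=lambda uid: None, dry_run=True))
```

Run it with `dry_run=True` first and log the plan; only flip to a real deletion once the output matches what the directory team expects. The same `plan_removals` step can be driven by a data-subject deletion request by passing that single user's record and an otherwise complete directory list.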
Q: Does ObservePoint prevent users from logging in via username and password when my account uses SSO?
A: Yes, ObservePoint prevents all SSO users from logging in directly. If a user who belongs to an account with SSO enabled attempts to log in with a username and password, ObservePoint redirects them to the account's SSO system.
Q: Can I link multiple ObservePoint accounts to the same IdP application?
A: No. The SAML protocol prevents linking multiple ObservePoint accounts to a single IdP application. To link multiple ObservePoint accounts to the same company's IdP, create a separate "application" in your IdP for each ObservePoint account.
