Help Center
Go back to application
Help Center
Go back to application
Platform Terms Glossary
Task Management
Task Management explained Creating Tasks Setting up Task NotificationsGiving permissions to team members
Organization
Working together in KertosInviting UsersCreating rolesAssigning Data Source AccessCreating Departments and Assigning Users
Integrations
Discovery
Discovery explainedScanning your websiteScanning your SSO Scanning your cloud
Tasks
Device Management
Human Resource Information Systems
Inventory
Inventorization of vendorsInventorization of systemsInventorization of assetsEU AI Act: Inventorization of AI use cases
Risks
Managing risksApplying controls to risks
Trust Center
Setting up your trust center
Incidents
Reporting incidents
KAI
KAI explainedPrinciples of AI at KertosInteracting with KAI
Compliance
Frameworks explainedManaging & implementing controlsCreating & managing policiesCompleting & assigning trainings
Privacy Management
Creating a RoPACreating TOMsCreating DPIAs
Data Subject Requests
API Reference
Ingress API Docs for DSRs Webhook API Docs for DSRs

Scanning your SSO

You can connect Kertos with your identity provider to uncover multiple data types, including users. Don’t worry, we do not store any of your personal data.

 

What happens with my SSO data?

The account used for login when executing the SSO scan must have admin rights, otherwise Kertos cannot access the necessary information. This is true for all email providers.

Microsoft / Google

 

 

1. Go to "Integrations".

2. Select the scan for your organization’s email provider and click “Run”.

3. In this case, the email provider is Microsoft. Click “Sign in with Microsoft”.

4. A pop-up will open that guides you through your email provider’s log-in process. If you encounter log-in difficulties, refer to your email provider’s documentation.

5. After finishing the process, the pop-up will close and the scan will run automatically.

 

What do you give Kertos access to if you make use of the SSO Discovery?

In order to identify the information we need for discovering your data relevant to compliance, we require the following permissions from you, depending on the provider you us

 

Microsoft

For identifying which users are active:
user.read
user.read.all
For identifying which users access which data sources:
appRoleAssignment.ReadWrite.All
More Information on the required permissions can be found here: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
If rather than using an administrator account you want to create a (read only) service account to sign up with, a guide on how to configure a service account can be found here:
https://support.google.com/a/answer/7378726?hl=en

 

Google

For identifying which users are active:
userinfo.profile
admin.directory.user
userinfo.email
openid
For identifying which users access which data sources:
admin.directory.user.security
More Information on the required permissions can be found here:
https://developers.google.com/identity/protocols/oauth2/scopes

 

Okta

 

okta-api-service-integrations-add-743e317eeba75afbc0a9d443b7931823

 

1. In Okta, go to your admin interface.

2. Select “Applications” in the navigation bar.

3. Go to “API Service Integrations” and select "Add Integration".

4. Choose Kertos from the list of available integrations and confirm adding it to your Okta account.

5. You can now head back to Kertos and continue the setup there.

 

 

6. Click “Edit Okta Configuration”

7. Enter the relevant info:

 

  • Okta Server URL: The domain of your Okta account, e.g. https://example.okta.com. You can just go to your Okta dashboard and copy & paste the URL from your browser, Kertos will take care of extracting the relevant parts.
  • Okta Client ID: The client id generated in the Okta interface. You can find this by going to the "Applications" tab in Okta, choosing "API Service Integrations" and then selecting the "Kertos" application, and then clicking on the "General" tab. The client id is listed under "Client Credentials".
  • Okta Client Secret: The client secret generated in the Okta interface. In the Kertos API service integration in Okta, generate a client secret (it will only be shown once, so make sure to copy it) and paste it into the form in Kertos. We will also not show it on subsequent visits to protect this secret.

 

8. Click “Start discovery”


 

Was this article helpful?

Powered by Product Fruits