How To Onboard Future Teams
Congratulations, you finished onboarding your first team 🙂
Here are our recommendations for the next steps:
- Set up a break-glass user in case of an IDP issue
- Best practice on revoking legacy credentials to access systems now managed via StrongDM
- Choose the next team and repeat the onboarding steps:
- If the new team has new environments, deploy the gateways/relays.
- Deploy all the resources the new team uses to StrongDM.
- Add all the users to StrongDM.
- Revoke the legacy credentials to access systems now managed via StrongDM.
- Continue the process with all your company's teams, one team at a time.
How to Set Up a Break-Glass User in Case of IdP Issues
We recommend customers set up a break-glass user while enabling SCIM Provisioning. The scenario guards against the following:
- A customer enables SCIM provisioning and has all admin users now managed by their IdP
- The customer has an issue with their IdP or makes a mistake, resulting in the admin users having their groups revoked in the IdP, and as such, they are suspended in StrongDM.
- When they re-add the user(s) to the correct groups in their IdP, the user(s) will be reinstated, but only with user privileges. There is a chance there will be no admins on the account to manually elevate the privileges of those users back to Admin, so they have no admins and will have to contact StrongDM support to reinstate them.
- Having a break-glass admin user tied to SSO but allowing password login means that in the event of the above, they can "break-glass" to get the password, log in, and reinstate admin privileges as required.
When setting up a break-glass account for this scenario, the process is to:
- Go to user provisioning settings and ensure “Allow password login for admins" is selected.
- Create a new SSO user (such as sam.jones+breakglass@StrongDM.com). It cannot be a non-SSO user, as non-SSO users can only ever have user-level permissions.
- For the new user, go to settings and give them admin permissions, then select “send password reset email”. That will give the user the ability to set their own password.
If you don’t do this step, they’ll always be redirected to IdP login rather than password login - therefore, not a working break-glass account in case of IdP issues. - A break-glass account with a password login can only be used to log in to the admin UI - they cannot connect to the client with it (as they will always be redirected to their IdP login) and so can never use it to connect to resources. [This is useful context for audit reasons]
When activating a break-glass scenario, the process is to:
- The break-glass admin accesses SDM and disables the SSO.
- In the case of SSO removal, the users remain active. The break-glass admin will need to send a password reset.
- In the case of SCIM removal, the users become disabled. The break-glass admin will need to re-enable the users and send a password reset.
Best practice on revoking legacy credentials to access systems now managed via StrongDM
To help migrate staff access to StrongDM, we've developed best practices based on hundreds of deployments. The steps we recommend are:
- Choose the first team to migrate & identify that team's manager
- Validate that all necessary resources have been provisioned and added to StrongDM
- Ask that team's manager to send an email to staff emphasizing the move to StrongDM and setting expectations that direct access will be shut off in two weeks.
- Two days before the cut-off date, send a reminder to the team members
- On the cut-off day, revoke that team's direct access