Managing Turbot Profile Expirations for SAML Directories

The Turbot identity model supports LDAP and SAML directories for determining whether users are authorized and which groups they belong to. Provisioning SAML users into Turbot is straightforward; deactivating SAML users is more involved. This article covers the approaches organizations can take to deprovision SAML users.

A primary limitation of SAML is that user information, user activation status, and group memberships are only passed to Turbot when a user attempts to log in. As a result, for SAML directories in Turbot there is no direct way for Turbot to know when a user's profile has expired or been deactivated. (Conversely, Turbot can periodically poll LDAP directories for up-to-date user status and group memberships.)

The first approach to deactivating these profiles is to set fairly short expiration periods using the following policies. Each organization should set values for these policies that meet its needs.

Turbot > Directory > Profile Active
Turbot > Directory > Profile Expiration
Turbot > Directory > Profile Access Key Expiration Days
Turbot > Directory > Profile Access Key Expiration
Turbot > Directory > Profile Active Status

If waiting for a profile to expire does not meet an organization's credential control requirements, the profile(s) can be deactivated manually using the Turbot console. It is also possible to call the Turbot Profile Update API* to deactivate the profile directly. The request payload should be well-formed JSON setting the status to 'Inactive', as shown below.

{"status":"Inactive"}

Note that Turbot profiles cannot be deleted, only deactivated.

* This guide was written against the version 3 API.
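Because SAML never tells Turbot that a user was disabled at the identity provider, deprovisioning has to be driven from the IdP side. The script below is an added example, not code from the article or from Turbot: it reconciles a constructed IdP user export against constructed Turbot profile records, picks the profiles that should be deactivated, and builds the JSON update request from the article. The endpoint URL, HTTP method and bearer header are assumptions (placeholders), since the article does not document the v3 Profile Update call itself.

```python
"""Reconcile SAML users against Turbot profiles and build deactivation requests.
Assumptions (not from the article): IdP records look like {"email", "active"},
Turbot profile records look like {"id", "email", "status"}, and
TURBOT_PROFILE_UPDATE_URL is a placeholder for the v3 Profile Update endpoint,
whose real path, method and auth scheme this script does not know."""
import json
import urllib.request

# Placeholder only: substitute the real Turbot v3 Profile Update endpoint.
TURBOT_PROFILE_UPDATE_URL = "https://turbot.example.invalid/api/v3/profiles/{profile_id}"

# Constructed sample data so the script runs stand-alone.
IDP_USERS = [
    {"email": "alice@example.com", "active": True},
    {"email": "bob@example.com", "active": False},  # disabled in the IdP
]
TURBOT_PROFILES = [
    {"id": "p-001", "email": "alice@example.com", "status": "Active"},
    {"id": "p-002", "email": "bob@example.com", "status": "Active"},
    {"id": "p-003", "email": "carol@example.com", "status": "Active"},   # removed from IdP
    {"id": "p-004", "email": "dave@example.com", "status": "Inactive"},  # already handled
]

def profiles_to_deactivate(idp_users, turbot_profiles):
    """Ids of profiles still active in Turbot whose user is not active in the IdP.
    Users absent from the export count as deactivated: SAML only reports a
    user's state when that user logs in, so Turbot cannot notice on its own."""
    active_in_idp = {u["email"].lower() for u in idp_users if u.get("active")}
    return sorted(p["id"] for p in turbot_profiles
                  if p["status"] != "Inactive" and p["email"].lower() not in active_in_idp)

def deactivation_payload():
    """The well-formed JSON body the article shows."""
    return json.dumps({"status": "Inactive"})

def build_request(profile_id, token):
    """Build, without sending, the update request for one profile (PUT and a
    bearer header are assumptions about the API, not documented behaviour)."""
    req = urllib.request.Request(TURBOT_PROFILE_UPDATE_URL.format(profile_id=profile_id),
                                 data=deactivation_payload().encode(), method="PUT")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"Bearer {token}")
    return req

if __name__ == "__main__":
    for pid in profiles_to_deactivate(IDP_USERS, TURBOT_PROFILES):
        req = build_request(pid, "REPLACE_WITH_TOKEN")
        print(req.get_method(), req.full_url, req.data.decode())  # urlopen(req) once real
```

Run it on a scheduled basis from the IdP export so the gap between an IdP deactivation and the Turbot profile expiring is bounded by the schedule rather than by the expiration policies alone.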
