IAM AD SSO least privileges to success

Roy Lam Lv1Posted 2022-Apr-12 18:01

I am checking the User Manual for IAM of the Domain SSO. In the document, it says we have to provide a Domain Admin account to "obtain login information from the AD server and report the received information to the IAG for implementing SSO".

I am thinking that we should NOT be using the Domain Admin privilege (the highest privilege) to perform such an operation. So what are the least privileges needed to achieve this objective? Event Log Readers?

Please help.

Liew has solved this question and earned 10 coins.


Faisal Posted 2022-Apr-18 22:23
  
"Privileged" accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.
Farina Ahmed Lv5Posted 2022-Apr-20 13:53
  
You can create a simple user other than administrator and give it those privileges.
Roy Lam Lv1Posted 2022-Apr-21 17:39
  
So what is the least privilege level? Must it be Domain Administrator? Or could I use a less powerful permission such as Network Operator?
Liew Lv2Posted 2022-Apr-25 14:48
  
Good day! As long as the user has the permission, you may use that user.
You need to grant the user the Enable Remote permission, then in Advanced you need to allow the user to access the namespace and subnamespaces. Lastly, assign the user to Event Log Readers and Performance Log Users in the user's Active Directory account.
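The procedure Liew describes, as an added PowerShell example (not part of the original thread, and not Sangfor's own code or documentation). It assumes the RSAT ActiveDirectory module, that it is run on the domain controller the IAG polls, and the hypothetical names `CORP`, `svc-sangfor-sso` and `dc01.corp.example`. The WMI namespace `root\cimv2` and the need for "Enable Account" alongside "Remote Enable" are assumptions, not stated in the answer.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread or Sangfor's docs.
# Run as a domain admin on each domain controller the IAG reads from;
# the resulting account itself is a plain domain user.

$Domain     = 'CORP'              # hypothetical NetBIOS domain name
$SsoAccount = 'svc-sangfor-sso'   # hypothetical dedicated SSO reader account
$Namespace  = 'root\cimv2'        # WMI namespace the SSO reader queries (assumption)
$VerifyDc   = 'dc01.corp.example' # hypothetical DC to test against from another host

# 1. Create a plain domain user (not a Domain Admin) for the IAG to use.
$password = Read-Host -AsSecureString -Prompt "Password for $SsoAccount"
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SsoAccount'")) {
    New-ADUser -Name $SsoAccount -SamAccountName $SsoAccount `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

# 2. The two built-in groups named in the accepted answer.
foreach ($group in 'Event Log Readers', 'Performance Log Users') {
    Add-ADGroupMember -Identity $group -Members $SsoAccount
}

# 3. WMI namespace security: "Enable Account" + "Remote Enable" for this
#    namespace and subnamespaces (the "Advanced" step in the answer).
$WBEM_ENABLE           = 0x1
$WBEM_REMOTE_ACCESS    = 0x20
$CONTAINER_INHERIT_ACE = 0x2
$ACCESS_ALLOWED_ACE    = 0x0

$sd = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($sd.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($sd.ReturnValue)" }
$acl = $sd.Descriptor

$account = Get-WmiObject -Class Win32_Account -Filter "Domain='$Domain' AND Name='$SsoAccount'"
if (-not $account) { throw "Account $Domain\$SsoAccount not found" }

# Skip if an ACE for this SID already exists, so re-runs are idempotent.
if (-not ($acl.DACL | Where-Object { $_.Trustee.SidString -eq $account.Sid })) {
    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $account.Sid

    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE   # applies to subnamespaces too
    $ace.AceType    = $ACCESS_ALLOWED_ACE
    $ace.Trustee    = $trustee

    $acl.DACL += $ace.psobject.ImmediateBaseObject
    $result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $acl.psobject.ImmediateBaseObject
    if ($result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($result.ReturnValue)" }
}

# 4. Verification, to be run from a host other than $VerifyDc (WMI refuses
#    alternate credentials for local connections): read one Security log
#    entry and one WMI class remotely as the new account. Both must succeed
#    without the account being in Domain Admins.
$cred = New-Object System.Management.Automation.PSCredential("$Domain\$SsoAccount", $password)
Get-WinEvent  -ComputerName $VerifyDc -Credential $cred -LogName Security -MaxEvents 1
Get-WmiObject -ComputerName $VerifyDc -Credential $cred -Class Win32_OperatingSystem
```

The verification step is the check worth keeping: if the event-log read fails, the Event Log Readers membership or the Security log ACL is the problem; if the WMI query fails, it is the namespace ACE or the DCOM remote activation right (which Performance Log Users grants by default). Any failure in step 4 means the IAG would not work with this account either, which is the moment to fix permissions rather than to fall back to a Domain Admin account.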
tanveer Lv2Posted 2022-Jun-20 02:16
  
There are many consequences to providing least privilege for this. It is highly recommended by Sangfor to use a domain administrator or equivalent administrator account for SSO.
