How Does Single Sign-On (SSO) Interact with Roles in Edgescan?
This article explains how Single Sign-On (SSO) works with Edgescan’s Role-Based Access Control (RBAC) system, including what is managed by your Identity Provider (IdP) and what must be configured in Edgescan.
Version Number: v1.0.0
Published Date: 09 Dec 2025
____________________________________________________________________________
SSO Overview
SSO allows users to authenticate through an external Identity Provider (IdP) such as Azure AD (now Microsoft Entra ID), Okta, or Ping Identity. This centralizes authentication and improves security by:
- Enforcing corporate password policies.
- Supporting MFA (Multi-Factor Authentication) at the IdP.
- Simplifying user onboarding and offboarding, since disabling the IdP account blocks further logins.
Roles and SSO
Roles in Edgescan are not assigned by your IdP. Even when SSO is enabled:
- Authentication (who the user is) is handled by the IdP.
- Authorization (what the user may do, i.e. Roles) is managed within Edgescan.
This means:
- After a user signs in via SSO, their access level depends solely on the roles assigned to them in Edgescan. A user who is auto-provisioned on first login has no role until one is assigned.
- IdP groups or claims do not currently map to Edgescan roles. Removing a user from an IdP group, or disabling their IdP account, stops them from logging in but does not change the roles stored in Edgescan.
Assigning Roles for SSO Users
- Ensure the user account exists in Edgescan (SSO will create it on first login if auto-provisioning is enabled).
- Navigate to User Management in Edgescan.
- Locate the SSO user and click Edit.
- Assign one or more roles. Refer to the Role Capabilities & Permissions Matrix for what each role grants.
- Save changes.
Best Practices
- Pre-assign roles for known users before their first login.
- Use least-privilege principles when granting roles.
- Regularly audit SSO users to ensure their role assignments still match what their IdP group membership entitles them to.
Limitations
- Role assignment cannot currently be automated via IdP claims; role changes made in the IdP must be mirrored manually in Edgescan.
- Direct Permissions can still be applied to SSO users for exceptions. Review them with the same least-privilege scrutiny as roles, since they are also not managed by the IdP.
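Because IdP claims do not drive Edgescan roles, the audit recommended under Best Practices amounts to reconciling two sources by hand. The following script is an added example (not Edgescan's own tooling) that automates the comparison: it takes a constructed IdP group export and a constructed Edgescan user export, both as CSV, plus the intended group-to-role policy, and reports SSO users whose roles drift from what their IdP groups entitle. The CSV column layout, the role names Administrator and Viewer, and the group names are all assumptions; substitute whatever your IdP and the Edgescan User Management export actually produce.

```python
import csv
import io


# Constructed sample exports (illustrative data, not from any real tenant). The column
# layout and the role names are assumptions: adapt them to what your IdP and the
# Edgescan User Management export actually produce.
IDP_GROUPS_CSV = """user,group
alice@example.com,edgescan-admins
bob@example.com,edgescan-readonly
carol@example.com,edgescan-readonly
frank@example.com,edgescan-readonly
"""

EDGESCAN_USERS_CSV = """user,auth,roles
alice@example.com,sso,Administrator
bob@example.com,sso,Administrator
carol@example.com,sso,
dave@example.com,sso,Viewer
erin@example.com,local,Viewer
"""

# The IdP-group -> Edgescan-role policy you apply by hand in User Management.
# Edgescan does not read this mapping; the script only uses it to detect drift.
EXPECTED_ROLE = {
    "edgescan-admins": "Administrator",
    "edgescan-readonly": "Viewer",
}


def load_idp_groups(csv_text):
    """Return {user: set(groups)} from the IdP export (assumed columns: user, group)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups.setdefault(row["user"].strip().lower(), set()).add(row["group"].strip())
    return groups


def load_edgescan_users(csv_text):
    """Return {user: (auth_method, set(roles))}; roles are ';'-separated and may be empty."""
    users = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles = {r.strip() for r in row["roles"].split(";") if r.strip()}
        users[row["user"].strip().lower()] = (row["auth"].strip().lower(), roles)
    return users


def audit(idp_csv, edgescan_csv, expected_role):
    """Compare Edgescan role assignments against IdP group membership.

    Returns a list of (user, code, detail) findings. Codes:
      NOT_IN_IDP    SSO user holds roles but is in no IdP group (likely offboarded)
      NO_ROLE       SSO user exists but has no role, so login grants no access
      EXTRA_ROLE    roles beyond what the user's IdP groups entitle
      MISSING_ROLE  roles the IdP groups entitle but Edgescan does not grant
      NO_ACCOUNT    IdP group member with no Edgescan account yet
    """
    idp = load_idp_groups(idp_csv)
    edgescan = load_edgescan_users(edgescan_csv)
    findings = []

    for user, (auth, roles) in sorted(edgescan.items()):
        if auth != "sso":
            continue  # local accounts are outside the IdP's lifecycle; audit them separately
        groups = idp.get(user, set())
        entitled = {expected_role[g] for g in groups if g in expected_role}
        if not groups:
            findings.append((user, "NOT_IN_IDP", f"holds {sorted(roles)}; remove roles or account"))
            continue
        if not roles:
            findings.append((user, "NO_ROLE", f"entitled to {sorted(entitled)}; assign in User Management"))
            continue
        extra = roles - entitled
        missing = entitled - roles
        if extra:
            findings.append((user, "EXTRA_ROLE", f"{sorted(extra)} not granted by {sorted(groups)}"))
        if missing:
            findings.append((user, "MISSING_ROLE", f"{sorted(missing)} expected from {sorted(groups)}"))

    for user, groups in sorted(idp.items()):
        if user not in edgescan:
            findings.append((user, "NO_ACCOUNT", f"in {sorted(groups)}; create or await auto-provisioning, then assign roles"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit(IDP_GROUPS_CSV, EDGESCAN_USERS_CSV, EXPECTED_ROLE):
        print(f"{code:13} {user:20} {detail}")
```

On the constructed data the script flags bob (Administrator role without an admin group), carol (auto-provisioned but never given a role), dave (no IdP group at all, the offboarding gap described above) and frank (in a group but not yet in Edgescan, the pre-assignment case); alice matches and erin is skipped as a local account. Run it against fresh exports on a schedule and treat every NOT_IN_IDP and EXTRA_ROLE finding as an access-removal task.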