SaaS Security Administrator's Guide
    : Onboarding Overview for Supported SaaS Apps
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security Administrator's Guide
    4. SaaS Security Posture Management
    5. Onboard SaaS Apps Supported by SSPM
    6. Onboarding Overview for Supported SaaS Apps
    Download PDF

    SaaS Security Administrator's Guide

    Onboarding Overview for Supported SaaS Apps

    Table of Contents

    Onboarding Overview for Supported SaaS Apps

    Before you onboard a SaaS app in SSPM, there are certain actions you must take.
    When you onboard a SaaS app to SSPM, you might be prompted to provide configuration information that SSPM uses to connect to the SaaS app. The required information varies from app to app. The following table describes the actions you must take to onboard a particular SaaS app to SSPM. For some supported SaaS Apps, more detailed onboarding instructions are available by following links that are provided in the table.
    SaaS App
    Before Onboarding, Complete the Following Actions
    During Onboarding, Complete the Following Actions
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. Multi-factor authentication (MFA) using one-time passcodes must be configured.
    1. Identify the user account that SSPM will use to connect to your Aha.io organization. The user account must be assigned to both the Account and Billing administrator roles.
    2. To enable SSPM to access the account using Okta credentials:
    3. Make note of your organization's Aha.io instance host name. After you log in to Aha.io, the instance host name is a unique subdomain included in the Aha.io URL. The URL format is
      <instance_host>
      .aha.io.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the instance host name.
    Alteryx Designer Cloud
    Complete the following steps to enable SSPM to connect to an Alteryx Designer Cloud API.
    1. Log in to Alteryx Designer Cloud as an administrator.
    2. Generate and copy an access token for your workspace. The token will inherit the access permissions of the administrator account.
    When prompted, provide SSPM with your workspace name and the access token.
    Identify the Aptible user account whose login credentials you will supply to SSPM. SSPM will use this account to access configuration information. The user must be assigned to the Rooms Collaborator role, or a role with greater permissions.
    When prompted, provide SSPM with the login credentials for the user account.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. To enable OAuth 2.0 authorization:
    1. Log in to an ArcGIS Developers portal (developers.arcgis.com) as a company administrator for ArcGIS Enterprise.
    2. Create an OAuth 2.0 application in ArcGIS, and copy the app credentials (Client ID and Client secret).
      In your application, specify a redirect URI for OAuth 2.0. The redirect URI to specify is available in SSPM from the Add Application page for an ArcGIS instance.
    1. When prompted, provide SSPM with the Client ID and Client secret for the app that you created on ArcGIS.
    2. When SSPM redirects you to the ArcGIS login page, log in to the administrator account and grant SSPM the requested access.
    Articulate Global
    Identify the Articulate Global administrator account whose login credentials you will supply to SSPM. SSPM will use this account to access configuration information. The administrator must be assigned to the Account Admin role.
    When prompted, provide SSPM with the login credentials for the user account.
    By onboarding an Atlassian app, you enable SSPM to scan your Jira and Confluence instances for connected third-party plugins. To enable these scans, you must also onboard the Jira app or onboard the Confluence app. From SSPM, you can then view the third party plugins for Jira or Confluence and take action if necessary.
    Complete the following steps to enable SSPM to connect to an Atlassian API.
    1. Log in to Atlassian using administrator credentials.
    2. Generate and copy an API token for the administrator account.
    3. Generate and copy an API key for your organization.
    When prompted, provide SSPM with the login email address of the Atlassian administrator who created the API token, the API token, and the API key.
    BambooHR
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the BambooHR administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Make note of your BambooHR company domain. After you log in to BambooHR, the company domain is a unique subdomain included in the BambooHR URL. The URL format is
      <subdomain>
      .bamboohr.com.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the company domain.
    Basecamp
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Basecamp to grant SSPM access. To grant SSPM the access that it requires, you must log in with an account that has Owner permissions.
    When SSPM redirects you to the Basecamp login page, log in to the administrator account and grant SSPM the requested access.
    Bitbucket
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Bitbucket to grant SSPM access.
    When SSPM redirects you to the Bitbucket login page, log in to the administrator account and grant SSPM the requested access.
    BlueJeans
    Complete the following steps to enable SSPM to connect to a BlueJeans API.
    1. Log in to a BlueJeans Enterprise administrator account.
    2. In BlueJeans Enterprise, create an enterprise app (
      ADMIN
      GROUP SETTINGS
      ENTERPRISE APPS
      ADD NEW APP
      )
    3. Copy the App Key and App Secret for your enterprise app.
    When prompted, provide SSPM with App Key and App Secret for your enterprise app.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Box administrator whose credentials you will supply to SSPM.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through the Okta identity provider. Having SSPM log in through Okta adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through Okta, provide SSPM with your organization's Okta subdomain and the MFA secret key.
    Bright Security
    Identify the Bright Security account whose login credentials you will supply to SSPM. The user must be assigned to the Admin or Owner role.
    When prompted, provide SSPM with the login credentials for the administrator account.
    Complete the following steps to enable SSPM to connect to a Celonis API.
    1. Log in to Celonis as an administrator.
    2. Generate and copy an API key. The API key will inherit the access permissions of the administrator account.
    3. Identify and copy your Celonis team domain URL.
    When prompted, provide SSPM with your Celonis team domain URL and the API key that you generated.
    Cisco Meraki
    Complete the following steps to enable SSPM to connect to a Cisco Meraki API.
    1. Log in to Cisco Meraki as an administrator with full organization access.
    2. Generate and copy an API key. The API key will inherit the access permissions of the administrator account. To generate a key, on your profile page, locate the API access section and
      Generate new API key
      .
    3. From your organization settings (
      Organization
      Settings
      ),
      Enable access to the Cisco Meraki Dashboard API
      .
    When prompted, provide SSPM with the API key that you generated.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the ClickUp administrator account whose login credentials you will supply to SSPM.
    2. (
      Optional
      ) Configure the administrator account to require MFA using an authenticator app. Copy the MFA secret key that is used to generate one-time passcodes.
    When prompted, provide SSPM with your administrator credentials and, optionally, the MFA secret key.
    Confluence
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Confluence administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    To enable SSPM to scan your Confluence instance for connected third-party plugins, you must also onboard the Atlassian app.
    When prompted, provide SSPM with your organization's Okta subdomain, the administrator credentials, and the MFA secret key.
    Contentful
    Complete the following steps to enable SSPM to connect to a Contentful API.
    1. Log in to a Contentful administrator account.
    2. Generate and copy an access token. The token will inherit the access permissions of the administrator account.
    When prompted, provide SSPM with the access token.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Convo administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta subdomain, the administrator credentials, and the MFA secret key.
    Couchbase
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the administrator account whose credentials you will supply to SSPM. The administrator must be assigned to the Organization Owner role.
    2. Identify your Couchbase tenant ID.
    When prompted, provide SSPM with your Couchbase tenant ID and the administrator login credentials.
    Complete the following steps to enable SSPM to connect to a Coveo API.
    1. Log in to a Coveo administrator account.
    2. Generate and copy an API key for your organization. Configure the key to have Admin privileges to your organization's Groups. To do this, when configuring the API key, select
      Privileges tab
      Preset
      Admin
      .
    3. Identify your Organization ID. To do this, on the Coveo administration console, select
      Organization
      Settings
      Organization
      .
    When prompted, provide SSPM with your Coveo organization ID and the API key.
    Crowdin Enterprise
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Crowdin Enterprise administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your organization's Crowdin Enterprise domain name.
    When prompted, provide SSPM with your organization's domain name, Okta domain, the administrator credentials, and the MFA secret key.
    Customer.io
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Customer.io administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Databricks
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Databricks administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Complete the following steps to enable SSPM to connect to a Datadog API.
    1. Log in to a Datadog administrator account, noting your Datadog region.
    2. Generate an API key and the Application key. The Application key will inherit the access permissions of the administrator account. The administrator must have the following permissions:
      • Org Management
      • User App Keys
      • API Keys Read
      • API Keys Write
    When prompted, provide SSPM with your Datadog region, the API key, and the Application key.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the user account that SSPM will use to connect to your DocHub organization. The user account must be assigned to the DocHub Owner or Admin role for your organization.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the user credentials, and the MFA secret key.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to DocuSign to grant SSPM access.
    When SSPM redirects you to the DocuSign login page, log in to the administrator account and grant SSPM the requested access.
    Dropbox Business
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Dropbox Business administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Team Admin role
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Envoy administrator whose credentials you will supply to SSPM. To grant SSPM the access that it requires, you must log in with an account that has Global Admin permissions.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Expiration Reminder
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Expiration Reminder administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Gainsight administrator account whose login credentials you will supply to SSPM. The account must have full administrative privileges.
    2. Copy your Gainsight subscription ID. To find your subscription ID, log in to Gainsight and select
      Administration
      SET UP
      Company & Timezone
      .
    When prompted, provide SSPM with the administrator login credentials and subscription ID.
    Github Enterprise
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Github Enterprise administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Enterprise Owner role.
    2. Generate and copy an MFA secret key. From the administrator profile settings, select
      Password and authentication
      Enable two-factor authentication
      Set up using an app
      . Copy the MFA secret key for SSPM onboarding, and also configure an authenticator app with the MFA secret key.
    3. Identify the GitHub Enterprise organization to scan.
    When prompted, provide SSPM with the administrator credentials, MFA secret key, and the name of the organization that you want SSPM to scan.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Log in to a Gitlab administrator account.
    2. Generate and copy an access token for your organization. Configure the token to have read access to the API.
    3. Identify and copy your organization's domain URL. In your login URL, your organization domain URL appears after the "https://" scheme and before any backslash character. For example, https://
      <organization-name-URL>
      /users/sign_in.
    When prompted, provide SSPM with your the access token and your organization domain URL.
    Google Analytics
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Google Analytics to grant SSPM access. From the account settings, copy the administrator Account ID.
    When prompted, provide SSPM with the administrator Account ID. When SSPM redirects you to the Google Analytics login page, log in by using the administrator account and grant SSPM the requested access.
    Google Workspace
    Complete the following steps to enable SSPM to connect to a Google Workspace API through OAuth 2.0 authorization.
    1. Identify an administrator account that you will use to log in to Google Workspace.
    2. Identify the Google Workspace organizational unit to scan. To view the organizational units in your Google Workspace instance, from the Google Admin console, select
      Directory
      Organizational Units
      .
    When prompted, specify the Google Workspace organization to scan. When SSPM redirects you to the Google Workspace login page, log in to the administrator account and grant SSPM the requested access.
    GoTo Meeting
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to GoTo Meeting to grant SSPM access.
    When SSPM redirects you to the GoTo Meeting login page, log in to the administrator account and grant SSPM the requested access.
    Grammarly
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Grammarly administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Complete the following steps to enable SSPM to connect to a Harness API.
    1. Log in to a Harness account that is assigned to the Account Admin role. The account must have permission to View and to Create/Edit authentication settings.
    2. Generate and copy an API key. The API key will inherit the access permissions of the administrator account.
    When prompted, provide SSPM with your API key.
    Hellonext
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the administrator account whose login credentials you will supply to SSPM.
    2. Identify your Hellonext organization name. To identify your organization name in Hellonext, locate your profile icon and select
      <profile-icon>
      Switch Organization
      .
    When prompted, provide SSPM with the administrator credentials and the organization name.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the IDrive administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Informatica Address Doctor
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Informatica Address Doctor administrator account whose login credentials you will supply to SSPM.
    2. Identify your Informatica Address Doctor tenant ID, which is included in your login URL.
    When prompted, provide SSPM with the tenant ID and the administrator login credentials.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Intercom administrator account whose login credentials you will supply to SSPM.
    2. Identify your Intercom region where your data is hosted.
    When prompted, provide SSPM with the administrator login credentials and your region.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Jira administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    To enable SSPM to scan your Jira instance for connected third-party plugins, you must also onboard the Atlassian app.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Kanbanize
    Complete the following steps to enable SSPM to connect to a Kanbanize API.
    1. Log in to Kanbanize as the account owner and generate the API key.
    2. Make note of your organization's Kanbanize host name. After you log in to Kanbanize, the host name is a unique subdomain included in the Kanbanize URL. The URL format is
      <subdomain>
      .kanbanize.com.
    When prompted, provide SSPM with your organization's Kanbanize host name and the API key.
    Kanban Tool
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Kanban Tool administrator whose credentials you will supply to SSPM. The administrator must have either Account administrator or Account owner permissions.
    2. To enable SSPM to access the account using Okta credentials:
    3. Make note of your organization's Kanban Tool instance hostname. After you log in to Kanban Tool, the instance host name is a unique subdomain included in the Kanban Tool URL. The URL format is
      <instance_host>
      .kanbantool.com
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the instance host name.
    Kustomer
    Complete the following steps to enable SSPM to connect to a Kustomer API.
    1. Log in to Kustomer as an administrator and generate the API key. When you are configuring the key, select Roles as org.permission.
    2. Make sure you know the region (US or EU) where your organization instance was deployed.
    When prompted, provide SSPM with your organization's region and the API key that you generated.
    Lokalise
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Lokalise administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Owner role in Lokalise.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your Lokalise team domain.To identify your Lokalise team domain, select
      <profile-icon>
      Team settings
      Advanced security
      .
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the team domain.
    Microsoft Azure AD
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Azure to grant SSPM access. To grant SSPM the access that it requires, you must log in with an account that has Microsoft Global Admin permissions.
    When SSPM redirects you to the Microsoft login page, log in to the Global Admin account and grant SSPM the requested access.
    Microsoft Exchange
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Microsoft Exchange app individually gives you greater visibility into Microsoft Exchange settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Microsoft OneDrive
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Microsoft OneDrive app individually gives you greater visibility into Microsoft OneDrive settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Microsoft Outlook
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Microsoft Outlook app individually gives you greater visibility into Microsoft Outlook settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Microsoft SharePoint
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Microsoft SharePoint app individually gives you greater visibility into Microsoft SharePoint settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Microsoft Teams
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Microsoft Teams app individually gives you greater visibility into Microsoft Teams settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Complete the following steps to enable SSPM to connect to a Miro API. SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization.
    1. In Miro (Enterprise plan), log in as a Company Admin.
    2. Create an app in Miro, and copy the app credentials (Client ID and Client secret). Configure the app to these specifications:
      • Specify a redirect URI for OAuth 2.0 authentication. The redirect URI to specify is available in SSPM from the Add Application page for a Miro instance.
      • Allow only the following scope permissions for the app:
        organizations:teams:read
        boards:read
    1. When prompted, provide SSPM with the Client ID and Client secret for the app that you created on Miro.
    2. When SSPM redirects you to the Miro login page, log in to the administrator account and grant SSPM the requested access.
    monday.com
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the monday.com administrator account whose login credentials you will supply to SSPM.
    2. Identify the account domain for the administrator account. After you log in to monday.com, this domain is part of your monday.com URL in the format
      <account_domain>
      .monday.com. In your profile, the account domain is shown in the Account URL (Web Address) field.
    3. (
      Optional
      ) Configure the administrator account to require multi-factor authentication (MFA) using an authenticator app, and copy the MFA secret key.
    When prompted, provide SSPM with your administrator credentials and your account domain. If the administrator account is configured for MFA, provide SSPM with the MFA secret key.
    MongoDB Atlas
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the MongoDB Atlas administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Organization Owner role in MongoDB Atlas.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    MuleSoft
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the MuleSoft administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your MuleSoft organization domain name. You can navigate to your organization information from the Mulesoft Access Management page.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the organization domain name.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Mural to grant SSPM access. You must log in as a workspace admin.
    When SSPM redirects you to the Mural login page, log in to the workspace admin account and grant SSPM the requested access.
    Nintex Workflow Cloud
    Complete the following steps to enable SSPM to connect to a Nintex Workflow Cloud API.
    1. Log in to a Nintex Workflow Cloud account that is assigned to the Global administrator role.
    2. From the Apps and Tokens page in your Nintex Workflow Cloud settings, add an app.
    3. Copy the Client ID and the Client Secret that is associated with your app.
    When prompted, provide SSPM with the Client ID and the Client Secret that is associated with your app.
    Office 365
    Connecting to Office 365 enables SSPM to scan settings at a high level based on Microsoft's Secure Score. For greater visibility into a particular application in the Office 365 product family, onboard the individual product app. By adding an individual product app, you enable SSPM to scan more settings for the particular product. To scan more settings for Microsoft Word, Microsoft PowerPoint, and Microsoft Excel, onboard
    Office 365 - Productivity Apps
    . Other products in the Office 365 product family have their own tiles on the Applications page and can be onboarded separately.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Office 365 to grant SSPM access. The administrator must be assigned to the all of the following roles:
    • Global Administrator
    • Security Administrator
    • User Administrator
    When SSPM redirects you to the Office 365 login page, log in to the administrator account and grant SSPM the requested access.
    Office 365 - Productivity Apps
    High-level configuration scanning across Office 365 products is available by adding the Office 365 app. Adding the Office 365 - Productivity Apps gives you greater visibility into Microsoft Word, Microsoft PowerPoint, and Microsoft Excel settings.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Microsoft 365 administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    When prompted, provide SSPM with the administrator credentials. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Complete the following steps to enable SSPM to connect to an Okta API.
    1. Log in to Okta as an administrator assigned to the Super Admin role.
    2. Create and copy an API token. This token will inherit the Super Admin access permissions of the administrator.
    3. Identify your Admin URL, which is your subdomain plus -admin (https://
      <subdomain>
      -admin.okta.com).
    When prompted, provide SSPM with your Admin instance URL and the API token.
    PagerDuty
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify a PagerDuty administrator whose credentials you will supply to SSPM.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    5. Determine if your account has a personalized PagerDuty subdomain. If it does, the subdomain will be shown as part of your PagerDuty URL (
      <subdomain>
      .pagerduty.com).
    6. Make sure you know the region (US or EU) where PagerDuty hosts your accounts.
    When prompted, provide SSPM with the following information:
    • The administrator credentials.
    • Your PagerDuty subdomain, if one is configured for your account. If you do not have a personalized subdomain, leave the associated field blank.
    • Your region.
    If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Ping Identity
    Complete the following steps to enable SSPM to connect to a Ping Identity API.
    1. Log in to Ping Identity as an administrator assigned to either the Organization Admin or Environment Admin role.
    2. Create a Ping Identity worker application, which will inherit your role assignments and enable access to the API. Copy the application's Client ID and Client Secret.
    3. Copy your Environment ID and Region, which are shown on your environment page in Ping Identity.
    When prompted, provide SSPM with the following information:
    • The Client ID and Client Secret of the worker application
    • Your Environment ID and Region
    Pipedrive
    Enable SSPM to connect to a Pipedrive API. Log in to Pipedrive as an administrator and copy the administrator's personal API token.
    When prompted, provide SSPM with the API token.
    Pivotal Tracker
    Complete the following steps to enable SSPM to connect to a Pivotal Tracker API.
    1. Log in to Pivotal Tracker as an administrator.
    2. Generate and copy an API token.
    When prompted, provide SSPM with the API token.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Power BI administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Global Admin role.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Qualtrics XM
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Qualtrics XM administrator whose credentials you will supply to SSPM. The account must have Brand Administrator authority.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your Organization ID. After you log in to Qualtrics XM, your organization ID is included in the Qualtrics XM URL. The URL format is
      <org-ID>
      .qualtrics.com.
    4. Identify your SSO display name. To get the display name, go to
      Admin
      Organization Settings
      SSO
       and open the
      Edit
       page for the SSO connection.
    When prompted, provide SSPM with the following information:
    • The administrator credentials
    • The MFA secret key
    • Your Okta subdomain
    • Your Organization ID
    • Your SSO display name. If you do not have an SSO display name, leave the field blank.
    Redis Labs
    Complete the following steps to enable SSPM to connect to a Redis Labs API.
    1. Log in to Redis Labs as a user assigned to the Owner role.
    2. Generate and copy an API Account key and an API User key.
    When prompted, provide SSPM with the API Account key and the API User key.
    RingCentral
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the RingCentral administrator whose Okta credentials you will supply to SSPM. The administrator must be assigned to the Super Admin role.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Salesforce
    Complete the following steps to enable SSPM to connect to a Salesforce API through OAuth 2.0 authorization.
    1. Identify the user account that you will use to log in to Salesforce to grant SSPM access. To grant SSPM the access it needs, the user account must have the following permissions:
      • Manage Health Check
      • Manage Multi-Factor Authentication in User Interface
      • Manage Users
      • API Enabled
      • Download AppExchange Packages
      • View Real-Time Event Monitoring Data
    2. Copy your organization's instance URL. The instance URL has the format https://
      <instance_name>
      .my.salesforce.com
    1. When prompted, provide SSPM with your organization's Salesforce instance URL.
    2. When SSPM redirects you to the Salesforce login page, log in to the administrator account and grant SSPM the requested access.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the SAP Ariba account whose login credentials you will supply to SSPM during onboarding. The account must have administrator permissions to the SAP Ariba realm that you want SSPM to scan.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through Microsoft Azure. Having SSPM log in through Microsoft Azure adds an extra layer of security by requiring MFA using one-time passcodes.
    3. Identify the name of your SAP Ariba realm and, if SSPM will be logging in directly and not through Azure, the fully qualified domain name (FQDN). After you log in to SAP Ariba, a realm query parameter of the URL shows your realm name. The URL also shows the FQDN.
    When prompted, provide SSPM with the administrator credentials and your realm name. If SSPM will connect to the account by using direct login, select the FQDN for your SAP Ariba instance. If SSPM will connect to the account through Microsoft Azure, specify the information that SSPM needs for MFA.
    Segment
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the user account whose login credentials you will supply to SSPM. The account must be assigned to the Workspace Owner role.
    2. If multi-factor authentication (MFA) is configured for the user account:
      1. Make sure MFA is configured for one-time passcodes and authenticator apps and not for text messages.
      2. Copy the MFA secret key for the account.
    When prompted, provide SSPM with the user credentials. If MFA is configured for the user, provide the MFA secret key. If MFA is not configured for the user, leave the MFA Secret Key field empty.
    Sentry
    Complete the following steps to enable SSPM to connect to a Sentry API.
    1. Log in to Sentry using an account that is assigned to the Admin role.
    2. Generate and copy an authentication token. Limit token access to the org:read scope.
    When prompted, provide SSPM with the authentication token.
    ServiceNow
    Complete the following steps to enable SSPM to connect to a ServiceNow API through OAuth 2.0 authorization.
    1. In ServiceNow, log in as an administrator and navigate to the Application Registries page (
      System OAuth
      Application Registry
      ).
    2. Register a new OAuth application (
      New
      Create an OAuth API endpoint for external clients
      ).
      • Configure the application with a redirect URI for OAuth 2.0 authentication. The redirect URI to specify is available in SSPM from the Add Application page for a ServiceNow instance.
      • Copy the application credentials (Client ID and Client secret).
    3. Identify your ServiceNow instance URL. The instance URL has the format https://
      <instance_name>
      .service-now.com.
    1. When prompted, provide SSPM with your ServiceNow instance URL and the Client ID and Client secret for the application that you registered.
    2. When SSPM redirects you to the ServiceNow login page, log in to the administrator account and grant SSPM the requested access.
    ShareFile
    Complete the following steps to enable SSPM to connect to a ShareFile API.
    1. Log in to ShareFile using an account that has Access company account permissions.
    2. Create an API key and copy the credentials (Client ID and Client Secret) that are associated with the key.
    When prompted, provide SSPM with the Client ID and Client Secret.
    Slack Enterprise
    Complete the following steps to enable SSPM to connect to a Slack Enterprise API.
    1. Log in to Slack Enterprise as an administrator assigned to the Org Admin role or a role with greater permissions.
    2. Navigate to the Your Apps page, and create an app:
      1. In the Create an app dialog, specify that you want to create the app from scratch.
      2. Navigate to the OAuth and Permissions settings, and, under Bot Token Scopes, add the
        team:read
         OAUTH scope.
      3. Navigate to the Org Level Apps settings and Opt in to the org apps program.
      4. Navigate back to the OAuth and Permissions settings, and, under User Token Scopes, add the
        admin.teams:read
        ,
        auditlogs:read
        , and
        team:read
         OAUTH scopes.
    3. Install your app across your organization's workspaces to generate the User OAuth Token. Copy the User OAuth Token and paste it into a text file.
    When prompted, provide SSPM with the User OAuth Token that you generated.
    Snowflake
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    • Identify the Snowflake user account whose login credentials you will supply to SSPM. The user must be assigned to both the ACCOUNTADMIN and ORGADMIN roles.
    • Identify your Snowflake account name.
    When prompted, provide SSPM with the login credentials for the user account and your Snowflake account name.
    SparkPost
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the SparkPost administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Splunk Cloud
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Splunk administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your Splunk app domain, which is a subdomain included in the Splunk Cloud URL. The URL format is
      <app_domain>
      .cloud.splunk.com or
      <app_domain>
      .splunkcloud.com.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and the Splunk app domain.
    Sumo Logic
    Complete the following steps to enable SSPM to connect to a Sumo Logic API.
    1. Log in to Sumo Logic as an administrator.
    2. Generate an access key, which will inherit the access permissions of the administrator account. The access key will have an associated access ID. Copy both the access ID and access key.
    When prompted, provide SSPM with the access ID and access key.
    Syncplicity
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Syncplicity to grant SSPM access.
    When SSPM redirects you to the Syncplicity login page, log in to the administrator account and grant SSPM the requested access.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Tableau administrator whose credentials you will supply to SSPM. The administrator must be assigned to the Site Administrator Creator role.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. SSPM can log in by using Okta or Microsoft Azure as an identity provider. Having SSPM log in through an identity provider adds an extra layer of security by requiring MFA using one-time passcodes.
    3. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    5. Identify your Tableau app subdomain, which is included in the Tableau URL The URL format is
      <app_domain>
      .online.tableau.com
    When prompted, provide SSPM with the administrator credentials and the app subdomain. If SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Terraform
    Complete the following steps to enable SSPM to connect to a Terraform API.
    1. Log in to Terraform Cloud as an organization owner.
    2. Generate and copy a user API token. The token will inherit the access permissions of the organization owner account.
    When prompted, provide SSPM with the API token.
    TextExpander
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the TextExpander administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    Tresorit
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Tresorit administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, and the MFA secret key.
    VMWare
    Complete the following steps to enable SSPM to connect to a VMWare API.
    1. Log in to VMWare Cloud Services using an account that is assigned to the Organization Owner role.
    2. Generate and copy an API token for the organization. Configure the API key to these specifications:
      • Limit Organization Roles access to the Organization Owner role.
      • Limit Service Roles to Skyline Advisor.
      • Select the OpenID scope.
      • (
        Optional
        ) Select the email preference option to be notified when the token is about to expire.
    3. Copy your Organization ID, which you can access from your profile.
    4. (
      Optional
      ) Activate MFA for tokens that are associated with the account, and copy the MFA secret key for the account.
    When prompted, provide SSPM with the API token and your organization ID. If you configured MFA for tokens, also provide your MFA secret key.
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the WebEx administrator whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your organization ID. In the Webex Control Hub, your organization ID is included under your Company Information.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and your organization ID.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization and a custom report. Complete the following steps as a Security Administrator.
    1. To enable OAuth 2.0 authorization, create an API client application, an integration system user, and an integration system security group.
    2. To enable SSPM to scan your Workday instance, create a custom report and expose the report as a web service.
    When prompted, provide SSPM with the following information:
    • The application credentials (Client ID and Client Secret) and the authorization and token endpoints for your API client application.
    • The web service URL for your custom report.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Log in to Wrike as an administrator, and navigate to the API Apps page (www.wrike.com/frontend/apps/index.html).
    2. Create an OAuth 2.0 application in Wrike, and copy the app credentials (Client ID and Client secret).
      In your application, specify a redirect URI for OAuth 2.0. The redirect URI to specify is available in SSPM from the Add Application page for a Wrike instance.
    1. When prompted, provide SSPM with the OAuth 2.0 application credentials (Client ID and Client Secret). Also provide the email ID for the Wrike administrator who created the OAuth 2.0 application.
    2. When SSPM redirects you to the Wrike login page, log in to the administrator account and grant SSPM the requested access.
    YouTrack
    Complete the following steps to enable SSPM to connect to a YouTrack API.
    1. Identify your YouTrack instance name. In your login URL, your instance name is shown as a subdomain of the URL (
      <instance>
      .youtrack.cloud).
    2. Log in to YouTrack using an account that is assigned to the System Admin role.
    3. Generate and copy a permanent token for the account. Configure the permanent token to include the following scopes:
      • YouTrack
      • YouTrack Administration
    When prompted, provide SSPM with the YouTrack instance name and the permanent token.
    Complete the following steps to enable SSPM to access configuration information through an administrator account.
    1. Identify the Zendesk user whose credentials you will supply to SSPM. The user must have Administrator or Agent access for Zendesk Support.
    2. Determine whether you want SSPM to log in to the administrator account directly, or through an identity provider. If you configure the connection for direct login, you can optionally add an extra layer of security by requiring MFA using one-time passcodes. If you configure the connection for log in through an identity provider, MFA is required. SSPM can log in by using Okta or Microsoft Azure as an identity provider.
    3. (
      Direct login with MFA only
      ) From the Security Settings tab in your Zendesk profile, set up 2FA. Select Authenticator app as your 2FA method. While also setting up 2FA on your cellphone, copy the secret key to provide to SSPM.
    4. (
      Okta onboarding only
      ) To enable SSPM to access the account using MFA:
    6. Identify the Zendesk subdomain. Unless you enabled the host-mapping feature in Zendesk, your subdomain is included in your account's URL. The URL format is
      <subdomain>
      .zendesk.com.
    When prompted, provide SSPM with the administrator credentials and your Zendesk subdomain. If you configured MFA for Zendesk, or if SSPM is connecting to the account through an identity provider, specify the information that SSPM needs for MFA.
    Zoho One
    Complete the following steps to enable SSPM to access configuration information through an administrator account. Your organization must be using Okta as an identity provider. MFA using one-time passcodes must be configured.
    1. Identify the Zoho One administrator account whose credentials you will supply to SSPM.
    2. To enable SSPM to access the account using Okta credentials:
    3. Identify your Zoho One region where your data is hosted. This information is available on the account profile page.
    When prompted, provide SSPM with your organization's Okta domain, the administrator credentials, the MFA secret key, and your region.
    Zoho WorkDrive
    Complete the following steps to enable SSPM to access configuration information through OAuth 2.0 authorization.
    1. Identify the account that you will use to log in to Zoho WorkDrive. The account must be assigned to the Admin role.
    2. Identify the Zoho WorkDrive domain. which is the region where your data is hosted.
    1. When prompted, provide SSPM with your region.
    2. When SSPM redirects you to the Zoho WorkDrive login page, log in by using the administrator account and grant SSPM the requested access.
    SSPM connects to an API and accesses configuration information through OAuth 2.0 authorization. Identify the administrator account that you will use to log in to Zoom. The account must have the following permissions:
    • Users: View
    • Account settings: View and Edit
    • Account Profile: View and Edit
    • Security: View and Edit
    When SSPM redirects you to the Zoom login page, log in to the administrator account and grant SSPM the requested access.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.