IN THIS ARTICLE


General FAQs


Is there a difference in the quality of tool discovery between integration via SSO or ERP/Accounting, and can they be enabled simultaneously?


In terms of quality, both are advantageous and can be set up together. ERP/Accounting integration shows paid tools, while SSO integration includes other tools, such as tools registered for trial purposes. The former pulls spend information and invoices (if available), while the latter pulls only the tool or subscription name. 


Which SSO integration based discovery does Sastrify currently support?


Sastrify currently offers an integration with 4 major SSO providers: Google Workspace, Microsoft, Okta, and JumpCloud.


Which Sastrify user role do you need to set up the integration?


You need to be an admin in both Sastrify and SSO tool you want to integrate with to be able to connect the integration.


When are new tools discovered?


SSO integrations detect new tools when a user from the company uses the SSO method to authenticate. If the identified tool is part of the recognized list of Sastrify SaaS providers and the company does not have a subscription for this tool before, a new subscription will be generated.


Can I connect to multiple SSO providers?


You have the ability to connect to multiple SSO providers for Tool Discovery. For example, you can enable 2 providers at the same time, such as Google and Microsoft Discoveries. And the results are displayed in the Discovered tab within the Tool Stack. Each discovery is tagged with its source, allowing you to identify the SSO integration provider that facilitated the tool discovery. This feature greatly enhances your understanding of the origin of each tool discovery.


Can I connect to the same SSO provider multiple times?


No, you cannot. Connecting to the same provider multiple times is not possible. While you can connect to Google, Microsoft, Okta, and JumpCloud individually, it is not possible to connect to these providers multiple times. For example, connecting to Google more than once (e.g. for different entities) is not an option.


Once an integration is established, does the connection need to be "refreshed"?    


Customers only need to connect to a single sign-on (SSO) integration once. After that, we retain the "refresh token," which allows us to access the Google, Microsoft, Okta, or JumpCloud APIs on the user's behalf and attempt to retrieve new subscriptions on a weekly basis. However, it's important to note that certain events can cause the "refreshed_token" to expire. 


As a customer, how will I be notified when new subscriptions are discovered through the SSO integration? Do I receive notifications or emails?


Currently, we do not send any notifications (via email or Slack) about the discovery of new subscriptions. In the Tool Stack, you will simply see the number of "Discovered" tools and how and when they are discovered.


What happens if a tool has not been used recently (e.g., in the last 60 days)?


Single sign-on (SSO) integrations, such as those for Google, Microsoft, Okta, or JumpCloud, do not specifically track user activity. Instead, they look at the number of users authorized to use each tool with their respective credentials (e.g., Google or Microsoft credentials). 



Google SSO Discovery FAQs


What are the conditions for Google integration to detect or discover new tools?


Google Workspace SSO integration automatically discovers new tools when Google user accounts associated with the company (under the same domain) use the Google Workspace Single Sign-On (SSO) login method to authenticate to any SaaS products or services. 

If a tool or vendor is listed in Sastrify's extensive SaaS vendor database and you do not have a subscription listed in the main subscription list, Sastrify will create the new tool and place it under the "Discovered" page.


How often should the integration or connection be refreshed to make sure new subscriptions are always discovered and added to the platform?


You only need to set up the connection for the Google Workspace integration once. After the initial setup, Sastrify stores the generated "refresh token," which allows us to check and fetch new subscriptions on a weekly basis.


What happens if there is a tool that used to be accessed via Google SSO authentication, but has not been used in the last 30-60 days? Will the integration still pull it into Sastrify?


Yes, the Google Workspace integration does not consider user activity or frequency of access when pulling tools into Sastrify. It will capture all successful logins.


Can the integration distinguish between tools that are actively used and those that are in a trial phase, and only pull the active ones?


No, it does not make such a distinction. The integration detects all tools, but only displays those that have matches in Sastrify's extensive database.


Why does Google SSO Discovery not detect a Google Cloud subscription even though it is an active IaaS hosting used by our company?

 

This is because Google treats GCP as an internal application since it is a Google product and not an external one. These external applications (i.e. your other SaaS tools), when accessed by the authentication method of your choice, in this case Microsoft, usually trigger an open standard protocol or an authorization protocol that governs SSO access. These same protocols are used by Sastrify's tool discovery integration to detect and discover tools. GCP has a different access framework and is therefore not detected by the integration.



Microsoft SSO Discovery FAQ


What roles do you need to set up and configure discovery integration for Microsoft?



Why does Microsoft SSO Discovery not detect a Microsoft Azure subscription even though it is an active IaaS hosting used by our company?

 

This is because Microsoft treats MS Azure as an internal application since it is a Microsoft product and not an external one. These external applications (i.e. your other SaaS tools), when accessed by the authentication method of your choice, in this case Microsoft, usually trigger an open standard protocol or an authorization protocol that governs SSO access. These same protocols are used by Sastrify's tool discovery integration to detect and discover tools. Azure has a different access framework and is therefore not detected by the integration.




Okta SSO Discovery FAQ


What permissions do I need to grant the API token for Okta integrations?


Sastrify will need read-only access to the following endpoints:

  • /api/v1/apps
  • /api/v1/apps/{appid}/users
  • /api/v1/users
  • /api/v1/logs


JumpCloud SSO Discovery FAQ


Where can I locate my API Key?


To locate your API Key:

  1. Log into the JumpCloud Admin Console.
  2. Go to the username drop down located in the top-right of the Console.
  3. Retrieve your API key from API Settings.

This API key is associated to the currently logged in administrator. Other admins will have different API keys.