When adding a new user to Trellix ePO SaaS with an IDP (Identity Provider) enabled, the process changes slightly compared to standard ePO user management because authentication is delegated to your IDP (such as Azure AD, Okta, or PingOne). Please refer to the step-by-step explanation below:
Understanding ePO SaaS with IDP Enabled
IDP (Identity Provider) Integration
- ePO SaaS uses SAML 2.0 or OIDC to delegate authentication to your corporate IDP.
- This means user credentials are not stored in ePO. ePO relies on the IDP to verify identity.
User Management in ePO
- You cannot create standard ePO users (with a local username/password) if IDP is enforced.
- All users must exist in your IDP first. ePO can then assign roles/permissions to these users.
Steps to Add a New User
1. Create User in Your IDP
- Add the user in your corporate directory (Azure AD, Okta, etc.).
- Ensure the user’s email or username matches the ePO SaaS IDP mapping.
2. Assign User to the ePO SaaS App in IDP
- In your IDP, ensure the user is assigned access to the ePO SaaS application.
3. Log into ePO SaaS for the First Time
- User goes to the ePO SaaS URL.
- They will be redirected to your IDP login page.
- After successful authentication, they are redirected back to ePO.
4. Assign Roles in ePO SaaS
- Navigate to Menu → User Management → Users.
- The new user should appear automatically once they log in for the first time.
- Assign appropriate roles (Admin, Auditor, Operator, Custom) according to their responsibilities.
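As an added illustration (not from the original post or from Trellix), the following Python script parses a constructed SAML assertion of the kind an IDP returns at step 3 and checks that the NameID and email attribute the IDP sends match the directory record from step 1 and that the assertion is addressed to ePO SaaS; the audience entity ID, attribute name and email addresses are assumed placeholders, and a mismatch here is the usual reason a user does not appear in ePO at step 4.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed placeholder values: the real ePO SaaS SP entity ID and the
# attribute used by the IDP mapping come from your tenant configuration.
EXPECTED_AUDIENCE = "urn:example:epo-saas-sp"
EMAIL_ATTR = "email"

# Constructed sample assertion, as an IDP might return it after step 3.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>urn:example:epo-saas-sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _norm(value):
    # Email comparison is case-insensitive; whitespace from the IDP is ignored.
    return (value or "").strip().lower()


def check_idp_mapping(assertion_xml, directory_email):
    """Return a dict of named checks (True = pass) for the IDP-to-ePO user mapping."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    email_values = [
        v.text
        for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
        if a.get("Name") == EMAIL_ATTR
        for v in a.findall("saml:AttributeValue", NS)
    ]
    return {
        "nameid_present": bool(name_id),
        "nameid_matches_directory": _norm(name_id) == _norm(directory_email),
        "email_attr_matches_nameid": any(_norm(v) == _norm(name_id) for v in email_values),
        "audience_is_epo": EXPECTED_AUDIENCE in audiences,
    }


if __name__ == "__main__":
    for check, ok in check_idp_mapping(SAMPLE_ASSERTION, "jane.doe@example.com").items():
        print(f"{'PASS' if ok else 'FAIL'}: {check}")
```

Run it against an assertion captured from your own IDP test login (for example via the browser's SAML tracer) with the user's directory email to confirm the mapping before asking the user to sign in.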
Summary:
With IDP enabled, you don’t add users directly in ePO SaaS. You add them in the IDP, assign them access to ePO SaaS, and then manage their roles and permissions inside ePO.