Data Validation Steps: Matching Accounts in Lumos

Last updated: October 8, 2024

If you are looking to verify that the data in Lumos matches another source, this is the article for you! Use the steps below to verify that the number of users with a specific role, the active counts, or the overall account numbers match your Source of Truth (IdP) or your Service Provider.

 

Some questions to get you started: 

What are you trying to match to?

  • Service Provider

    • Total number of accounts

    • Total number of active accounts

    • Number of accounts with a specific (e.g. admin) role?

  • IdP

    • Total number of accounts

    • Total number of active accounts

    • Number of accounts with a specific (e.g. admin) role?

 

Matching Your Service Provider to Lumos

Total number of accounts

  • Go to the App page for the service provider (Manage>Apps>Use the Search bar to Search all Apps for the App you are looking for)

    NOTE: You may see more than one result returned, depending on the App source. You may have an IdP-sourced App (e.g. Okta-sourced Adobe) and a direct integration App (e.g. you connected the integration to Adobe). You may even have shadow-sourced results. If you want to know more about merging Apps, see 📄 How-To: Merge Apps. For our purposes, we are looking to match the App (integration) with Lumos, so select the App that has the Lumos integration as its source or, alternatively, select the merged App that includes the Lumos integration, and proceed to the next step.

  • If this is a merged App (IdP-sourced with Lumos-integration): Filter source to Lumos integration to compare Lumos to exactly what you're seeing in the service provider

  • Look at the number at the bottom right-hand corner and record the amount or take a screenshot for your records. This is the number that you will compare to your total number of accounts from your Service Provider.

Total number of active accounts

  • Go to the App page for the service provider (e.g. Manage>Apps>Adobe)

  • Filter Account Status: All Active Statuses

  • Look at the number at the bottom right-hand corner and record the amount or take a screenshot for your records. This is the number that you will compare to your total number of active accounts from your Service Provider.

Number of accounts with a specific role (e.g. admin)

  • Go to the App page for the service provider in Lumos (e.g. Manage>Apps>Adobe)

    • Filter by Role: If Role data persists from the service provider this is what you would filter by (administrative roles, for example) OR

    • Filter by Group: For Integrated Apps that have been merged with your IdP: If your IdP dictates the role based on group membership, you will want to filter by Group

  • Look at the number at the bottom right-hand corner and record the amount or take a screenshot for your records. This is the number that you will compare to your total number of accounts in a specific role from your Service Provider.

 

What if I do all the above and my accounts still don’t match? We hear you - see path to follow below:

  • Jump to FAQs: Matching in Lumos

  • If the above reasons do not apply, please contact your CSM and provide them with the following information:

    • What you're trying to match (accounts, active accounts, accounts with specific roles)

    • An export of the CSV from your service provider with the accounts you want to match (same day)

Your CSM may have further questions for you but rest assured, we’ve got you covered!

 

Matching Your IdP to Lumos

Total number of accounts

  • Go to the App page for the service provider (e.g. Manage>Apps>Adobe)

  • Filter source to IdP-Sourced if you explicitly want to compare Lumos to exactly what you're seeing in your IdP

  • Look at the number at the bottom right-hand corner. This is the number you will compare to what you find in your IdP.

Total number of active accounts

  • Go to the App page for the service provider (e.g. Manage>Apps>Adobe)

  • Filter source to IdP-Sourced

  • Filter Account Status: Access created, Active, and Staged

  • Look at the number at the bottom right-hand corner. This is the number you will compare to what you find in your IdP.

Number of accounts with a specific (e.g. admin) role

  • Go to the App page for the service provider (e.g. Manage>Apps>Adobe)

  • Filter source to IdP-Sourced

  • Filter by Group: If your IdP dictates the role based on group membership, you will want to filter by Group

  • Look at the number at the bottom right-hand corner. This is the number you will compare to what you find in your IdP.

What if I do all the above and my accounts still don’t match? We hear you - see path to follow below:

  • Jump to FAQs: Matching in Lumos

  • If the above reasons do not apply, please contact your CSM and provide them with the following information:

    • What you're trying to match (accounts, active accounts, accounts with specific roles)

    • An export of the CSV from your service provider with the accounts you want to match (same day)

Your CSM may have further questions for you but rest assured, we’ve got you covered!

FAQs: Matching in Lumos

Why isn’t Lumos matching my IdP?

  • Multiple sources: Lumos can list users who are assigned in the application, but not in your IdP

    • Make sure you’ve filtered to your IdP only!

  • Sync mismatches

    • Ensure that the time of sync in Lumos coincides with the time from which you are pulling users from your IdP.

  • API Key Access:

    • The Okta integration needs the super admin role or custom admin roles with group admin and app admin capabilities

  • Incorrect IdP Application:

    • There may be multiple instances of the same application in your IdP. Search for the application name in Apps and use the IdP application ID to confirm you are looking at the right application. 

Why isn’t Lumos matching my Service Provider?

If the number of accounts in Lumos is greater than the number of accounts in the Application:

  • Multiple Sources: Lumos can list users who are assigned in your IdP, but not in the app. 

    • Make sure you filtered to Lumos integration

  • Sync times:

    • Ensure that the time of sync in Lumos coincides with the time from which you are pulling users from the application

  • Application API vs Application Panel: The application API may return users or roles that are excluded from the application panel. Lumos may be including external users or users of a certain entitlement that are being sent via the API. For example, see the section "Lumos vs GCP IAM: Why you see more data in Lumos" in 📄 Reconciling Google Cloud Platform (GCP)

  • Account statuses: Lumos can include deprovisioned users who may or may not show up in the service provider. Lumos keeps the historical record of deprovisioned accounts. 

    • Ensure that you filter to active, access created and staged account statuses. 

If the number of accounts in Lumos is less than the number of accounts in the Application:

  • Account statuses: Lumos normalizes statuses into Active, Access Created, Staged, Suspended, Archived, Deprovisioned. Sometimes the status name used in the service provider is slightly different.

    • Ensure that you filter to active, access created and staged account statuses.

  • Sync times:

    • Ensure that the time of sync in Lumos coincides with the time from which you are pulling users from the application 
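When the filtered counts still differ, comparing the two same-day exports account by account shows which of the causes above applies. The script below is an added example, not Lumos code: the CSV column names (email, status, source), the provider status mapping, and the sample rows are all constructed assumptions to adapt to your own exports.

```python
import csv
import io

# Statuses the article counts as active, out of Lumos's normalized set.
ACTIVE = {"active", "access created", "staged"}
# Hypothetical mapping from one provider's status names to Lumos's names.
PROVIDER_STATUS_MAP = {"enabled": "active", "invited": "staged",
                       "disabled": "suspended"}
# Constructed sample exports; the column names are assumptions.
LUMOS_CSV = """email,status,source
ana@example.com,Active,Lumos integration
bo@example.com,Staged,Lumos integration
cy@example.com,Deprovisioned,Lumos integration
di@example.com,Active,IdP-Sourced
"""
PROVIDER_CSV = """email,status
ana@example.com,ENABLED
bo@example.com,Invited
ed@example.com,enabled
fay@example.com,pending-review
"""

def rows(text):
    # Lower-case and trim every cell so comparisons ignore case and spacing.
    return [{k: v.strip().lower() for k, v in r.items()}
            for r in csv.DictReader(io.StringIO(text))]

def reconcile(lumos_text, provider_text, source="lumos integration"):
    lumos, provider = rows(lumos_text), rows(provider_text)
    in_source = [r for r in lumos if r["source"] == source]
    lumos_active = {r["email"] for r in in_source if r["status"] in ACTIVE}
    provider_active = {r["email"] for r in provider
                       if PROVIDER_STATUS_MAP.get(r["status"]) in ACTIVE}
    inactive = [r["email"] for r in in_source if r["status"] not in ACTIVE]
    return {
        "lumos_unfiltered": len(lumos),
        "lumos_active": len(lumos_active),
        "provider_active": len(provider_active),
        "other_source": sorted(r["email"] for r in lumos if r["source"] != source),
        "inactive_in_lumos": sorted(inactive),
        "only_in_lumos": sorted(lumos_active - provider_active),
        "only_in_provider": sorted(provider_active - lumos_active),
        # Provider statuses with no mapping need a manual decision.
        "unmapped_provider_status": {r["email"]: r["status"] for r in provider
                                     if r["status"] not in PROVIDER_STATUS_MAP},
    }

if __name__ == "__main__":
    print(reconcile(LUMOS_CSV, PROVIDER_CSV))
```

Accounts listed under only_in_provider or unmapped_provider_status are the ones to check against sync time and status naming before contacting your CSM.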

Why isn’t the Lumos single App page matching the Lumos Access Review for the App?

  • Matched Accounts: In the access review, we do not break out matched accounts. For more information about Matched Accounts, please read this article on how Lumos matches accounts: 📄 How does Lumos match accounts?

  • Account statuses: Lumos only brings accounts with the statuses Active, Access Created and Staged into the access review.

    • Ensure that you filter to active, access created and staged account statuses.