SaaS Discovery
SaaS Discovery identifies your organization's SaaS applications by integrating with SSO, SASE, and CASB solutions. It then updates and enriches Fact Sheets using the reference catalog.
Overview
SaaS Discovery streamlines the process of identifying your organization's Software as a Service (SaaS) applications through seamless integrations with third-party systems like Single Sign-On (SSO), Secure Access Service Edge (SASE), and Cloud Access Security Broker (CASB) solutions. Once a new SaaS application is discovered, you can:
- Automatically or manually link the discovered SaaS application to existing Application Fact Sheets or create new Fact Sheets and link them to a reference catalog item
- Enrich existing or newly created Fact Sheets by automatically linking the discovered SaaS to the reference catalog
The SaaS Discovery feature operates through integrations with third-party systems via APIs. To set up these integrations, you must provide credentials with appropriate permissions for the third-party systems. Detailed information and instructions for each integration are provided in specific guides, links for which are listed in the section Setting Up Integrations for SaaS Discovery.
Once an integration is established, SAP LeanIX periodically verifies the credentials and retrieves the necessary data, typically twice a day. This process enables SAP LeanIX to extract information about the applications used by your organization.
Note
Since the SaaS Discovery feature operates through integration with third-party systems, applications that are not from the application gallery but are developed or registered by the organization itself in their application landscape are not discovered.
Benefits
By leveraging SaaS Discovery, you get the following benefits:
- Find all SaaS applications that are used in your organization.
- Fully automate adding SaaS applications to SAP LeanIX, ensuring your inventory stays up to date and complete.
- Enrich existing Application Fact Sheets, including description, product category, SSO, and hosting information from the reference catalog.
- Detect multiple instances of the same SaaS in different SSOs and rationalize or manage your portfolio better.
- Eliminate shadow IT and business-managed IT.
- Mitigate security and compliance risks.
The SaaS Discovery feature in SAP LeanIX Enterprise Architecture does not provide insight into cost, adoption, contracts, and other SaaS specifics.
Role of the Reference Catalog
When a discovered SaaS item is linked to an Application Fact Sheet, it also establishes a link between the Fact Sheet and the corresponding catalog item. This occurs when:
- An appropriate catalog item exists for the Fact Sheet.
- The Fact Sheet isn't already linked to a catalog item.
Through this connection, information from the reference catalog is automatically synced and updated on relevant Application Fact Sheets. To learn more, see Applications in the Reference Catalog.
Setting Up Integrations for SaaS Discovery
Continuous SaaS discovery relies on integrations with key SSO and CASB systems. These integrations allow SAP LeanIX to identify and discover the SaaS applications used across your organization.
Recommendation
Both integration categories, SSO and CASB, offer unique benefits. CASB systems can uncover shadow or business-managed IT, while SSO integrations provide more detailed information about discovered SaaS. Therefore, we recommend connecting at least one integration per category.
To set up integrations, follow these steps:
- In the Administration area, select Integrations.
- Click Add integrations. All available integrations are shown on the resulting page.
- Click Configure on the needed integration.
For setup details for the available integrations, see the following documents:
- Microsoft Defender for Cloud Apps (MDCA)
- Microsoft Entra ID (formerly Azure Active Directory)
- Netskope
- Okta
- Zscaler
Feel free to provide feedback on any integration you would like to see included. Visit the SAP LeanIX Product Roadmap and click + Submit idea to share your suggestions.
Status of the Integration
Once an integration is added, you can view it in the Integrations section of the administration area. The tile shows the integration's status, indicating whether it’s active or if there’s an error. If there are multiple instances of the same integration, the number of instances is displayed, and the tile reflects the status of the most critical instance. For example, if even one instance has an error, the tile will show an error status.
Clicking the tile displays a list of all instances or, if there's only one instance, opens the configuration page directly.
Viewing Synchronization Logs for Integration Runs
SaaS Discovery provides two types of synchronization logs:
- Credentials check: Every 12 hours, the system checks the validity of the integration credentials and confirms the necessary permissions to request the needed data.
- Application discovery: Every 12 hours, the system pulls data from the integrated systems.
You can view details on integration runs in the Sync Logging section of the administration area. By using synchronization logs, you can promptly identify any issues with the integration and view details on each failed integration run. For more information on synchronization logs, see Synchronization Logging.
Fixing Integration Issues with the Help of AI
AI supports SaaS Discovery with the following:
- Error classification
- Solution suggestions
Error Classification
Whenever an error from an integration occurs, AI classifies it into one of the following types:
- User input error
- System error
- Internal error
This classification aids in determining the feasibility of error resolution. System errors are beyond control; for internal errors, however, SAP LeanIX has proactive monitoring set up to enable prompt action when required.
Solution Suggestions
AI is used to suggest solutions for user input errors. For example, consider a situation where the error message is rather cryptic. With AI, this can be translated into a solution description that simplifies the issue resolution process, even for non-technical users.
The following image shows an example error message with an AI-generated solution suggestion.
Adding Discovered SaaS Applications to the Inventory
List of Discovered SaaS Applications
Once the integration is set up, SaaS applications are automatically discovered. Discovered Applications appear on the SaaS Discovery tab of the Discovery Inbox page.
In the Discovery Inbox, you can link the discovered items to an existing fact sheet or create a new fact sheet to link to, edit linked connections, and perform other related actions.
At the top of the Discovery Inbox, overview cards display the number of items in the inbox in different statuses - action needed, linked, or rejected. These four cards also act as quick filters. For example, clicking the Action needed card will remove all current filters and apply the filter to only list items requiring action. Clicking the Total card will remove all filters, and the list shows all discovered items.
Below the overview, discovered items are listed, and you can find the following information:
- Discovered Item: The name of the discovered SaaS application. Clicking the name provides additional details and actions to process the item.
- Status: The status of linking a discovered application to a Fact Sheet.
  - Linked: The discovered application is already linked to a Fact Sheet. No further action is pending.
  - Action needed: The discovered application has not been linked yet and still needs to be processed.
  - Rejected: The discovered application was processed already but is not linked to a Fact Sheet.
- Fact Sheet link:
  - For linked items: The name of the linked Fact Sheet.
  - For unlinked items: A recommendation of a matching Fact Sheet to link to, or a suggestion for creating a new Fact Sheet if no suitable matching Fact Sheet is found.
- Integration: Indicates which integration discovered the application.
- Discovery date: The date when the application was discovered.
- Action by: Lists who acted on the discovered application, including when the action was done.
Note
You can view the changelog of actions for discovered items. To do this, select an item in the discovery inbox, then navigate to the Changelog tab on the right-side pane. Here, you can view the history of actions for a discovered item, such as when it was created, linked, rejected, or linked to a different fact sheet.
Filtering and Searching Discovered SaaS Applications
You can filter discovered SaaS applications with many parameters, including:
- Status: Filter the list based on discovered application status - Linked, Action needed, or Rejected.
- Integration: If you have multiple integrations configured, you can narrow down the discovered items based on one or multiple integrations.
- Action by: Filter the list of applications based on particular users or the system who linked the discovered items to Fact Sheets.
- Additional parameters are available based on the integration you're using to discover SaaS. These may include:
  - Usage adoption metrics: Such as total active users, generated traffic, and more.
  - Security-related metrics: Such as application risk index, revised total security scores, and more.
Many of these parameters also allow you to set ranges for more precise filtering.
You can search for specific entries in the list using the search field below the filter. For example, you can search by name, external ID, Application ID, and more.
Linking Discovered Applications to Fact Sheets
There are two ways to link discovered applications to Fact Sheets:
- Automatic linking
- Manual linking
Automatic linking
Automatic linking takes place in the following cases:
- The application’s name on the Fact Sheet is identical to the name of the SaaS Discovery item (discovered SaaS application).
- The Fact Sheet is already linked to a reference catalog item corresponding to the SaaS Discovery item. To learn more, see Applications in the Reference Catalog.
Manual linking
Discovered applications that are not automatically linked can be linked manually. To manually link a discovered item, do the following:
- Click the name of the discovered item. This action opens an overlay where you can find details of the discovered item and also select the Fact Sheet you want to link to.
- In the Will be linked to Fact Sheet(s) and catalog section, hover over a fact sheet, then click Edit. Select or search the Fact Sheet you want to link to. While selecting, you can:
  - Link to an existing Application Fact Sheet: The system suggests a matching Fact Sheet to link to when it identifies one in the workspace. Or, if there is a better alternative than the given suggestion, you can search/select the right application from the drop-down menu.
  - Create and Link: If no suitable matching Fact Sheet is found, you get a recommendation to create a new Fact Sheet of the Application type.
  - Link to IT Component/Provider Fact Sheets: You can also link the discovered item to an existing IT Component or Provider Fact Sheet, by searching/selecting the right Fact Sheet from the drop-down menu.
- Click Link to finish establishing the link.
Details of the Discovered Item
The Details tab in the overlay gives you further details, depending on the integration source. These include security-related information, such as the application risk index and revised total security score, and usage adoption information, such as total active users and generated traffic, along with integration-specific details.
All the details visible here can be used as parameters for search and filtering in the discovery inbox.
Rejecting Discovered Items
You can ignore a discovered item if you don't want to link it to a fact sheet. Follow the same instructions as for linking, and choose Reject.
Here are some reasons for rejecting a discovered SaaS item:
- It is not relevant to your organization's SaaS inventory from an enterprise architecture perspective.
- It is a duplicate instance of the same SaaS discovered by different integration sources.
- It pertains to outdated or discontinued services that are no longer in use.
- It is a test instance.
- You want to overwrite the information in the linked fact sheet. Rejecting a linked item effectively unlinks it and stops updates from the catalog.
Rejected items are then listed in the Rejected tab, allowing you to review and relink them if needed.
Linking / Rejecting Multiple Items at Once
To link or reject multiple items at once, follow these steps:
- From the list, select the discovered items by checking the checkbox against the item individually or by using the Select All option.
  - When you click Select All, only the items currently displayed are selected. To ensure all items are selected, scroll down to the bottom of the page to load all items before clicking Select All.
  - You can also use filters to narrow down the list for selection. For example, you can filter by an integration source and select only those items.
- At the top right corner of the list, click Link or Reject as needed.
Modifying the Established Link
You can modify the link between the discovered item and the linked Fact Sheet if it was linked inadvertently or if a better alternative exists.
To modify the link, do the following:
- Click the name of the discovered item. This action opens an overlay where you can select the Fact Sheet you want to link to.
- Hover over the linked fact sheet, click Edit, then select or search for the Fact Sheet you want to relink to.
- Click Link to finish reestablishing the link.
When you modify the link between the Fact Sheet and the discovered SaaS item, the connected reference catalog item also automatically updates to the appropriate one. You can view the details of the catalog link in the Catalog link section.
The reference catalog links are not editable here. To learn how to change the linked catalog item, see Changing the Link to a Different Item.
Detecting Multiple Instances of SaaS
SaaS Discovery detects multiple instances of the same SaaS across different SSO systems. Currently, this is supported for Entra ID and Okta.
Multiple instances of SaaS are often used to support regional requirements, to separate data of different legal entities of the same company, or to facilitate the use of test systems alongside production systems. Also, in situations like mergers and acquisitions, managing multiple instances becomes crucial. Therefore, identifying these instances is important for Enterprise Architects, as knowing about their existence can influence application rationalization efforts.
SAP LeanIX SaaS Discovery identifies SaaS instances by examining Application IDs, External IDs, and External names used in the SSOs. When multiple SaaS instances share the same Application IDs, the unique External IDs and External names are used to distinguish the service instances. External IDs are unique IDs assigned by the SSO for each service instance, while External names are manually assigned names in the SSO.
To help identify different instances, the External name is displayed below the name of the discovered SaaS item in the Discovery Inbox.
You can view the External ID by clicking a SaaS item to open the side pane overlay. In the example below, the first discovery item appears to be a dedicated development instance, while the latter is the production instance. These instances can now be linked to two different Fact Sheets if necessary. Alternatively, if instances don't play a big role in your workspace, you can link them to the same Fact Sheet.
Note
The auto-link feature operates on a first-come, first-served basis. This means that when multiple SaaS instances share the same Application IDs, the first item that exactly matches the name of the fact sheet is linked. The matching is based on the External name.
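The following added example is a simplified model of the instance grouping and first-come, first-served auto-linking described above. It is not SAP LeanIX code. The field names, the sample data, the case-sensitive exact match, and the reading that at most one instance per Application ID is auto-linked are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DiscoveredItem:          # hypothetical record, fields named after the page's terms
    application_id: str        # shared by all instances of the same SaaS
    external_id: str           # unique per instance, assigned by the SSO
    external_name: str         # manually assigned name in the SSO
    integration: str

def group_instances(items):
    """Group discovered items by Application ID, preserving discovery order."""
    groups = defaultdict(list)
    for item in items:
        groups[item.application_id].append(item)
    return dict(groups)

def auto_link(items, fact_sheet_names):
    """Map each External ID to the Fact Sheet name it auto-links to, or None."""
    names = set(fact_sheet_names)
    result = {}
    for group in group_instances(items).values():
        linked = False
        for item in group:
            # Only the first instance whose External name matches exactly is linked.
            match = not linked and item.external_name in names
            result[item.external_id] = item.external_name if match else None
            linked = linked or match
    return result

def needs_review(items, fact_sheet_names):
    """External IDs left unlinked inside groups that contain several instances."""
    links = auto_link(items, fact_sheet_names)
    multi = [g for g in group_instances(items).values() if len(g) > 1]
    return [i.external_id for g in multi for i in g if links[i.external_id] is None]

# Constructed sample data, in discovery order (not real tenant output).
ITEMS = [
    DiscoveredItem("app-crm", "ext-001", "ExampleCRM", "Okta"),
    DiscoveredItem("app-crm", "ext-002", "ExampleCRM", "Entra ID"),
    DiscoveredItem("app-crm", "ext-003", "ExampleCRM DEV", "Okta"),
    DiscoveredItem("app-chat", "ext-004", "ExampleChat", "Okta"),
]
FACT_SHEETS = ["ExampleCRM", "ExampleChat"]

if __name__ == "__main__":
    print(auto_link(ITEMS, FACT_SHEETS))
    print("Review manually:", needs_review(ITEMS, FACT_SHEETS))
```

In this model, the second production-named instance and the development instance stay unlinked, which is the set an architect would review manually in the Discovery Inbox.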
Accessing SaaS Discovery Inbox from the Inventory
You can access the SaaS discovery inbox directly from the inventory by navigating to the right-hand side pane and selecting SaaS Discovery Inbox. By default, only admins can access it, but they can configure permissions to grant access to other roles. For more details, see Role-Based Permissions.