SaaS Discovery

Overview

SaaS discovery identifies your organization's Software as a Service (SaaS) applications through integrations with third-party systems like Single-Sign-on (SSO), Secure Access Simplified (SASE), and Cloud Access Security Broker (CASB) solutions. Once a new SaaS application is discovered, you can:

• Automatically or manually link the discovered SaaS application to existing application fact sheets or create new fact sheets and link them to the catalog item
• Enrich existing or newly created fact sheets by automatically linking the discovered SaaS to the reference catalog

The SaaS discovery feature integrates with third-party systems via APIs. To set up these integrations, you need to provide credentials with appropriate permissions for those systems. You can find detailed instructions for setting up each available integration in Setting Up Integrations for SaaS Discovery. Once an integration is set up, SAP LeanIX verifies the credentials and retrieves information about your organization’s applications, usually twice a day.

🚧

Note

Since the SaaS discovery feature operates through integration with third-party systems, applications that are not from the application gallery but are developed or registered by the organization itself in their application landscape are not discovered.

Benefits

• Find all SaaS applications that are used in your organization.
• Fully automate adding SaaS applications to SAP LeanIX, ensuring your inventory stays up to date and complete.
• Enrich existing application fact sheets with information from the reference catalog, including description, product category, SSO, and hosting.
• Detect multiple instances of the same SaaS in different SSOs and rationalize or manage portfolios better.
• Eliminate shadow IT and business-managed IT.
• Mitigate security and compliance risks.

📘

Note

The SaaS discovery feature in SAP LeanIX does not provide insight into cost, adoptions, contracts, and other SaaS specifics.

Role of the Reference Catalog

When a discovered SaaS item is linked to an application fact sheet, it also establishes a link between the fact sheet and the corresponding item in the SAP LeanIX reference catalog. This occurs when:

• An appropriate reference catalog item exists for that fact sheet
• The fact sheet isn't already linked to the reference catalog item

Through this connection, information from the reference catalog is automatically synced and updated on relevant application fact sheets. To learn more, see Applications in the Reference Catalog.

Setting Up Integrations for SaaS Discovery

Currently, integration is possible with the following SSO, CASB, and SASE systems:

• Microsoft Defender for Cloud Apps (MDCA)
• Microsoft Entra ID (formerly Azure Active Directory)
• Netskope
• Okta
• Zscaler

To access the setup for these integrations, follow these steps:

1. In the Administration area, select Integrations.
2. Click Add integrations. All available integrations are shown on the resulting page.
3. Click Configure on the needed integration.

For setup details, refer to the respective integration guides.

📘

Note

We welcome your suggestions for additional integrations you'd like to see in the SAP LeanIX Product Roadmap.

👍

Tip

• Both integration categories, SSO and CASB, offer unique benefits. CASB systems can uncover shadow or business-managed IT, while SSO integrations provide more detailed information about discovered SaaS. Therefore, we recommend connecting at least one integration per category.
• Discovered SaaS applications are automatically linked to their corresponding fact sheets. If you prefer to manually review and link them, deactivate automatic linking in the discovery inbox settings before setting up the integrations. For more details, see Automatic Linking.

Status of the Integration

After adding an integration, you can view it in the Integrations section of the workspace administration area. The tile displays the integration's status, indicating whether it’s active or if there’s an error. If there are multiple instances of the same integration, you’ll see the number of instances and the status of the most critical one shown on the tile. For example, if even one instance has an error, the tile shows an error status.

Viewing Synchronization Logs for Integration Runs

SaaS Discovery provides two types of synchronization logs:

• Credentials check: Every 12 hours, the system checks the validity of the integration credentials and confirms the necessary permissions to request the needed data.
• Application discovery: Every 12 hours, the system pulls data from the integrated systems.

You can view details on integration runs in the Sync Logging section of the administration area. By using synchronization logs, you can promptly identify any issues with the integration and view details on each failed integration run. For more information on synchronization logs, see Synchronization Logging.

Fixing Integration Issues with SAP LeanIX AI Capabilities

SaaS discovery leverages AI to classify integration errors and suggest solutions for user input errors. Whenever an error from an integration occurs, it is classified into one of the following types:

• User input error
• System error
• Internal error

This classification helps you determine if resolving the error is feasible. While system errors are beyond your control, for internal errors, SAP LeanIX has proactive monitoring set up to enable prompt action when required.

AI capability is also used to suggest solutions for user input errors. For instance, when an error message is technical and rather cryptic, AI translates it into a clear solution description. This simplification makes the issue resolution process easier, even for non-technical users.

Linking Discovered Items to the Fact Sheets

Once an integration is successfully set up, the discovered SaaS applications are listed in the SaaS Discovery Inbox. In the inbox, you can review the discovered items and link them to existing fact sheets or create and link new fact sheets. To learn more, see SaaS Discovery Inbox.

Detecting Multiple Instances of SaaS

SaaS Discovery detects multiple instances of the same SaaS across different SSO systems. Currently, it is supported for Entra ID and Okta integrations.

Multiple instances of SaaS are often used to support regional requirements, to separate data of different legal entities of the same company, or to facilitate the use of test systems alongside production systems. Also, in situations like mergers and acquisitions, managing multiple instances becomes crucial. Therefore, identifying these instances is important for Enterprise Architects, as knowing about their existence can influence application rationalization efforts.

SAP LeanIX SaaS discovery identifies SaaS instances by examining Application IDs, External IDs, and External names used in the SSOs. When multiple SaaS instances share the same application IDs, the unique external IDs and external names are used to distinguish the service instances. External IDs are unique IDs assigned by the SSO for each service instance, while external names are manually assigned names in the SSO.

To help identify different instances, the external name is displayed below the name of the discovered SaaS item in the SaaS discovery inbox.

You can view the external ID by opening the side panel when clicking on a SaaS item. In the example below, the first discovery item appears to be a dedicated development instance, while the latter is the production instance. These instances can now be linked to two different fact sheets if necessary. Alternatively, if instances don't play a big role in your workspace, you can link them to the same fact sheet.

📘

Note

The auto-link feature operates on a first-come, first-served basis. This means when multiple SaaS instances have the same application IDs, the first item that exactly matches with the name of the fact sheet is linked. The matching is based on the external name.