SaaS Discovery

SaaS Discovery identifies your organization's SaaS applications by integrating with SSO, SASE, and CASB solutions. It then updates and enriches Fact Sheets using the SaaS Catalog.

Overview

SaaS Discovery streamlines the process of identifying your organization's Software as a Service (SaaS) applications through integrations with third-party systems such as Single Sign-On (SSO), Secure Access Service Edge (SASE), and Cloud Access Security Broker (CASB) solutions. Once a new SaaS application is discovered, you can:

  • Automatically or manually link the discovered SaaS application to existing Application Fact Sheets or create new Fact Sheets and link them to the catalog item
  • Enrich existing or newly created Fact Sheets by automatically linking the discovered SaaS to the SaaS Catalog

Benefits

By leveraging SaaS Discovery, you get the following benefits:

  • Find all SaaS applications that are used in your organization.
  • Fully automate adding SaaS applications to LeanIX, ensuring your inventory stays up to date and complete.
  • Enrich existing Application Fact Sheets, including description, product category, SSO, and hosting information from the SaaS Catalog.
  • Detect multiple instances of the same SaaS in different SSOs, helping you rationalize or manage your portfolio better.
  • Eliminate shadow IT and business-managed IT.
  • Mitigate security and compliance risks.

📘

The SaaS Discovery feature in LeanIX Enterprise Architecture does not provide insight into cost, adoption, utilization, contracts, and other SaaS specifics.

Role of the SaaS Catalog

When a discovered SaaS item is linked to an Application Fact Sheet, it also establishes a link between the Fact Sheet and the corresponding SaaS Catalog item. This occurs when:

  • An appropriate SaaS Catalog item exists for the Fact Sheet.
  • The Fact Sheet isn't already linked to the SaaS Catalog item.

Through this connection, information from the SaaS Catalog is automatically synced and updated on relevant Application Fact Sheets. To learn more, see SaaS Catalog.

Setting Up Integrations for SaaS Discovery

Continuous SaaS discovery relies on integrations with key SSO and CASB systems. These integrations allow LeanIX to identify and discover the SaaS applications used across your organization.

👍

Recommendation

Both integration categories, SSO and CASB, offer unique benefits. CASB systems can uncover shadow or business-managed IT, while SSO integrations provide more detailed information about discovered SaaS. Therefore, we recommend connecting at least one integration per category.

To set up integrations, follow these steps:

  1. From the settings, navigate to Administration > SaaS Discovery.
  2. Click Go to Saas Discovery. This opens the Discovery Inbox page in a new tab.
  3. On the Discovery Inbox page, select the Integrations tab. The Integrations tab shows existing configured integrations.
  4. To add new integrations, click Add Integration, and choose from the available options by clicking Connect.
Adding SaaS Discovery Integration


For setup details for the available integrations, see the following documents:

👍

Feel free to provide feedback on any integration you would like to see included. Visit the LeanIX Product Roadmap and click + Submit idea to share your suggestions.

Fixing Integration Issues with the Help of AI

AI supports SaaS Discovery with the following:

  • Error classification
  • Solution suggestions

Error Classification

Whenever an error from an integration occurs, AI classifies it into one of the following types:

  • User input error
  • System error
  • Internal error

This classification helps determine whether an error can be resolved. System errors are beyond control. For internal errors, however, LeanIX has proactive monitoring set up to enable prompt action when required.

Solution Suggestions

AI is used to suggest solutions for user input errors. For example, consider a situation where the error message is rather cryptic. With AI, this can be translated into a solution description that simplifies the issue resolution process, even for non-technical users.

The following image shows an example error message with an AI-generated solution suggestion.

Example Error Message with an AI-Generated Solution Suggestion


Adding Discovered SaaS Applications to the Inventory

List of Discovered SaaS Applications

Once the integration is set up, SaaS applications are automatically discovered. Discovered Applications appear on the SaaS Discovery tab of the Discovery Inbox page. In the Discovery Inbox, you can link the discovered items to an existing Fact Sheet or create a new Fact Sheet to link to, edit linked connections, and perform other related actions.

List of Discovered SaaS Applications in the Discovery Inbox


You can find the following information in the Discovery Inbox:

  • Discovered Item: The name of the discovered SaaS application. Clicking the name provides additional details and actions to process the item.
  • Status: The status of linking a discovered application to a Fact Sheet.
    • Linked: The discovered application is already linked to a Fact Sheet. No further action is pending.
    • Action needed: The discovered application has not been linked yet and still needs to be processed.
    • Rejected: The discovered application was processed already but is not linked to a Fact Sheet.
  • Fact Sheet link:
    • For linked items: The name of the linked Fact Sheet.
    • For unlinked items: A recommendation of a matching Fact Sheet to link to, or a suggestion for creating a new Fact Sheet if no suitable matching Fact Sheet is found
  • Integration: Indicates which integration discovered the application.
  • Discovery date: The date when the application was discovered.
  • Action by: Lists who acted on the discovered application, including when the action was done.

Filtering and Searching Discovered SaaS Applications

You can filter discovered SaaS applications using the following parameters:

  • Status: Filter the list based on discovered application status - Linked, Action needed, or Rejected.
  • Integration: If you have multiple integrations configured, you can narrow down the discovered items based on one or multiple integrations.
  • Action by: Filter the list of applications based on particular users or the system who linked the discovered items to Fact Sheets.

You can also search for specific entries in the list in the search field below the filter.

Linking Discovered Applications to Fact Sheets

There are two ways to link discovered applications to Fact Sheets:

Automatic linking

Automatic linking takes place in the following cases:

  • The application's name on the Fact Sheet exactly matches the name of the SaaS Discovery item (discovered SaaS application).
  • The Fact Sheet is already linked to a SaaS Catalog item corresponding to the SaaS Discovery item. To learn more about the SaaS Catalog, see SaaS Catalog.

Manual linking

Discovered applications that are not automatically linked can be linked manually.
To manually link a discovered item, do the following:

  1. Click the name of the discovered item. This action opens an overlay where you can select the Fact Sheet you want to link to.

    Selecting the Fact Sheet To Link to the Discovered Item



  2. In the Will be linked to Fact Sheet(s) and catalog section, hover over a fact sheet, then click Edit. Select or search the Fact Sheet you want to link to. While selecting, you can:

    1. Link to an existing Application Fact Sheet: The system suggests a matching Fact Sheet to link to when it identifies one in the workspace. Or, if there is a better alternative than the given suggestion, you can search/select the right application from the drop-down menu.
    2. Create and Link: If no suitable matching Fact Sheet is found, you get a recommendation to create a new Fact Sheet of the Application type.
    3. Link to IT Component/Provider Fact Sheets: You can also link the discovered item to an existing IT Component or Provider Fact Sheet, by searching/selecting the right Fact Sheet from the drop-down menu.
  3. Click Link to finish establishing the link.

Modifying the Established Link

You can modify the link between the discovered item and the linked Fact Sheet if it was linked inadvertently or if a better alternative exists.

To modify the link, do the following:

  1. Click the name of the discovered item. This action opens an overlay where you can select the Fact Sheet you want to link to.
  2. Hover over the linked fact sheet, click Edit, then select or search for the Fact Sheet you want to relink to.
  3. Click Link to finish reestablishing the link.

When you modify the link between the Fact Sheet and the discovered SaaS item, the connected SaaS Catalog item also automatically updates to the appropriate one. You can view the details of the catalog link in the Catalog link section.

SaaS Catalog links are not editable here. To learn how to change the linked SaaS Catalog item, see Changing Fact Sheet link to a Different SaaS Catalog Item.

Detecting Multiple Instances of SaaS

SaaS Discovery detects multiple instances of the same SaaS across different SSO systems. This is currently supported for Entra ID and Okta.

Multiple instances of SaaS are often used to support regional requirements, to separate data of different legal entities of the same company, or to facilitate the use of test systems alongside production systems. Managing multiple instances also becomes crucial in situations like mergers and acquisitions. Identifying these instances is therefore important for Enterprise Architects, as knowing about their existence can influence application rationalization efforts.

LeanIX SaaS Discovery identifies SaaS instances by examining Application IDs, External IDs, and External names used in the SSOs. When multiple SaaS instances share the same Application IDs, the unique External IDs and External names are used to distinguish the service instances. External IDs are unique IDs assigned by the SSO for each service instance, while External names are manually assigned names in the SSO.

To help identify different instances, the External name is displayed below the name of the discovered SaaS item in the Discovery Inbox.

Multiple Instances of Same SaaS Listed in Discovery Inbox


You can view the External ID in the side pane overlay that opens when you click a SaaS item. In the example below, the first discovery item appears to be a dedicated development instance, while the latter is the production instance. These instances can now be linked to two different Fact Sheets if necessary. Alternatively, if instances don't play a big role in your workspace, you can link them to the same Fact Sheet.

Discovered SaaS Item’s Detail Showing External ID


📘

Note

The auto-link feature operates on a first-come, first-served basis. This means that when multiple SaaS instances share the same Application IDs, the first item that exactly matches the name of the fact sheet is linked. The matching is based on the External name.
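
A simplified model of the instance detection and first-come, first-served auto-link rule described above, as an added example that is not LeanIX code. The record field names, the sample values, and the treatment of later matching instances as "Action needed" are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records in discovery order (hypothetical field names and values).
DISCOVERED = [
    {"integration": "Entra ID", "application_id": "app-001",
     "external_id": "ext-a1", "external_name": "Acme CRM"},
    {"integration": "Okta", "application_id": "app-001",
     "external_id": "ext-b7", "external_name": "Acme CRM"},
    {"integration": "Okta", "application_id": "app-001",
     "external_id": "ext-c3", "external_name": "Acme CRM Dev"},
    {"integration": "Entra ID", "application_id": "app-002",
     "external_id": "ext-d9", "external_name": "Acme Wiki"},
]
FACT_SHEETS = ["Acme CRM", "Acme Wiki"]  # constructed Fact Sheet names


def multi_instance_apps(items):
    """Group by Application ID; distinct External IDs mark separate instances."""
    groups = defaultdict(set)
    for item in items:
        groups[item["application_id"]].add(item["external_id"])
    return {app: sorted(ids) for app, ids in groups.items() if len(ids) > 1}


def auto_link(items, fact_sheets):
    """Return {external_id: (status, fact_sheet_or_None)}.

    Only the first instance whose External name exactly matches a Fact Sheet
    name is linked; later instances of the same application are left for
    manual review (assumed here to show as "Action needed").
    """
    claimed = set()  # (application_id, fact sheet name) pairs already linked
    result = {}
    for item in items:  # iterate in discovery order
        name = item["external_name"]
        key = (item["application_id"], name)
        if name in fact_sheets and key not in claimed:
            claimed.add(key)
            result[item["external_id"]] = ("Linked", name)
        else:
            result[item["external_id"]] = ("Action needed", None)
    return result


def review_queue(items, fact_sheets):
    """External IDs that still need a manual linking decision."""
    links = auto_link(items, fact_sheets)
    return [ext for ext, (status, _) in links.items() if status == "Action needed"]
```

In this model the second "Acme CRM" instance and the "Acme CRM Dev" instance both land in the review queue, which is where an instance that was never formally onboarded would surface.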