Access policies

Overview

This article describes how administrators can configure an access policy to limit which users can log in using a SAML provider. Access policies help ensure that users log in with the correct provider, and they improve security by restricting which users a provider is allowed to log in.

The access policy is located in the Settings section of the SAML provider configuration.

Motivation

In the simplest deployment of SAML SSO, the application is configured with a single SAML identity provider and all users should log in using the same provider. In these simple cases, there is often no need to restrict access to the provider.

In practice, deployments are often more complex:

  • You may want some internal admin accounts to continue logging in with username and password and not be redirected to SAML SSO
  • Your application has two or more SAML providers configured, and you want different users to log in using different providers
  • A SAML provider is logging in users from another organization, and you want to restrict which users this external provider should be trusted to log in

For these types of scenarios, it is useful to restrict access to the provider using the access policy.

Restriction types

Access to a SAML provider may be restricted based on the user directory of the user logging in, the username of the user, or the network location the user is logging in from. By default, the access policy allows any user access to the provider. All configured restrictions must be satisfied for a policy to allow access.

The following example shows an access policy which restricts access by requiring that:

  • The user's account must be in the 'Active Directory example.local' user directory
  • The username of the user must end with '@example.com'
  • The user must be logging in from the 'Office' network zone

Evaluation

Access policies are evaluated twice during login. When a user enters a username to log in, the policy is consulted to determine which providers (if any) the user should be offered to log in with. When the user returns from the SAML provider, the policy is consulted again to confirm that the user is actually allowed to log in with that provider.
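The following is an added illustration, not the product's own code, of how the restriction types above combine and why the policy is checked a second time on return from the provider. It assumes hypothetical directory names, a constructed mapping of network zone names to CIDR ranges, and three constructed providers; a restriction left as None is treated as "not configured", and every configured restriction must hold for access to be allowed.

```python
"""Worked example: evaluating a SAML provider access policy.

Hypothetical illustration (not the product's own code). A policy may restrict
on user directory, username suffix and network zone; every configured
restriction must hold, and an unconfigured restriction allows anything.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample network zones: zone name -> list of CIDR ranges.
NETWORK_ZONES = {
    "Office": [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.168.1.0/24")],
    "VPN": [ipaddress.ip_network("172.16.0.0/12")],
}


def zones_for_ip(client_ip: str) -> set:
    """Return the names of every zone whose CIDR ranges contain client_ip."""
    addr = ipaddress.ip_address(client_ip)
    return {name for name, nets in NETWORK_ZONES.items()
            if any(addr in net for net in nets)}


@dataclass
class AccessPolicy:
    """None means 'restriction not configured', i.e. allow any value."""
    directories: Optional[set] = None      # allowed user directory names
    username_suffix: Optional[str] = None  # required username suffix, e.g. "@example.com"
    zones: Optional[set] = None            # allowed network zone names

    def evaluate(self, directory: str, username: str, client_ip: str) -> list:
        """Return the list of failed restrictions; an empty list means access is allowed."""
        failures = []
        if self.directories is not None and directory not in self.directories:
            failures.append(f"directory {directory!r} not allowed")
        if (self.username_suffix is not None
                and not username.lower().endswith(self.username_suffix.lower())):
            failures.append(f"username {username!r} lacks suffix {self.username_suffix!r}")
        if self.zones is not None and not (zones_for_ip(client_ip) & self.zones):
            failures.append(f"client {client_ip} is outside zones {sorted(self.zones)}")
        return failures

    def allows(self, directory: str, username: str, client_ip: str) -> bool:
        return not self.evaluate(directory, username, client_ip)


# Constructed providers, keyed by name, each with its own access policy.
PROVIDERS = {
    "Corporate IdP": AccessPolicy(directories={"Active Directory example.local"},
                                  username_suffix="@example.com",
                                  zones={"Office"}),
    "Partner IdP": AccessPolicy(username_suffix="@partner.example"),
    "Default IdP": AccessPolicy(),   # no restrictions: any user, from anywhere
}


def providers_to_offer(directory: str, username: str, client_ip: str) -> list:
    """First evaluation: after the username is entered, which providers to offer."""
    return [name for name, policy in PROVIDERS.items()
            if policy.allows(directory, username, client_ip)]


def validate_saml_return(provider: str, directory: str, username: str, client_ip: str) -> list:
    """Second evaluation: re-check the policy when the SAML response comes back,
    so an IdP-initiated login or a direct link cannot bypass the first check.
    Returns the failed restrictions; an empty list means the login is accepted."""
    return PROVIDERS[provider].evaluate(directory, username, client_ip)


if __name__ == "__main__":
    print(providers_to_offer("Active Directory example.local", "alice@example.com", "10.1.2.3"))
    print(validate_saml_return("Corporate IdP", "Active Directory example.local",
                               "alice@example.com", "203.0.113.5"))
```

The second check matters because the first one only decides what the login page offers: a user who arrives through an IdP-initiated flow never passes through that screen, so the policy must be re-evaluated on the returned assertion, which is exactly where the rejection message described in the next section comes from.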

Rejected logins

Normally, users are only offered to log in using SAML after entering their username, or when using automatic redirection. If the user is trying to log in using IdP-initiated login or by clicking on a link somewhere, they will see an error message informing them that the access policy does not allow them to log in. Here's an example of the message given when a user is trying to log in from a network location that is not allowed.

Learn more