SSO Login Condition Attributes

Quick Tip for SSO Login

Login condition attributes are the characteristics or conditions associated with a user's identity that an SP (Service Provider), such as Ideascale, uses to make access control decisions when a user attempts to access its resources or services through Single Sign-On (SSO). These attributes determine whether a user is granted access to a specific application or service provided by the SP, and configuring them is an integral part of the SSO setup.

Note that login condition attributes are not applied universally; they must be configured in your SSO settings to match the attributes your IDP (Identity Provider) actually sends. To access and configure login condition attributes, follow these steps:

  1. Navigate to Community settings.

  2. Select Security.

  3. Go to Single Sign-On Settings.

  4. Choose Login Condition Attributes.

The configuration of login condition attributes involves two key settings within the SSO section:

Attribute Name: This designates the attribute you wish to attach a login condition to, such as Email, Username, or any other attribute transmitted from your IDP.

Attribute Value: This is a regular expression or wildcard expression that defines how you want to limit the attribute named above. For instance, you may want to restrict users based on specific departments within an organization.

Here's an illustrative example:

Consider an organization that aims to block users with an email prefix of "atp." and an email domain of "ideascale.com" (e.g., atp.ideascaleuser@ideascale.com). In this scenario, you would:

Define the Attribute Name as the IDP attribute that carries the email address. The name of this attribute varies by IDP, but you can usually find the form in which it arrives by looking at the SSO debugger log. In the case of Azure AD it looks like this:
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

Create a Regular Expression (RegEx) that blocks users with the "atp." prefix and the email domain "ideascale.com" (e.g., ^(?!atp\.[\w.-]+@ideascale\.com).*$). The negative lookahead rejects any value beginning with that prefix and domain, and every other value matches. The periods are escaped so that they match a literal "." rather than any character.
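The following harness, added here and not part of the Ideascale documentation, evaluates the login condition above against a few constructed email attribute values so you can see which logins it blocks before saving the rule. It assumes the SP accepts a login only when the whole attribute value matches the configured expression, and it compares the page's pattern with the dots unescaped against the escaped form to show why the escaping matters.

```python
import re

# Constructed sample values for the emailaddress claim (not real users).
SAMPLE_EMAILS = [
    "alice@ideascale.com",               # ordinary user: should be allowed
    "atp.ideascaleuser@ideascale.com",   # exactly the pattern to block
    "atpxuser@ideascale.com",            # no "atp." prefix; an unescaped dot blocks it anyway
    "atp.user@ideascale.com.example",    # longer domain: still blocked, lookahead has no end anchor
    "atp.user@example.com",              # "atp." prefix but another domain: allowed
    "ATP.user@ideascale.com",            # case differs: re is case-sensitive, so allowed here
]

# The expression with unescaped dots, and the same expression with "." escaped.
UNESCAPED_REGEX = r"^(?!atp.[\w.-]+@ideascale.com).*$"
ESCAPED_REGEX = r"^(?!atp\.[\w.-]+@ideascale\.com).*$"


def login_allowed(attribute_value, condition_regex):
    """Return True if the attribute value satisfies the login condition.

    Assumption (not stated on the page): the SP grants the login only when
    the entire attribute value matches the expression, which re.fullmatch
    models; a match on a substring is not enough. Whether the SP's matcher
    is case-sensitive is also not stated; Python's re is, by default.
    """
    return re.fullmatch(condition_regex, attribute_value) is not None


def evaluate(condition_regex, emails=SAMPLE_EMAILS):
    """Map each sample attribute value to its access decision (True = allow)."""
    return {email: login_allowed(email, condition_regex) for email in emails}


if __name__ == "__main__":
    for label, pattern in (("unescaped", UNESCAPED_REGEX), ("escaped", ESCAPED_REGEX)):
        print(f"{label}: {pattern}")
        for email, allowed in evaluate(pattern).items():
            print(f"  {'ALLOW' if allowed else 'BLOCK'}  {email}")
```

Running it shows that the unescaped pattern also blocks "atpxuser@ideascale.com", while both patterns block any address whose domain merely begins with "ideascale.com".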

By configuring these login condition attributes, you can tailor access controls within your SSO environment to the conditions and criteria your organization requires.
