Limiting Access to Certain SSO Apps

Q: I want to implement single sign-on (SSO) across multiple apps, but with the ability to enable and disable which apps users are allowed to log in to. How do you suggest I implement this?

A: The answer is in two parts: where to verify access for each app, and where to store the data you verify against.

First, verifying access: the best place to do this is the login handler of each app (the point where we hand the login off to you). At that stage you are validating the login token anyway, so it makes sense to validate the user's right to that app at the same time, after the token's signature and expiry have checked out and on the server side, never in the client. If the check fails, it is also the ideal point to tell the user why, and where to go or who to ask to have access enabled.

Second, storing the access data. There are a couple of options here.
a) Store the apps as permissions attached to a Membership record, e.g. app:appname1 and app:appname2. Pros: works with JWT login token validation (with extended token data enabled, so the permissions arrive in the token) and can differ for each Membership if the User belongs to multiple Orgs.
b) Store the valid apps in a custom attribute on the User or the Org. Pros: this is effectively "all Orgs for one User" or "all Users for one Org", which is simpler if that kind of breadth matches what you want. The trade-off is that it cannot vary per Membership the way option a) can.
