-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Prevent users with associated home IdP to change credentials #264
Comments
We provision our third-party IDPs in such way that a special role is associated to the user when they sign in. We then deny the authentication user username and password if the user has this role set. |
Hello @toddkazakov, can you elaborate on how to achieve this flow ? |
@LucasVanHaaren in the IDP settings I have added a mapper which assigns "brokered" role. In the login flow I then check if the user has this role and deny access if that's the case. |
I finally managed to do it (I think and hope there is no side-effect), but my authentication flow is now kinda complex. I tried to do only with one condition but local login was refused each time (with role brokered or not) UPDATE : sorry for the inconvenience, I finally reached my goal with a simpler authentication flow ! |
I think this feature should be expended to not only prevent login via credentials but also to prevent login via other identity providers that are not tied to the domain. e.g. I want marc@company.com to use the IdP tied to company.com, but I want julia@google.com to be able to login via Google.
Cool solution, but the user needs to login once with the special IdP to get the role, that might not be the case everywhere. I think we need:
flowchart LR
subgraph browser-flow
social-login(["social login (maybe not shown)"]) -->|domain-matches-idp| corpo-idp-login
social-login -->|no-match| logged-in
enter-email -->|domain-matches-idp| corpo-idp-login
corpo-idp-login --> logged-in
enter-email -->|no-match| social-or-password-login
social-or-password-login --> logged-in
end
subgraph direct-grant-flow
give-email-password --> domain-matches-idp
domain-matches-idp -->|yes|reject
domain-matches-idp -->|no|OK
end
|
Is there an existing feature request for this?
Is your feature related to a problem? Please describe.
Assume a user has a home IdP associated either via configured domain per IdP or an IdP with associated email is linked to user's account. In such a scenario users may not need credentials, because they are authenticated by the home IdP. In these scenarios it may be benefical to prohibt resetting credentials for users to prevent them from logging in locally.
Note that users without a home IdP that have a local account should still be able to reset credentials.
Describe the solution you'd like
I see two options here:
I think this still needs more clarification on what is needed (prevent password reset or prevent login with local account).
Describe alternatives you've considered
No response
Anything else?
See also:
The text was updated successfully, but these errors were encountered: