Access Control Based on Authentication Method
Overview
We are adding a new feature that will allow administrators to specify the specific method of authentication (such as Microsoft Online SSO) to use in order to access Customer Projects.
Who does this affect?
This change will affect administrators who want to restrict their users to using a specified authentication method over the current choice of email/password or SSO options including Google and Microsoft. Note that these policies may only be configured using Alloy Forge so please contact the Support Team to change the way in which users access your project.
Details
This change has introduced a new concept called "Customer Security Policy". In simple terms, this is an object contained in the Customer document that is meant to include information about customer choices in terms of security related "settings".
Currently the security policy only includes the accepted authentication method property. If set, a user can only create a customer session for a specific customer if that session is created through one of the accepted authentication methods. Normally a customer session is created by switching a master session to a customer session. This means the master session will need to have been created through one of the accepted authentication methods.
If the user utilises an authentication method not on the accepted list, an error message will be presented and the user returned to the logon screen to retry.
The security policies may be set using the following Forge endpoints:
GET api/customer/{id}/security-policy
- Gets the customer security policy for a specific customer
* PUT api/customer/{id}/security-policy
- Edits the customer security policy for a specific customer
Expected Release Date
13th January 2022