Limit Google CFA Access
Hey there, I set up Google (not Workspace) as an identity provider following the instructions in the documentation, and I set up an access control for allowed emails. When I tested my connection I seem to be able to log in with any email, but this doesn't apply to other identity providers last I checked. Is there anything I need to turn on or modify to make it work?
25 Replies
What's your policy look like?
Hey, thanks for the answer. I think I half figured it out in https://ptb.discord.com/channels/595317990191398933/909458221419356210/1281745345327398962
This seemed to solve the issue https://ptb.discord.com/channels/595317990191398933/909458221419356210/1281746588129034271
You mean you added one-time PIN as an option, or what exactly do you mean? All you should need is an allow policy only allowing specific emails, and as long as you don't have any other policies, only included emails would pass
yea I set the one-time PIN and the issue fixed itself. I know it's weird. Let me try to delete the one-time PIN and check again
ok so. I can't log in on the App Launcher, but I can log in on apps even if I use the access policy which restricts email
hmm, what does your application look like? Just a single allow policy? You don't have automatic auth and WARP on, for example, right?
no, the application is just an OpenID integration and there's just one access policy, yea. Automatic auth and WARP are not turned on
you're not using the normal Google identity provider, you're using some custom OpenID one instead?
I must have misread. No, I'm using the default Google identity provider
from the Google Cloud console
oh, well yea, for self-hosted applications, if all you have is a single allow policy with includes, you have to match at least one of the includes to be allowed in. If you're saying that is the case, it would be helpful to have some screenshots of your exact config
yea lemme post some
@Chaika
(doesn't affect SaaS apps, only self-hosted)
and so in that policy, you just have the access group, and that access group is set as "Include" and has "Include: Emails" inside of it?
yea just this
are those domains or emails?
If domains, there's a proper "Emails Ending In" selector
yea it's emails
ah ok, are you fine with me testing that policy externally then? That all looks pretty sane to me
uhh sure if you want
it didn't let me in
(that's what I would expect)
...
uhhhhhhhhhhhhh
well thanks for ur time ig
were you doing something specific to test if it was letting you in? Just to throw something out there that's tricked me a few times -- if you're using Firefox temp containers for specific domains, they make the access flows weird (well, you try to log in, and then no matter what you pick, since you return with the container you have an access cookie and then are allowed in)
wdym Firefox temp containers?
like workspaces
Firefox Multi-Account Containers
if you don't know what they are, you're probably not using them lol, you'd know
yea I'm not lol
well ig it's fixed until someone manages to access the few apps I have exposed externally
I'm trying to make CFA permanent again because I switched to Authentik as primary authn for a while and it's disappointing, and I want an easy switch in case