Limit Google CFA Access

Hey there, I set up Google (not Workspace) as an identity provider following the instructions in the documentation, and I set up an access control for allowed emails. When I tested my connection I seem to be able to log in with any email, but this doesn't apply to other identity providers, last I checked. Is there anything I need to turn on or modify to make it work?
25 Replies
Chaika, 2w ago
What does your policy look like?
Chaika, 2w ago
You mean you added one-time PIN as an option, or what exactly do you mean? All you should need is an Allow policy only allowing specific emails, and as long as you don't have any other policies, only included emails would pass.
4d62, 2w ago
Yeah, I set the one-time PIN and the issue fixed itself. I know it's weird. Let me try to delete the one-time PIN and check again. OK so, I can't log in on the App Launcher, but I can log in on apps even if I use the access policy which restricts email.
Chaika, 2w ago
Hmm, what does your application look like? Just a single Allow policy? You don't have automatic auth and WARP on, for example, right?
4d62, 2w ago
No, the application is just an OpenID integration and there's just one access policy, yeah. Automatic auth and WARP are not turned on.
Chaika, 2w ago
You're not using the normal Google identity provider, you're using some custom OpenID one instead?
4d62, 2w ago
I must have misread. No, I'm using the default Google identity provider from the Google Cloud console.
Chaika, 2w ago
Oh, well yeah, for self-hosted applications, if all you have is a single Allow policy with Includes, you have to match at least one of the Includes to be allowed in. If you're saying that is the case, it would be helpful to have some screenshots of your exact config.
4d62, 2w ago
Yeah, lemme post some.
4d62, 2w ago
@Chaika
[three screenshots attached, no description]
4d62, 2w ago
(Doesn't affect SaaS apps, only self-hosted.)
Chaika, 2w ago
And so in that policy, you just have the access group, and that access group is set as Include and has Include: Emails inside of it?
4d62, 2w ago
Yeah, just this.
[screenshot attached, no description]
Chaika, 2w ago
Are those domains or emails? If domains, there's a proper Emails Ending In selector.