Limit Google CFA Access

Hey there, I setup Google (not workspace) as an identity provider following the instructions in the documentation and I setup an access control for allowed emails. When I tested my connection I seem to be able to login with any email but this doesn't apply to other identity providers last i checked. Is there anything i need to turn on or modify to make it work
25 Replies
Chaika
Chaika4mo ago
What's your policy look like?
Chaika
Chaika4mo ago
You mean you added one time pin as an option or what exactly do you mean? All you should need is an allow policy only allowing specific emails, and as long as you don't have any other policies, only included emails would pass
4d62
4d62OP4mo ago
yea I set the one time pin and the issue fixed itself. I know its weird. let me try to delete the one time pin and check again ok so. I can't login on app launcher but I can login on apps even if I use the access policy which restricts email
Chaika
Chaika4mo ago
hmm, what does your application look like? Just a single allow policy? You don't have automatic auth and WARP on, for example, right?
4d62
4d62OP4mo ago
no the application is just an openid integration and the theres just one access policy yea. Automatic auth and warp are not turned on
Chaika
Chaika4mo ago
you're not using the normal google identity provider, you're using osme custom openid one instead?
4d62
4d62OP4mo ago
i must have misread. no im using the default google identity provider from the google cloud console
Chaika
Chaika4mo ago
oh, well yea for self-hosted applications if all you have is a single allow policy with includes, have to match at least one of the includes to be allowed in. If you're saying that is the case would be helpful to have some screenshots of your exact config
4d62
4d62OP4mo ago
yea lemme post some
4d62
4d62OP4mo ago
@Chaika
No description
No description
No description
4d62
4d62OP4mo ago
(doesnt affect SAAS apps only selfhosted)
Chaika
Chaika4mo ago
and so in that policy, you just have the access group, and that access group is set as Include and has Include: Emails inside of it?
4d62
4d62OP4mo ago
yea just this
No description
Chaika
Chaika4mo ago
are those domains or emails? If domains there's a proper Emails Ending In selector
4d62
4d62OP4mo ago
yea its emails
Chaika
Chaika4mo ago
ah ok, are you fine with me testing that policy externally then? That all looks pretty sane to me
4d62
4d62OP4mo ago
uhh sure if you want
Chaika
Chaika4mo ago
it didn't let me in
No description
Chaika
Chaika4mo ago
(that's what I would expect)
4d62
4d62OP4mo ago
... uhhhhhhhhhhhhh well thanks for ur time ig
Chaika
Chaika4mo ago
were you doing something in specific to test if it was letting you in? Just to throw something out there that's tricked me a few times -- if you're using Firefox temp containers that for specific domains they make the access flows weird (well, you try to login, and then no matter what you pick since you return with the container you have an access cookie and then are allowed in)
4d62
4d62OP4mo ago
wdym firefox temp containers like workspaces
Chaika
Chaika4mo ago
Firefox multi-Account containers if you don't know what they are, you're probably not using them lol, you'd know
4d62
4d62OP4mo ago
yea im not lol well ig its fixed until someone manages to access the few apps i have exposed externally im trying to make cfa permanent again because i switched to authentik as primary authn for a while and its disappointing and I want an easy switch incase
Want results from more Discord servers?
Add your server