Approve or Deny User's ability to authenticate with KCM using SSO
In an environment where KCM users may be automatically created from an SSO system, such as SAML, OpenID, or PIV/CAC, administrators may wish to more tightly control whether those users are allowed to use KCM. To facilitate this, KCM provides administrators an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.
To require approval for users signing in with a particular authentication method, use the require-account-approval property (or, for Docker, the REQUIRE_ACCOUNT_APPROVAL environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:
| Authentication Method                    | Name   |
| ---------------------------------------- | ------ |
| Encrypted JSON                           | json   |
| LDAP                                     | ldap   |
| OpenID                                   | openid |
| SAML                                     | saml   |
| SSL/TLS Client Authentication (PIV/CAC)  | ssl    |
For example, to require administrator approval for SAML and LDAP, you would specify:
The following example shows a docker.yaml file with the SAML authentication method enabled:
Once you have successfully configured and set up the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the saml authentication method:
Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:
Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:
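The following is an added illustration of the approval workflow described above, written for this page and not KCM's own code. It models how a require-account-approval value such as "saml, ldap" is parsed and how a user's sign-in via a given method resolves to allowed, denied, or pending (the "Pending Login Request" state); the User class, its fields, and the function names are assumptions made for the example, and the strict rejection of unknown method names is added here as a configuration check, not documented KCM behaviour.

```python
from dataclasses import dataclass, field

# Method names KCM accepts in require-account-approval (see the table above).
KNOWN_METHODS = {"json", "ldap", "openid", "saml", "ssl"}


def parse_require_account_approval(value: str) -> set[str]:
    """Parse the comma-separated property value into a set of method names.

    Whitespace is stripped and names are lower-cased, so "SAML, ldap" equals
    "saml,ldap". Unknown names raise (an assumption of this example): a typo
    such as "oidc" would otherwise match nothing and silently leave that
    method without the approval requirement the administrator intended.
    """
    names = {p.strip().lower() for p in value.split(",") if p.strip()}
    unknown = names - KNOWN_METHODS
    if unknown:
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    return names


@dataclass
class User:
    """Hypothetical user record: which methods were tried and what was decided."""
    username: str
    attempted: set[str] = field(default_factory=set)         # methods signed in with
    decisions: dict[str, str] = field(default_factory=dict)  # method -> "approved"/"denied"


def login_outcome(user: User, method: str, required: set[str]) -> str:
    """Return "allowed", "denied" or "pending" for a sign-in via `method`."""
    method = method.lower()
    user.attempted.add(method)
    if method not in required:
        return "allowed"            # this method does not need administrator approval
    decision = user.decisions.get(method)
    if decision == "approved":
        return "allowed"
    if decision == "denied":
        return "denied"
    return "pending"                # awaits an administrator's approve/deny decision


def has_pending_request(user: User, required: set[str]) -> bool:
    """True when the user should carry the "Pending Login Request" badge."""
    return any(m in required and m not in user.decisions for m in user.attempted)
```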