Account Approve/Deny Workflow

Approve or Deny User's ability to authenticate with KSM using SSO

In an environment where KCM users may be automatically created from an SSO system, such as SAML or OpenID or PIV/CAC, administrators may wish to more tightly control whether those users are allows to use KCM. To facilitate this, KCM provides administrators an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.

Configuring the KCM user creation workflow

To require approval for users signing in with a particular authentication method, use the require-account-approval property (or, for Docker, the REQUIRE_ACCOUNT_APPROVAL environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:

Authentication Method

Name

Encrypted JSON

json

LDAP

ldap

OpenID

openid

SAML

saml

SSL/TLS Client Authentication (PIV/CAC)

ssl

For example, to require administrator approval for SAML and LDAP, you would specify:

require-account-approval: saml, ldap

The following examples shows a docker.yaml file with the SAML Authentication method enabled:

 guacamole:
        image: keeper/guacamole:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
            GUACD_HOSTNAME: "guacd"
            SSL_PRIMARY_URI: "https://kcm.example.net"
            SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
            SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
            POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
            REQUIRE_ACCOUNT_APPROVAL: "saml"

Once you have successfully configured and setup the authentication method, the corresponding SSO login method will be displayed on the logic screen of the application. In the following image, the instance has been configured to use the saml authentication method:

Login Screen for SAML Authentication

Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:

Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:

Last updated