Account Approve/Deny Workflow
Approve or deny a user's ability to authenticate with KCM using SSO
In an environment where KCM users may be created automatically from an SSO system, such as SAML, OpenID or PIV/CAC, administrators may wish to control more tightly whether those users are allowed to use KCM. To facilitate this, KCM provides administrators with an approve/deny workflow to decide whether an individual user should be allowed to authenticate with KCM using that SSO method.
To require approval for users signing in with a particular authentication method, use the require-account-approval property (or, for Docker, the REQUIRE_ACCOUNT_APPROVAL environment variable). This property accepts a comma-separated list of the names of all authentication methods that should require administrator approval. KCM supports the following authentication types:

| Authentication Method | Name |
| --- | --- |
| Encrypted JSON | json |
| LDAP | ldap |
| OpenID | openid |
| SAML | saml |
| SSL/TLS Client Authentication (PIV/CAC) | ssl |
For example, to require administrator approval for SAML and LDAP, you would specify:
require-account-approval: saml, ldap
The following example shows a docker.yaml file with the SAML authentication method enabled and approval required for it:

```yaml
guacamole:
  image: keeper/guacamole:2
  restart: unless-stopped
  environment:
    ACCEPT_EULA: "Y"
    GUACD_HOSTNAME: "guacd"
    SSL_PRIMARY_URI: "https://kcm.example.net"
    SSL_CLIENT_AUTH_URI: "https://*.kcm.example.net"
    SSL_SUBJECT_BASE_DN: "ou=test department,o=u.s. government,c=us"
    POSTGRESQL_AUTO_CREATE_ACCOUNTS: "true"
    REQUIRE_ACCOUNT_APPROVAL: "saml"
```
Once you have successfully configured and set up the authentication method, the corresponding SSO login method will be displayed on the login screen of the application. In the following image, the instance has been configured to use the saml authentication method:
[Image: Login Screen for SAML Authentication]
Users with at least one authentication method that needs to be approved or denied will be shown in the user list with a “Pending Login Request” badge next to their username:

Administrators can approve/deny access for that user via that authentication method by editing the user account in KCM:

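To make the workflow described on this page concrete, here is an added Python example (not KCM's own code; KCM's internal data model is not documented here and everything below is an assumption) that parses a require-account-approval value the way the property is described, rejects unrecognised method names so a typo cannot silently leave a method ungated, and then evaluates a login attempt against a per-user, per-method approval record. The "pending" state corresponds to the "Pending Login Request" badge; methods not listed in the property are not gated at all.

```python
from dataclasses import dataclass, field
from enum import Enum

# Authentication method names documented for require-account-approval.
KNOWN_METHODS = {"json", "ldap", "openid", "saml", "ssl"}


def parse_require_account_approval(value: str) -> set[str]:
    """Parse the comma-separated require-account-approval value.

    Names are trimmed and lower-cased ("saml, ldap" and " SAML,ldap " are
    equivalent).  An unknown name raises, because a misspelled entry would
    otherwise gate nothing and leave that method open.  An empty value gates
    no method.
    """
    methods = {m.strip().lower() for m in value.split(",") if m.strip()}
    unknown = methods - KNOWN_METHODS
    if unknown:
        raise ValueError(f"unknown authentication method(s): {sorted(unknown)}")
    return methods


class Decision(Enum):
    ALLOW = "allow"
    PENDING = "pending"  # account exists, administrator has not decided yet
    DENIED = "denied"


@dataclass
class UserAccount:
    """Hypothetical user record (assumption, not KCM's schema).

    attempted: gated methods this user has tried to log in with.
    approvals: method name -> True (approved) / False (denied);
               a method absent from the dict has no decision yet.
    """
    username: str
    attempted: set[str] = field(default_factory=set)
    approvals: dict[str, bool] = field(default_factory=dict)


def evaluate_login(user: UserAccount, method: str, gated: set[str]) -> Decision:
    """Decide whether a login via `method` may proceed.

    Ungated methods are allowed outright.  For a gated method the login is
    recorded as attempted and the administrator's decision (if any) applies.
    """
    method = method.strip().lower()
    if method not in gated:
        return Decision.ALLOW
    user.attempted.add(method)
    state = user.approvals.get(method)
    if state is None:
        return Decision.PENDING
    return Decision.ALLOW if state else Decision.DENIED


def has_pending_request(user: UserAccount, gated: set[str]) -> bool:
    """True when the user should carry a 'Pending Login Request' badge:
    at least one gated method was attempted and has no decision yet."""
    return any(m in gated and m not in user.approvals for m in user.attempted)


def set_decision(user: UserAccount, method: str, approved: bool) -> None:
    """Administrator approves (True) or denies (False) a method for a user."""
    user.approvals[method.strip().lower()] = approved


if __name__ == "__main__":
    gated = parse_require_account_approval("saml, ldap")
    alice = UserAccount("alice")           # constructed sample user
    print(evaluate_login(alice, "saml", gated))   # Decision.PENDING
    print(has_pending_request(alice, gated))       # True
    set_decision(alice, "saml", True)
    print(evaluate_login(alice, "saml", gated))   # Decision.ALLOW
    print(evaluate_login(alice, "openid", gated)) # Decision.ALLOW (not gated)
```

The strict parser is the deliberate design choice here: a configuration that gates authentication should fail loudly on an unknown name rather than degrade to "no approval required" for the method the administrator meant to protect.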