SSO Only Allowing Sign on if Your email is already linked to an account
0
Within Mendix 10.6.5, I have created an app that uses single sign-on (SSO). Currently, it works as intended when an account already exists: users are logged in directly to the correct account. However, I’m facing an issue where anyone can log in using any email, even if there is no corresponding account in the system. While I can set a default user role to manage this slightly, I want to prevent unauthorized access entirely. Instead, users without existing accounts should be redirected to the login page. Does anyone know how I can achieve this or where to start?

Here are additional details that might help: I’ve already tried disabling the feature that allows users to be auto-configured, but this caused errors to occur. Specifically:

- User Lookup Failure: The system attempts to find a user in the Mendix database using the email provided by the SSO, but no matching account is found.
- Automatic User Provisioning Issue: The CreateUserRecord action fails because the system is not permitted to create new user records (as per the desired configuration).
- SSO Configuration Conflict: The SSO setup currently expects user creation to be allowed but needs to be configured to restrict access to existing accounts only.

These errors result in the application breaking and redirecting users to an unhelpful error page, which is not ideal. Any guidance would be appreciated!

The error page: (screenshot not captured)
The app configuration with the user: (screenshot not captured)
Microflow that seems most crucial: (screenshot not captured)
asked
Matthew Mooney
2 answers
0
It might be me, but if you do not allow any user provisioning and the user cannot be found in the app but is a known user of the IdP, you just get the message that the SAML was valid but that no user account could be found and you should contact your administrator.
And being able to log in with any email address I find strange. Are you sure your SAML setup is working OK? And did you make sure that no user could log in through the login.html? Because if users could log in before the SAML setup was done and the login.html is still available, they could still log in and not use the SAML setup at all. You should always reset passwords in that case so that users can only log in through SAML.
Regards,
Ronald
answered
Ronald Catersels
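The two points in this answer, as an added illustration that is not Mendix's SAML module nor code from the thread: a model of how a validated assertion's email should be resolved when Just-in-time provisioning is off (a clean redirect to the login page instead of an exception), plus a check for accounts that still carry a local password and could bypass SAML via login.html. Account and Outcome types, the sample accounts, and case-insensitive email matching are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    roles: tuple
    has_local_password: bool = False  # True if a login.html password still works


@dataclass
class Outcome:
    action: str    # "grant", "provision" or "redirect_login"
    email: str
    reason: str


def resolve_sso_login(assertion_email: str, accounts: dict, allow_jit: bool) -> Outcome:
    """Map the email from an already-validated SAML assertion to an app account.

    With Just-in-time provisioning disabled, an unknown email yields a
    redirect_login outcome rather than a failed CreateUserRecord step.
    """
    email = assertion_email.strip().lower()  # assumption: emails compared case-insensitively
    account = accounts.get(email)
    if account is not None:
        return Outcome("grant", email, "existing account")
    if allow_jit:
        accounts[email] = Account(email, ("User",))  # default role for auto-created users
        return Outcome("provision", email, "created with default role")
    return Outcome("redirect_login", email, "no account and provisioning disabled")


def accounts_bypassing_sso(accounts: dict) -> list:
    """Accounts whose local password still works can skip SAML through login.html;
    these are the ones to reset."""
    return sorted(a.email for a in accounts.values() if a.has_local_password)


def sample_accounts() -> dict:
    """Constructed sample data: one SAML-only user, one user with a leftover local password."""
    return {
        "alice@example.com": Account("alice@example.com", ("Administrator",)),
        "bob@example.com": Account("bob@example.com", ("User",), has_local_password=True),
    }
```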
0
Do I understand correctly:
- users that do not have an account yet should not have any access
- you've disabled the Just-in-time user provisioning
Your expectation:
- user gets redirected to login-screen of IdP (so he could login with a different account)