I have noticed that locked/revoked users are automatically "unlocked" if they log in through SSO.
So, I want to know what is the best or easiest way to not allow that to happen. Basically, I don't want locked/revoked users to be allowed back into my app through SSO.
You are correct. By default the system assumes that if an end user can authenticate against their IDP via SSO then that user should have access to the app and as such the IDP App User task does this by default in that executing context.authorized(user) would both enroll and unlock the user passed into the function (this behavior is by design so as to delegate the authorization for the app to the federated IDP, for example if the user is locked in AD then they won’t be able to log into the app via SSO).
However, it is pretty easy to update your idp_app_user_task to check if the user has been locked before allowing them into the app. Below is a pretty standard implementation of the idp_app_user_task updated to accomplish this. It uses the sessions API to review the locked status of the user before allowing them into the application.
export async function extractIdentity({claims, context}) {
  console.log(`Claims: ${JSON.stringify(claims)}`);
  // Prefer the email claim, fall back to the IDP uid; lower-case it so the DB lookup is case-insensitive
  let claimsEmail = claims.info.email ? claims.info.email : claims.uid;
  claimsEmail = claimsEmail.toLowerCase();
  console.log(`Claims email: ${claimsEmail}`);
  let user = await DB.user.first("email = ?", claimsEmail);
  if (!user) {
    // First SSO login for this identity: enroll a new app user
    console.log('No user found, creating a new one');
    user = DB.user.create();
    user.email = claimsEmail;
    user.name = claims.info.name ? claims.info.name : `${claims.info.first_name} ${claims.info.last_name}`;
    await user.save();
  } else {
    console.log(`User found, ID: ${user.id}, checking if user is revoked`);
    // Existing user: ask the sessions API whether the account is locked before letting them in
    const options = {
      method: 'GET',
      headers: {
        'Authorization': `Bearer ${this.backend.token}`
      }
    };
    console.log('About to query sessions api');
    let response = await fetch(`${this.backend.url}/users/${user.id}`, options);
    if (!response.ok) {
      // Fail closed: if the lock status cannot be verified, deny rather than fall through to authorized
      console.log(`Sessions API returned ${response.status}`);
      return context.unauthorized({message: 'Access Denied - Unable to verify account status'});
    }
    let userSessionData = await response.json();
    if (userSessionData.locked) {
      console.log('User locked');
      return context.unauthorized({message: 'Access Denied - Account Locked'});
    }
  }
  console.log('Responding with authorized');
  // This line of code enrolls the user, but would also unlock the user if they were previously locked/revoked
  return context.authorized(user);
}
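The decision logic of the task above, as an added example that is not part of the original post or the platform's own code: the platform objects (DB.user, fetch, context, this.backend) are replaced with hypothetical synchronous in-memory stubs and constructed sample data so the lock check can be exercised offline. It also goes slightly beyond the posted task in one respect, which is a design choice rather than platform behaviour: when the sessions API call fails or returns a non-OK status, the existing user is denied (fail closed) instead of being allowed through.

```javascript
// Added example (not from the original post). Models the extractIdentity decision
// rules with hypothetical stubs in place of the platform's DB, fetch and context APIs.

// Constructed user directory standing in for DB.user (hypothetical sample data).
const USERS = [
  { id: 1, email: "alice@example.com", name: "Alice" },
  { id: 2, email: "bob@example.com", name: "Bob" },
];

// Constructed sessions-API responses standing in for GET /users/{id} (hypothetical).
// Bob is locked; Alice is not.
const SESSIONS = {
  1: { ok: true, status: 200, body: { locked: false } },
  2: { ok: true, status: 200, body: { locked: true } },
};

// Same rule as the task: prefer the email claim, fall back to uid, normalise case.
function claimsToEmail(claims) {
  const info = claims.info || {};
  const raw = info.email ? info.email : claims.uid;
  return String(raw).trim().toLowerCase();
}

// Same rule as the task: full name claim, else first + last name.
function nameFromClaims(info) {
  if (info.name) return info.name;
  return [info.first_name, info.last_name].filter(Boolean).join(" ");
}

// Stub for the sessions API lookup: returns { ok, status, body } like a fetch Response
// that has already been parsed (hypothetical helper).
function lookupSession(userId) {
  const s = SESSIONS[userId];
  return s ? s : { ok: false, status: 404, body: null };
}

// decideAccess returns what the task would hand to context.authorized / context.unauthorized.
//   claims          - the IDP claims object ({ uid, info: { email, name, first_name, last_name } })
//   users           - the app's user table (array standing in for DB.user)
//   fetchUserStatus - function(id) -> { ok, status, body }, may throw on network failure
function decideAccess(claims, users, fetchUserStatus) {
  const email = claimsToEmail(claims);
  let user = users.find((u) => u.email === email);

  if (!user) {
    // New identity: enroll. Nothing to unlock, so no status check is needed.
    user = { id: null, email, name: nameFromClaims(claims.info || {}) };
    return { action: "authorized", user, enrolled: true };
  }

  // Existing identity: verify lock status before authorizing, because
  // context.authorized() would silently unlock a locked/revoked account.
  let status;
  try {
    status = fetchUserStatus(user.id);
  } catch (err) {
    // Fail closed on transport errors (design choice of this example).
    return { action: "unauthorized", reason: `Access Denied - status check failed: ${err.message}` };
  }
  if (!status.ok) {
    // Fail closed on non-OK responses as well (design choice of this example).
    return { action: "unauthorized", reason: `Access Denied - status check returned ${status.status}` };
  }
  if (status.body.locked) {
    return { action: "unauthorized", reason: "Access Denied - Account Locked" };
  }
  return { action: "authorized", user, enrolled: false };
}

// Demo run over the constructed data.
for (const claims of [
  { info: { email: "Alice@Example.com", name: "Alice" } },
  { info: { email: "bob@example.com", name: "Bob" } },
  { uid: "carol@example.com", info: { first_name: "Carol", last_name: "C" } },
]) {
  console.log(claimsToEmail(claims), "->", JSON.stringify(decideAccess(claims, USERS, lookupSession)));
}
```

The only branch that can unlock an account is the final `authorized` return, so every path for an existing user must pass through the lock check first; treating a failed or non-OK status lookup as a denial keeps an outage of the sessions API from becoming a way back in for a revoked user.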