Group based authorization
The Pointsharp IdP Group Authorization Authenticator is a post-login authenticator for SAML flows in Pointsharp IdP.
Its main function is to enforce group-based authorization: only users who are members of an allowed group (and not members of any denied group) can proceed. This moves the group check into the IdP itself instead of leaving it to each service provider.
If a user is denied, either a customizable "access denied" page is shown, with support for a custom heading, message and support link, or the user is redirected to a configured URL.
Features
- Fine-grained group logic: Supports both allowed and denied groups, with denied groups always taking precedence. Trailing wildcards (for example finance*, admin*) match any group name that starts with the given prefix, which allows access control based on group naming patterns rather than exact names.
- Customizable user experience: Provides a customizable "access denied" page, including heading, message and support link, and an optional redirect for denied users, so end users get a clear, branded error page instead of a generic failure.
- Centralized, reusable logic: All group-based authorization logic is encapsulated in a single authenticator, making it easier to configure, audit, and maintain.
Configuration options
Group-based authorization
- allowedGroups
  - Comma-separated list of allowed group names or wildcard patterns (for example: finance*,admin*).
  - If set, the user must be a member of at least one allowed group to proceed. If empty, no membership requirement is applied (only deniedGroups is evaluated).
  - A trailing wildcard (*) matches any group name that starts with the text before it. Keep prefixes specific: IT* also matches a group named ITContractors.
- deniedGroups
  - Comma-separated list of denied group names or wildcard patterns (for example: test*,blocked*).
  - If the user is a member of any denied group, access is denied, even if the user is also in an allowed group.
  - A trailing wildcard (*) matches any group name that starts with the text before it.
Customizable error page
- messageHeading
  - The heading/title displayed on the access denied page.
  - Example: Access Denied
- messageText
  - The main message shown to the user on the denied page.
  - Example: You do not have access to this application
- messageURL
  - An optional link (URL) shown on the denied page, for example to a helpdesk or documentation.
  - Example: https://support.example.com/access-issues
- redirectUsers
  - If set to a URL, denied users are redirected to this URL instead of seeing the denied page.
How to add the Authenticator to a Flow in Pointsharp IdP
Authentication flows define how users authenticate, while the authentication context configuration in client scopes defines how the authentication result is expressed as ACR values.
- Log in to the Pointsharp IdP Admin GUI.
- Select the realm you want to configure.
- Go to Authentication > Flows.
- Create a new flow or copy an existing one.
- In your flow, click Add execution / Add step after the user authentication step.
- Add the Group Authorization authenticator to the flow and set its requirement level. Use Required so the check is always executed; a step that can be skipped does not enforce the group policy.
- Save the flow.
- Go to Client > (select client) > Advanced > Authentication Flow Overrides.
- Select your customized flow to be used by this client, and save. Only clients bound to this flow enforce the check; clients that still use the realm's default flow are not covered by it.
- In the flow, click the config gear next to your authenticator step and set the configuration options as needed.
Example configurations
Allow only specific groups, deny none
allowedGroups: HR,IT,Finance
deniedGroups: (empty)
Only users in the "HR", "IT", or "Finance" groups are allowed.
Allow only Sales* and Marketing* groups
allowedGroups: Sales*,Marketing*
deniedGroups: (empty)
Only users in groups whose names start with "Sales" or "Marketing" are allowed. All others are denied.
Deny External* and Blocked* groups, allow all others
allowedGroups: (empty)
deniedGroups: External*,Blocked*
Any user in a group whose name starts with "External" or "Blocked" is denied, regardless of other group memberships. All others are allowed.
Note: If both allowedGroups and deniedGroups are empty, all users are allowed.
Note: Denied groups always take precedence over allowed groups.
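The decision rules above are easy to get wrong in a live configuration (a short wildcard prefix, or an allowed group that is also caught by a denied pattern). The following is an added example, not Pointsharp code: a small Python model of the allowedGroups/deniedGroups evaluation as this page describes it, so a proposed configuration can be checked against a user's group list before it is deployed. It assumes case-sensitive comparison of plain group names, which the page does not specify, and the sample users are constructed.

```python
# Added example: reference model of the allowedGroups/deniedGroups decision.
# Not Pointsharp code. Assumptions (not stated on the page): comparisons are
# case-sensitive and plain group names, not group paths, are compared.
from typing import Iterable, List, Tuple


def parse_patterns(setting: str) -> List[str]:
    """Split a comma-separated setting, trimming whitespace and dropping empty entries."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def matches(pattern: str, group: str) -> bool:
    """A trailing * makes the pattern a prefix match; anything else is an exact match."""
    if pattern.endswith("*"):
        return group.startswith(pattern[:-1])
    return group == pattern


def first_match(patterns: List[str], groups: List[str]) -> Tuple[str, str]:
    """Return the first (pattern, group) pair that matches, or ("", "") if none does."""
    for pattern in patterns:
        for group in groups:
            if matches(pattern, group):
                return pattern, group
    return "", ""


def decide(user_groups: Iterable[str], allowed_groups: str = "", denied_groups: str = "") -> Tuple[bool, str]:
    """Apply the authenticator's rules and return (permitted, reason).

    Evaluation order mirrors the page:
      1. membership in any denied group denies, even if an allowed group also matches;
      2. an empty allowedGroups imposes no membership requirement;
      3. otherwise the user must match at least one allowed pattern.
    The reason string is intended for audit logging of the decision.
    """
    groups = list(user_groups)
    denied = parse_patterns(denied_groups)
    allowed = parse_patterns(allowed_groups)

    pattern, group = first_match(denied, groups)
    if pattern:
        return False, f"denied: group '{group}' matches deniedGroups pattern '{pattern}'"

    if not allowed:
        return True, "allowed: allowedGroups is empty, no membership required"

    pattern, group = first_match(allowed, groups)
    if pattern:
        return True, f"allowed: group '{group}' matches allowedGroups pattern '{pattern}'"
    return False, "denied: no group matches allowedGroups"


def is_allowed(user_groups: Iterable[str], allowed_groups: str = "", denied_groups: str = "") -> bool:
    """Convenience wrapper returning only the permit/deny result."""
    return decide(user_groups, allowed_groups, denied_groups)[0]


if __name__ == "__main__":
    # Constructed sample users and settings, not real data.
    samples = [
        (["HR"], "HR,IT,Finance", ""),
        (["SalesEMEA"], "Sales*,Marketing*", ""),
        (["Finance", "BlockedVendors"], "Finance", "Blocked*"),  # denied wins
        (["ITContractors"], "IT*", ""),  # prefix wildcard is broader than the name suggests
    ]
    for groups, allowed, denied in samples:
        ok, why = decide(groups, allowed, denied)
        print(f"{groups!r:32} allowed={allowed!r:22} denied={denied!r:12} -> {why}")
```

Running the module prints one line per sample showing which rule fired; the last sample is the case to watch for in review, since IT* admits every group whose name merely starts with IT.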