I have multiple organizations and multiple applications all within one tenant.
I am trying to only allow certain organizations to access certain apps.
I can’t find a way to do so, is it possible?
Hi @eric.krief, application entitlement can be achieved using a Post-Login Action.
You can see the organization parameters that are exposed in the event object when an end-user is logging in with an Organization here: Actions Triggers: post-login - Event Object.
You could use a list of Organization IDs to gate access, or use organization metadata for a more maintainable approach… I added an example starting point below.
/**
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  if (event.client.name === "Protected App") {
    // Deny unless the user logged in through an Organization whose metadata marks it as paid.
    // event.organization is absent when the login did not go through an Organization.
    if (!(event.organization && event.organization.metadata && event.organization.metadata["subscription"] === "paid")) {
      api.access.deny("Access to this application requires a paid subscription.");
    }
  }
};
Hi Adam, thanks for the quick reply!
Would you consider this approach secure?
Hi @eric.krief,
I can tell you that (at the time of writing this) the only time the organization object will be present on the event is when:
- An end-user has successfully authenticated with a connection that is enabled for the provided organization, and
- The end-user is either a member of the organization or the enabled_connection has auto-membership defined.
“Secure” depends on a lot of factors so I recommend taking a holistic approach to defining what is and isn’t acceptable for your use-case, and also taking a look at our docs: Secure.
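The following is an added example, not code from this thread or from Auth0: it combines the two gates discussed above (an allow-list of Organization IDs per application, then organization metadata) in a Post-Login Action, keyed by client_id rather than display name, and wraps the logic so it can be exercised offline with constructed events. The client and organization IDs are assumed placeholder values.

```javascript
// Allow-list keyed by client ID (assumed placeholder values; use your tenant's
// real client and organization IDs). Client IDs are stable, unlike display names.
const ORG_ALLOWLIST = {
  client_protected_app: new Set(["org_acme", "org_globex"]),
};

// Core decision logic, kept synchronous so it can be tested without a runtime.
function gate(event, api) {
  const allowedOrgs = ORG_ALLOWLIST[event.client.client_id];
  if (!allowedOrgs) {
    return; // Application is not gated; let the login continue.
  }
  // event.organization is only set when the user authenticated through an
  // Organization-enabled connection and is a member (or auto-membership applies),
  // so a missing object means the login did not go through an Organization.
  const orgId = event.organization && event.organization.id;
  if (!orgId || !allowedOrgs.has(orgId)) {
    api.access.deny("Your organization is not entitled to this application.");
    return;
  }
  // Second, metadata-driven gate: the organization must also be marked as paid.
  const subscription = (event.organization.metadata || {}).subscription;
  if (subscription !== "paid") {
    api.access.deny("Access to this application requires a paid subscription.");
  }
}

// The Action entry point as Auth0 would invoke it.
exports.onExecutePostLogin = async (event, api) => gate(event, api);

// Stand-in for the PostLoginAPI: records the deny reason instead of acting on it.
function makeApi() {
  const state = { denied: null };
  return { state, access: { deny(reason) { state.denied = reason; } } };
}

// Runs the gate against a constructed event and returns the deny reason
// (null when the login is allowed).
function decide(event) {
  const api = makeApi();
  gate(event, api);
  return api.state.denied;
}
```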
Thank you Adam for helping us on this front!