Overview
Self-service SSO does not show any option for the user to configure home realm discovery domains when creating a SAML connection. This article provides more details.
Applies To
- Self-service Single Sign-On (SSO)
- SAML
- Home realm discovery (HRD)
Solution
This is intentional, as an email domain should not be associated with home-realm discovery unless it is 100% certain the customer owns the domain. Domain ownership should be verified.
An attacker could set up self-serve SSO with a public domain provider such as gmail.com and force users to log in via that SSO connection. The attacker could also claim the domain of an existing customer who has yet to set up SSO and prevent them from accessing the service.
If customers need to configure home-realm discovery, ownership of the domain should first be verified. Then, the management API can be used to update the connection’s home-realm discovery domains via the options.domain_aliases attribute.
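The following is an added example, not code from the article or from the vendor, showing the sequence the solution describes: gate each requested domain on an ownership check, refuse public mailbox providers such as gmail.com, and only then write the verified list into options.domain_aliases. The DNS TXT-record convention (a "sso-domain-verification=<token>" record at the domain apex) is an assumed verification scheme, not one the article specifies; the TXT lookup is injected so the policy runs offline against constructed records. It also assumes, as the code comments state, that a PATCH to /api/v2/connections/{id} replaces the options object as a whole, so existing options are carried forward rather than sent partially. The existing-option key signInEndpoint and the vendor-specific hostnames are placeholders.

```python
import json
import re
import urllib.request

# Assumed convention (not the vendor's): the operator issues a random token and
# the customer publishes "<PREFIX>=<token>" as a DNS TXT record at the domain
# apex. Ownership is considered proven only when that record is observed.
VERIFICATION_PREFIX = "sso-domain-verification"

# Illustrative list of public mailbox providers that must never become an HRD
# domain for one tenant's connection; extend for your own environment.
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def normalize_domain(domain: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are exact-match."""
    return domain.strip().lower().rstrip(".")


def verification_record(token: str) -> str:
    """The TXT value the customer must publish for a given token."""
    return f"{VERIFICATION_PREFIX}={token}"


def vet_domains(requested, token, lookup_txt):
    """Decide which requested domains may become domain_aliases.

    lookup_txt(domain) -> list[str] of TXT strings published at the domain;
    injected so the policy can be tested offline with constructed records.
    Returns (accepted, rejected) where rejected maps raw input -> reason.
    """
    accepted, rejected = [], {}
    for raw in requested:
        d = normalize_domain(raw)
        if not DOMAIN_RE.match(d):
            rejected[raw] = "not a syntactically valid domain"
        elif d in PUBLIC_EMAIL_DOMAINS:
            rejected[raw] = "public mailbox provider; HRD would capture other tenants' users"
        elif verification_record(token) not in lookup_txt(d):
            rejected[raw] = "ownership not verified (TXT record missing)"
        elif d not in accepted:
            accepted.append(d)
    return accepted, rejected


def merged_options(existing_options, verified_domains):
    """Build the full options object to send.

    Assumption: PATCH /api/v2/connections/{id} replaces `options` as a whole
    rather than merging it, so every existing key is copied forward and only
    domain_aliases is rewritten from the verified list.
    """
    options = dict(existing_options)
    options["domain_aliases"] = sorted(verified_domains)
    return options


def patch_connection(tenant_domain, mgmt_token, connection_id, options):
    """Write the options back with a Management API token that can update
    connections. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"https://{tenant_domain}/api/v2/connections/{connection_id}",
        data=json.dumps({"options": options}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample: what a resolver would return for each domain's TXT records.
SAMPLE_TXT = {
    "example-corp.test": ["v=spf1 -all", "sso-domain-verification=tok-123"],
    "partner.test": ["v=spf1 -all"],
}


def demo():
    """Vet a mixed request and build the options object for the PATCH."""
    accepted, rejected = vet_domains(
        ["Example-Corp.test.", "gmail.com", "partner.test", "not valid"],
        "tok-123",
        lambda d: SAMPLE_TXT.get(d, []),
    )
    # Placeholder existing options fetched earlier with GET on the connection.
    existing = {"signInEndpoint": "https://idp.example-corp.test/saml"}
    return accepted, rejected, merged_options(existing, accepted)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed run only example-corp.test survives: gmail.com is refused as a public provider regardless of any TXT record, partner.test is refused because the record is absent, and the malformed entry never reaches a lookup. Fetch the connection first and pass its current options into merged_options so the write does not silently drop the SAML settings the connection already has.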