SSO Authorization

All applications are subject to the default authorization policy, described below. You can also opt to create a custom, coarse-grained authorization policy, or opt out of default authorization if your application provides its own authorization logic. Find out more about the SSO registration process. See the bottom of this page for examples.

The intent of SSO authorization is to ensure that every campus service applies some level of authorization, by configuring the CalNet default authorization for services that do not provide their own.

Default Authorization Policy

The default authorization policy applies to all new SSO Service Registrations.  

The current makeup of the Default Authorization group is:

  • All SPA UIDs (both SPA and user must be in the default group to gain access)

  • CalNet Test Accounts and rSPAs with AFFILIATE-TYPE-TEST

  • Active Employees, UCPath Affiliates, and Students

  • Employees, UCPath Affiliates, and Students in Grace Period

Note: Guests and Alumni are not allowed.

Custom Authorization

Authorization can be provided several different ways, and typically, all of these ways can be combined together in the service registration to achieve the desired result.

  • CalGroups Official Groups
  • CalGroups Ad Hoc Allow/Deny Groups

Application Specific Authorization

Application owners can opt out of Default authorization; then authorization will be performed at only the application level.

The application owner may decide to mix SSO service authorization and application specific authorization as well. 

Examples

Default Authorization

All users in the default group will be allowed to log in to your application.

Custom Authorization

Only employees and UCPath affiliates will be allowed to log in to your application, i.e., no students, SPAs, or alumni allowed.

Application Specific Authorization

All campus entities, including guests and alumni, can log in to your application; your application decides what users are allowed to access within the application.

Combination

Only users in the default group will be allowed to log in; your application decides what users are allowed to access within the application.
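The four examples above are combinations of the same building blocks: the default group check, CalGroups allow/deny groups, and the application's own logic. The following model is an added illustration, not CalNet code; the affiliation labels, group names, the Principal/Policy shapes and the application's role table are assumptions made for the demonstration. It shows the layering order (SSO decision first, application decision second) and the SPA rule that both the SPA and the acting user must be in the default group.

```python
"""Illustrative model of the SSO authorization layers described on this page.
Added example, not CalNet code: affiliation strings, group names and the
Principal/Policy shapes are assumptions chosen for the demonstration."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Affiliations that make up the Default Authorization group on this page
# (the string labels are constructed for this example).
DEFAULT_GROUP_AFFILIATIONS = {
    "employee", "ucpath-affiliate", "student",                     # active
    "employee-grace", "ucpath-affiliate-grace", "student-grace",   # grace period
    "affiliate-type-test",                                         # test accounts / rSPAs
}
# Guests and alumni carry none of these affiliations, so they are excluded.


@dataclass
class Principal:
    uid: str
    affiliations: set = field(default_factory=set)
    groups: set = field(default_factory=set)        # CalGroups memberships
    is_spa: bool = False
    acting_user: Optional["Principal"] = None       # human logging in through a SPA


@dataclass
class Policy:
    default_required: bool = True                   # subject to the default policy
    allow_groups: set = field(default_factory=set)  # CalGroups official / ad hoc allow
    deny_groups: set = field(default_factory=set)   # CalGroups ad hoc deny
    app_check: Optional[Callable[["Principal"], bool]] = None  # application's own logic


def in_default_group(p: Principal) -> bool:
    """Default Authorization group membership. Every SPA UID is a member, but a
    SPA login also requires the acting user to be a member."""
    if p.is_spa:
        return p.acting_user is not None and in_default_group(p.acting_user)
    return bool(p.affiliations & DEFAULT_GROUP_AFFILIATIONS)


def sso_decision(p: Principal, policy: Policy) -> bool:
    """Decision made at the SSO layer, before the application sees the user."""
    if policy.default_required and not in_default_group(p):
        return False
    if p.groups & policy.deny_groups:     # assumption: a deny group wins over allow groups
        return False
    if policy.allow_groups and not (p.groups & policy.allow_groups):
        return False
    return True


def authorize(p: Principal, policy: Policy) -> bool:
    """SSO layer first, then the application's own authorization if it has one."""
    if not sso_decision(p, policy):
        return False
    if policy.app_check is not None:
        return policy.app_check(p)
    return True


# Constructed sample principals.
alice = Principal("alice", {"employee"}, {"employees"})
bob = Principal("bob", {"student"}, {"students"})
carol = Principal("carol", {"alumni"}, {"alumni"})
spa_alice = Principal("spa-payroll", is_spa=True, acting_user=alice)
spa_carol = Principal("spa-reunion", is_spa=True, acting_user=carol)

# Hypothetical application-side role table (constructed).
APP_ROLES = {"alice", "carol", "spa-payroll"}

# The four policies from the Examples section.
DEFAULT = Policy()
CUSTOM = Policy(allow_groups={"employees", "ucpath-affiliates"})
APP_ONLY = Policy(default_required=False, app_check=lambda p: p.uid in APP_ROLES)
COMBINATION = Policy(app_check=lambda p: p.uid in APP_ROLES)


def evaluate(policy: Policy) -> dict:
    """Map each sample principal's uid to the final allow/deny decision."""
    return {p.uid: authorize(p, policy) for p in (alice, bob, carol, spa_alice, spa_carol)}


if __name__ == "__main__":
    for name, policy in [("default", DEFAULT), ("custom", CUSTOM),
                         ("app-only", APP_ONLY), ("combination", COMBINATION)]:
        print(name, evaluate(policy))
```

Note how the custom policy excludes SPAs without any SPA-specific rule: the SPA passes the default check through its acting user but holds no CalGroups membership that matches the allow list.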