All applications are subject to the default authorization policy (see below). You can also opt to create a custom, coarse-grained authorization policy. You can opt out of default authorization if your application provides its own authorization logic. Find out more about the SSO registration process. See the bottom of this page for examples.
The intent of SSO authorization is to ensure that all campus services provide some level of authorization, and to apply a CalNet default authorization to those that do not.
The default authorization policy applies to all new SSO Service Registrations.
The current makeup of the Default Authorization group is:
- All SPA UIDs (both SPA and user must be in the default group to gain access)
- CalNet Test Accounts and rSPAs with AFFILIATE-TYPE-TEST
- Active Employees, UCPath Affiliates, and Students
- Employees, UCPath Affiliates, and Students in Grace Period
Note: Guests and Alumni are not allowed.
Authorization can be provided in several different ways, and typically all of them can be combined in the service registration to achieve the desired result.
- CalGroups Official Groups
- CalGroups Ad Hoc Allow/Deny Groups
Application owners can opt out of default authorization; authorization is then performed only at the application level.
The application owner may also decide to mix SSO service authorization and application-specific authorization.
All users in the default group will be allowed to log in to your application.
Only employees and UCPath affiliates will be allowed to log in to your application (i.e., no students, SPAs, or alumni allowed).
Application Specific Authorization
All campus entities, including guests and alumni, can log in to your application; your application decides what users are allowed to access within the application.
Only users in the default group will be allowed to log in; your application decides what users are allowed to access within the application.