UniFi Identity Enterprise - SSO App Policy and Rule

Introduction

App sign-on policies can allow or restrict user access to SSO applications based on the following conditions:

  • User's IP address
  • Device platform
  • Client
  • Behavior
  • Risk level
  • Identity provider

By default, all users can access the apps assigned to them without re-entering their passwords or receiving MFA prompts. To configure granular access to apps, you can add one or multiple policies and rules and prioritize them. A policy and rule with a higher priority take precedence over those with a lower priority.

Create an SSO App Policy

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Go to Security > Identity Firewall > Policy > SSO Apps and click + SSO App Sign-On Policy.
  3. Enter the following information:
    • Policy Name: Enter a name for the policy.
    • Description: Enter a description for the policy.
    • Validity Period: Specify the validity period of the policy.
      • Always: The policy is always effective unless you disable it.
      • Specified time range: The policy is only effective within the specified time range. Tick the “Based on users' time zones” checkbox to ensure the time range reflects users' time zones.
      • Recurring schedule: The policy is effective based on the recurring schedule.
    • Applied Applications: Click Add Application to Policy, select applications that this policy will apply to, and click Add.
  4. Click Save.
  5. Verify your account with an MFA method.
  6. You can continue to create an SSO app policy rule or create it later.

Create an SSO App Policy Rule

  1. Do either of the following:

    • Create a new policy and rule: You'll be prompted to create a rule after a policy is created.
    • Create a rule in an existing policy: Go to Security > Identity Firewall > Policy > SSO Apps, click an existing policy, go to Rules and click Create.
  2. Enter the Rule Name and tick “Enable this rule” to enable it.

  3. Go to Exclude Users (Optional) and click the “+” icon to select the users you want to exclude from this rule. No user is selected by default.

  4. Go to Who does this rule apply to and select the following options as needed.

    • Users assigned this app: Assign the rules to all the users who have been assigned the selected apps.
    • Select group, role, or user: Assign the rule to specific groups, roles, or users who have been assigned the selected apps.
  5. Go to Conditions and set the following:

    • If the user's IP is: Specify the network zone to which this rule applies.
      • Anywhere: The action is triggered no matter what the user's IP is. This is selected by default.
      • Inside Zone: The action takes effect when the user's IP is within the set network zone range.
      • Outside Zone: The action takes effect when the user's IP is outside of the network zone range.
    • And if their device platform is: Specify the device this rule applies to.
      • Default is set to “Any Device”.
      • Device types:
        • Mobile: iOS, Android, and other mobile devices (e.g., BlackBerry).
        • Desktop: macOS, Windows, and other desktops (e.g., Linux).
    • And if their client is: Specify the client this rule applies to.
      • Default is set to “Any client”.
      • Client types:
        • Identity Enterprise desktop app: macOS and Windows
        • Identity Enterprise mobile app: iOS and Android
        • Identity Enterprise Manager
        • Identity Enterprise Workspace
        • Identity Enterprise app on UniFi Talk
    • And if their behavior is: Specify the behavior this rule applies to. Note: This condition is not available in the Identity Enterprise Basic Plan.
      • Select the default behavior rule or the one you have created.
      • If multiple behaviors are selected, this rule will be triggered if one of the conditions is satisfied.
      • The selected behaviors are assessed together with the rule's other conditions. If the stated conditions are satisfied, the action set in the "Then user's access is" section (Allowed or Denied) either permits the user to sign in or prompts them to complete MFA.
      • If an IP address or network zone has been included and a behavior that specifies an IP address is also included, all the criteria must be met for the rule to be enforced.
    • And if their risk level is: Define the risk level for triggering the action. Risk scoring is calculated using past activities. Note: This condition is not available in the Identity Enterprise Basic Plan.
    • And if their Identity Provider is: Specify the identity provider for triggering the actions. Note: This condition is not available in the Identity Enterprise Basic Plan.
      • “Any” is selected by default.
      • UniFi Identity Enterprise Account
      • Google
  6. Go to Actions and set whether to allow user access:

    • Allowed: Allow users to access the selected applications.
    • Blocked: Do not allow users to access the selected applications.
    • MFA: Specify whether MFA is required for application sign-ins. If a policy specifies a particular MFA method, you cannot remove that MFA method until it is removed from all policies that require it.
      • Not Required: Users can sign in without verifying their account.
      • Any Factor: Users must verify their account using any MFA method.
        • When to Prompt for MFA:
          • Every sign-on: MFA is required for each sign-in.
          • When signing in with a new device: When users opt for "Do not ask me again" on the sign-in page while signing in from a new device, their MFA information gets saved in the cookies of their trusted devices after a successful sign-in. This means that they won't be prompted for MFA again as long as the cookies remain valid.
            • Select "Don't prompt me again for MFA" by default: If this checkbox is ticked, the “Don't prompt me again for MFA” checkbox will be automatically selected by default on the user's identity authentication window.
          • After MFA lifetime for device cookie expires: When users opt for "Do not ask me again for the next [Number] minutes/hours/days" on the sign-in page, their MFA information gets saved in the cookies of their trusted devices after a successful sign-in. This means that they won't be prompted for MFA again as long as the cookies remain valid. Once the MFA lifetime for the device cookie expires, users will be required to undergo MFA again.
            • MFA Lifetime: Set the MFA lifetime to a specific number of minutes, hours, or days.
      • Factor Sequence: Specify the factors required for user identity authentication. You can configure multiple factors to request users to complete a two-step authentication process. Once configured, users must authenticate using both the primary MFA and secondary MFA.
        • Primary MFA (Required): This option only appears when “Factor Sequence” is selected. Click Add Secondary MFA if needed.
      • Specific Factor: Select a factor for user identity authentication. Once configured, users must authenticate using the required factor every time they attempt to sign in to the selected applications.
    • MFA Settings: Click it to go to Security > MFA and configure MFA methods.
  7. Click Add Rule.
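The rule evaluation described in the steps above, modelled as an added Python example (this is not Identity Enterprise's own code): rules are tried in priority order, Exclude Users removes a user from a rule, the IP zone, device platform and behavior conditions are AND-combined while several selected behaviors are OR-combined, and the three "When to Prompt for MFA" modes act on a trusted-device cookie. The network zone CIDR, user and rule names, and the epoch-second cookie timestamps are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass  # constructed model of the rule semantics described above; not UIE's own code
class Rule:
    name: str
    action: str                    # "Allowed" | "Blocked" | "MFA"
    zone: list = None              # CIDRs of the network zone; None = "Anywhere"
    zone_mode: str = "inside"      # "inside" | "outside"
    platforms: set = None          # {"Mobile", "Desktop"}; None = "Any Device"
    behaviors: set = None          # OR-combined when several are selected
    applies_to: set = None         # named users; None = "Users assigned this app"
    exclude: set = field(default_factory=set)  # "Exclude Users"
    mfa_prompt: str = "every"      # "every" | "new_device" | "lifetime"
    mfa_lifetime: int = 86400      # seconds the device cookie stays valid ("lifetime" mode)

def matches(rule, req):
    """Conditions are AND-combined; only the selected behaviors are OR-combined."""
    if req["user"] in rule.exclude: return False
    if rule.applies_to is not None and req["user"] not in rule.applies_to: return False
    if rule.zone is not None:
        inside = any(ip_address(req["ip"]) in ip_network(z) for z in rule.zone)
        if inside != (rule.zone_mode == "inside"): return False
    if rule.platforms is not None and req["platform"] not in rule.platforms: return False
    if rule.behaviors is not None and not rule.behaviors & set(req.get("behaviors", ())):
        return False
    return True

def prompt_needed(rule, req):
    """Apply 'When to Prompt for MFA' to the trusted-device cookie, if one exists."""
    if rule.action != "MFA": return False
    issued = req.get("mfa_cookie")  # epoch seconds the device cookie was issued, or None
    if rule.mfa_prompt == "every" or issued is None: return True
    if rule.mfa_prompt == "new_device": return False  # cookie stays valid, no new prompt
    return req["now"] - issued > rule.mfa_lifetime    # "lifetime" mode: has the cookie expired?

def decide(rules, req):  # rules in priority order; the first matching rule wins
    for rule in rules:
        if matches(rule, req):
            return rule.name, rule.action, prompt_needed(rule, req)
    return "default", "Allowed", False  # no rule matched: access allowed, no MFA prompt

# Constructed sample: 10.0.0.0/8 is the office network zone; highest priority first.
RULES = [
    Rule("block-mobile-outside", "Blocked", zone=["10.0.0.0/8"], zone_mode="outside",
         platforms={"Mobile"}),
    Rule("mfa-outside", "MFA", zone=["10.0.0.0/8"], zone_mode="outside",
         mfa_prompt="lifetime", mfa_lifetime=12 * 3600, exclude={"svc-monitor"}),
]
```

Sign-ins from inside the zone fall through to the default (allowed, no MFA prompt), which is the behaviour the introduction describes when no rule applies.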
