When configuring an enterprise application for the SAML single sign-on integration with ThoughtFarmer, there is a setting on the main properties called Assignment required. It is set to Yes by default as a security best practice recommended by Azure. However, having it set to Yes has certain limitations and security considerations that should be understood before enabling it. ThoughtFarmer recommends leaving the Assignment required setting set to No, as shown below.
Assignment required disabled
When the Assignment required setting is disabled, anyone within the entire Azure AD with a valid active Azure account can attempt to log in to ThoughtFarmer. Once Azure authentication completes, users will only be logged in to the intranet if they have an active ThoughtFarmer profile page. This is controlled by the Employee Directory Connector (EDC) synchronization, which is configured to pull from a specific Azure AD security group. Everyone in that group should already have an active ThoughtFarmer profile and be able to access it. Anyone company-wide who is NOT in that group will see an "Access Denied" message instead. The only exception is if you have Guest mode enabled. In that case, those users will be logged in as a guest user instead.
Assignment required enabled
When the Assignment required setting is enabled, users and groups must be added explicitly to the enterprise application before they can use the authentication. If a user who is not explicitly added attempts to log in, they may authenticate successfully with their active Azure account. However, they will not be redirected back to ThoughtFarmer to complete the sign-in process. They will instead see the following error:
To give them access you must go to the enterprise application configuration you set up for ThoughtFarmer and go to the Users and Groups page.
The main issue is that Azure does not support nested groups for this feature. So while you may be using an Azure AD group with nested groups to control which ThoughtFarmer users are created automatically via the Employee Directory Connector (EDC) sync, that same group will not work here: only the users at the top level of the group will be able to authenticate.
When to use Assignment Required
The only valid use case for enabling Assignment required is if you have Guest mode enabled but still want to limit who has guest access within your Azure AD. To do this you can create two separate groups in Azure AD (no nested groups, due to the limitation mentioned in the previous section). One group is "All intranet users" and contains the flattened list of all intranet users, which matches whatever you have configured for the EDC sync. The other is the "Guest" user group. Add both of those groups to the assignment for the enterprise application. With that configured you will have the following authentication flows:
- All intranet users: These users will authenticate and access ThoughtFarmer as actual users with a profile.
- Guest: These users will authenticate and access ThoughtFarmer as guest users.
- All users outside these groups: These users will not be able to access ThoughtFarmer and will be shown an Azure error message saying that they have not been added to the application.
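The flows above, together with the nested-group pitfall from the previous section, can be checked before changing the setting. The following is an added example (not ThoughtFarmer's or Microsoft's code) that models the sign-in outcome for each user against a small constructed directory; the group names, user names and the "grp:" prefix convention are assumptions, and the EDC sync is modelled as using transitive membership while the enterprise app assignment uses only direct members.

```python
# Added example: models the sign-in outcomes described on this page.
# Constructed sample directory, not Microsoft Graph data.
# Group -> direct members; members prefixed "grp:" are nested groups.
GROUPS = {
    "grp:intranet-users": {"alice", "grp:engineering"},  # contains a nested group
    "grp:engineering": {"bob"},
    "grp:guest": {"carol"},
}

def transitive_members(group, groups=GROUPS, _seen=None):
    """Flatten nested groups: this is the membership the EDC sync provisions from."""
    _seen = _seen if _seen is not None else set()
    users = set()
    for member in groups.get(group, set()):
        if member.startswith("grp:"):
            if member not in _seen:          # guard against cyclic nesting
                _seen.add(member)
                users |= transitive_members(member, groups, _seen)
        else:
            users.add(member)
    return users

def direct_members(group, groups=GROUPS):
    """Top-level users only: enterprise app assignment does not expand nested groups."""
    return {m for m in groups.get(group, set()) if not m.startswith("grp:")}

def sign_in_outcome(user, *, assignment_required, guest_mode,
                    edc_group="grp:intranet-users",
                    assigned_groups=("grp:intranet-users", "grp:guest")):
    """Return the result of a sign-in attempt for `user` under the given settings."""
    # Azure side: with Assignment required on, only directly assigned users get past Azure.
    if assignment_required:
        assigned = set().union(*(direct_members(g) for g in assigned_groups))
        if user not in assigned:
            return "azure-error: not assigned to the application"
    # ThoughtFarmer side: an active profile exists only for users the EDC sync created.
    if user in transitive_members(edc_group):
        return "user"
    return "guest" if guest_mode else "access-denied"

def users_hidden_by_nesting(edc_group="grp:intranet-users",
                            assigned_groups=("grp:intranet-users", "grp:guest")):
    """Users the EDC sync provisions who would still fail the Azure assignment check."""
    assigned = set().union(*(direct_members(g) for g in assigned_groups))
    return transitive_members(edc_group) - assigned
```

Running `users_hidden_by_nesting()` against your own flattened and nested group exports shows exactly which intranet users would be locked out by enabling Assignment required.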