Having configured the available SAML-integrated services, you can control exactly which of these services are available to which users, i.e. which services a user sees when they first log in.
This is done in the M-Pin SSO Settings > LDAP Settings section of the console.
Before making this configuration, make sure you have set up a group in your LDAP directory that contains the users you wish to have access to a particular service or group of services.
This example is a very simple case: one LDAP group (AWSDev1) is given access to one service (AWS dev account 1).
After selecting 'Add new LDAP setting', enter the details of the LDAP server and group. It makes sense to give the LDAP setting a name similar to that of the service.
The Useridattribute field is the LDAP attribute used to match the email address of the user logging in; hence "mail" is used in this example.
Once the LDAP group setting is created, you can add it to any Service Profile of your choice. In this case we add it to the AWS dev account 1 profile, by going to Integration > AWS profiles and selecting AWS dev account 1.
Within the AWS profile itself, add the LDAP setting to the Chosen LDAP profiles list.
To test your LDAP settings, log in as a user who is a member of the LDAP group (AWSDev1 in this example) and confirm that the service appears in their list.
Likewise, logging in as a user who is not in the group should confirm that the service does not appear in their list.
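The following is an added illustration of the access rule the steps above configure, not M-Pin SSO's own code: a login email is resolved to a directory entry through the chosen user id attribute ("mail"), the entry's DN is checked against the group's member list, and a service profile is shown only when one of its chosen LDAP settings passes that check. The directory is a constructed in-memory stand-in for a real LDAP server; the DNs, the second group AWSDev2, the second profile and the user names are assumptions for the example. It also covers the two test cases from the text (member and non-member) plus a user whose entry has no mail attribute.

```python
"""Model of the LDAP-group-to-service mapping described above (added example,
not M-Pin SSO code). DIRECTORY is a constructed stand-in for an LDAP server."""
from dataclasses import dataclass, field

# Constructed directory: DN -> attributes. A real deployment queries LDAP instead.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": ["alice@example.com"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": ["bob@example.com"]},
    "uid=carol,ou=people,dc=example,dc=com": {
        # No mail attribute: cannot be matched when the user id attribute is "mail".
        "objectClass": ["inetOrgPerson"]},
    "cn=AWSDev1,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=AWSDev2,ou=groups,dc=example,dc=com": {   # assumed second group
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com"]},
}


@dataclass(frozen=True)
class LdapSetting:
    """One 'LDAP setting' from the console: a group plus the user id attribute."""
    name: str
    group_dn: str
    user_id_attribute: str = "mail"


@dataclass
class ServiceProfile:
    """A service profile with its 'Chosen LDAP profiles' list."""
    name: str
    chosen_ldap_profiles: list = field(default_factory=list)


def find_user_dn(directory, user_id_attribute, login_id):
    """Return the DN whose user_id_attribute equals login_id (case-insensitive,
    as e-mail addresses are), or None. An ambiguous match is refused rather
    than guessed, since it would grant access based on the wrong entry."""
    wanted = login_id.lower()
    matches = [dn for dn, attrs in directory.items()
               if wanted in (v.lower() for v in attrs.get(user_id_attribute, []))]
    if len(matches) > 1:
        raise ValueError(f"{user_id_attribute}={login_id!r} matches {len(matches)} entries")
    return matches[0] if matches else None


def is_member(directory, group_dn, user_dn):
    """True only if the group exists and lists user_dn as a member."""
    group = directory.get(group_dn)
    if group is None:
        return False
    return user_dn.lower() in (m.lower() for m in group.get("member", []))


def visible_services(directory, profiles, login_id):
    """Services the user should see after login: a profile is shown when any
    of its chosen LDAP settings resolves login_id to a DN in that setting's group."""
    visible = []
    for profile in profiles:
        for setting in profile.chosen_ldap_profiles:
            user_dn = find_user_dn(directory, setting.user_id_attribute, login_id)
            if user_dn is not None and is_member(directory, setting.group_dn, user_dn):
                visible.append(profile.name)
                break
    return visible


# The walkthrough's setting and profile, plus an assumed second pair.
AWSDEV1 = LdapSetting("AWSDev1", "cn=AWSDev1,ou=groups,dc=example,dc=com")
AWSDEV2 = LdapSetting("AWSDev2", "cn=AWSDev2,ou=groups,dc=example,dc=com")
PROFILES = [
    ServiceProfile("AWS dev account 1", [AWSDEV1]),
    ServiceProfile("AWS dev account 2", [AWSDEV2]),
]

if __name__ == "__main__":
    for who in ("alice@example.com", "bob@example.com", "carol@example.com"):
        print(who, "->", visible_services(DIRECTORY, PROFILES, who))
```

Running it shows alice seeing only AWS dev account 1, bob only AWS dev account 2, and carol nothing, because her entry carries no mail attribute and so never resolves. The same three logins are the ones worth trying against the real console: a group member, a non-member, and a user whose directory entry lacks the chosen user id attribute.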