LDAP Access to Services

Having configured the available SAML-integrated services, it is then possible to control exactly which of these services are available to which users, i.e. which services a user sees in their list when they first log in:

Service List

This is done in the M-Pin SSO Settings > LDAP Settings section of the console:

ldap settings

Before making this configuration, you should make sure you have set up a group in your LDAP directory which contains the users you wish to have access to a particular service / group of services.

This example will be a very simple case which makes use of one LDAP group (AWSDev1) being given access to one service (AWS dev account 1).

After selecting 'Add new LDAP setting' enter the details of the LDAP server and group. Here it makes sense to give the group a similar name to the service:

Settings Page

The Useridattribute field is the LDAP attribute used to validate the email address of the user logging in, hence "mail" is used above.

Once the LDAP group setting is created, you can then add it to any Service Profile of your choice. In this case we will add it to the AWS dev account 1 profile. This is done by going to Integration > AWS profiles, then selecting AWS dev account 1:

Select Profile

Within the AWS profile itself, it is then possible to add the LDAP profile to the Chosen LDAP profiles list:

Add LDAP profile

To test your LDAP settings, log in as a user who is a member of the LDAP group (AWSDev1 in this example) and confirm that the service appears in their list:

Services List

Likewise, logging in as a user who is not in the group should confirm that the service does not appear in their list.
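The steps above configure the decision through the console; the following is an added example (not M-Pin SSO code, and not a description of how the product implements it internally) that models the same decision in Python so the expected outcomes of the two tests can be checked against a constructed directory. It assumes a `memberOf`-style attribute on user entries, the constructed entries and group DNs shown, and the hypothetical names `LdapSetting`, `ServiceProfile`, `find_user` and `visible_services`.

```python
# Added example, not part of the M-Pin SSO documentation or product code.
# Models the page's access decision: a login email is resolved to an LDAP
# entry via the configured userid attribute ("mail"), the entry's group
# membership is checked against the group named in the LDAP setting, and a
# service profile is shown only if one of its chosen LDAP profiles matches.

from dataclasses import dataclass, field

# Constructed directory entries standing in for a real LDAP server.
# "memberOf" is an assumption; real directories may expose membership
# differently (e.g. via the group's "member" attribute).
DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "mail": "alice@example.com",
     "memberOf": ["cn=AWSDev1,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com", "mail": "bob@example.com",
     "memberOf": []},
    {"dn": "uid=carol,ou=people,dc=example,dc=com", "mail": "carol@example.com",
     "memberOf": ["cn=AWSDev1,ou=groups,dc=example,dc=com",
                  "cn=AWSProd,ou=groups,dc=example,dc=com"]},
    # Two entries sharing one mail value: an ambiguous lookup that the
    # check below refuses to resolve rather than picking one of them.
    {"dn": "uid=dave,ou=people,dc=example,dc=com", "mail": "dave@example.com",
     "memberOf": ["cn=AWSDev1,ou=groups,dc=example,dc=com"]},
    {"dn": "uid=dave2,ou=contractors,dc=example,dc=com", "mail": "dave@example.com",
     "memberOf": []},
]


@dataclass
class LdapSetting:
    """One 'LDAP setting' from the console: a group plus the userid attribute."""
    name: str
    group_dn: str
    userid_attribute: str = "mail"


@dataclass
class ServiceProfile:
    """One service profile with its 'Chosen LDAP profiles' list."""
    name: str
    chosen_ldap_profiles: list = field(default_factory=list)


# Constructed configuration mirroring the page's example (plus a second
# profile to show one user mapping to several services).
SETTINGS = {
    "AWSDev1": LdapSetting("AWSDev1", "cn=AWSDev1,ou=groups,dc=example,dc=com"),
    "AWSProd": LdapSetting("AWSProd", "cn=AWSProd,ou=groups,dc=example,dc=com"),
}
PROFILES = [
    ServiceProfile("AWS dev account 1", ["AWSDev1"]),
    ServiceProfile("AWS prod account", ["AWSProd"]),
]


def find_user(directory, setting, login_email):
    """Resolve the login email to exactly one entry via the userid attribute.

    Returns None when there is no match or more than one match: email
    addresses and DNs are case-insensitive, so the comparison is too.
    """
    wanted = login_email.strip().lower()
    matches = [e for e in directory
               if e.get(setting.userid_attribute, "").lower() == wanted]
    return matches[0] if len(matches) == 1 else None


def user_in_group(entry, group_dn):
    """True if the entry lists group_dn among its memberships."""
    return any(g.lower() == group_dn.lower() for g in entry.get("memberOf", []))


def visible_services(directory, settings, profiles, login_email):
    """Names of the service profiles this user should see after login.

    A profile is visible if any of its chosen LDAP profiles resolves the
    user and finds them in that profile's group. A profile with no chosen
    LDAP profiles matches nothing here (deny by default; a modelling choice,
    the page does not state the product's behaviour for that case).
    """
    visible = []
    for profile in profiles:
        for setting_name in profile.chosen_ldap_profiles:
            setting = settings[setting_name]
            entry = find_user(directory, setting, login_email)
            if entry is not None and user_in_group(entry, setting.group_dn):
                visible.append(profile.name)
                break
    return visible


if __name__ == "__main__":
    for email in ["alice@example.com", "bob@example.com", "carol@example.com",
                  "dave@example.com", "nobody@example.com"]:
        print(email, "->", visible_services(DIRECTORY, SETTINGS, PROFILES, email))
```

The two checks the page asks for correspond to `alice` (in AWSDev1, sees the dev account) and `bob` (not in the group, sees nothing). The `dave` entries illustrate why the userid attribute must identify a single entry: when two entries share the same `mail` value, the lookup is ambiguous and the model grants nothing rather than guessing.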