Question
When using Microsoft 365 or Google Workspace (hereafter referred to as groupware) with Access Control as the authentication destination, and setting the groupware as the IdP to enable SSO integration with other external services (SP), what is the authentication flow?
Answer
If Access Control is set as the authentication destination for the groupware, authentication via Access Control will ultimately be required when signing in to other services as well.
The specific login flow is as follows:
1. Access the external service (SP) and attempt to log in using your groupware account.
2. You are redirected from the SP to the groupware for authentication.
3. You are further redirected from the groupware to Access Control.
4. Authenticate on the Access Control screen.
5. After successful authentication, you are logged in to the SP via the groupware.
Notes
- In this configuration, the final authentication decision is based on the Access Policy Groups in Access Control.
- Even if login is permitted on the groupware side, access from IP addresses or devices not allowed by the Access Control policy will be restricted at step 4 above, and login to the external service (SP) will not be possible.
Therefore, when using external services, please make sure in advance that appropriate access permissions are configured in Access Control.
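The chained flow and the note above can be modelled as a small simulation. This is an added example written for this page, not Access Control's or the groupware's own code; the policy values (allowed network, registered device IDs, account domain) and the function names are constructed assumptions, and the real redirects (SAML or OIDC) are reduced to plain function calls that record the hops taken.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for an Access Policy Group in Access Control (hypothetical values).
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
REGISTERED_DEVICES = {"device-A1"}
GROUPWARE_DOMAIN = "example.com"  # assumed tenant domain of the groupware


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    device_id: str
    trail: list = field(default_factory=list)  # redirect hops, in order


def access_control_authenticate(attempt: LoginAttempt) -> bool:
    """Step 4: Access Control evaluates its policy; this is the final decision."""
    attempt.trail.append("access-control")
    ip_allowed = any(ip_address(attempt.source_ip) in net for net in ALLOWED_NETWORKS)
    return ip_allowed and attempt.device_id in REGISTERED_DEVICES


def groupware_authenticate(attempt: LoginAttempt) -> bool:
    """Step 3: the groupware has Access Control as its authentication destination,
    so even a valid groupware account cannot sign in without Access Control's approval."""
    attempt.trail.append("groupware")
    account_known = attempt.user.endswith("@" + GROUPWARE_DOMAIN)
    if not account_known:
        return False  # groupware rejects before ever reaching Access Control
    return access_control_authenticate(attempt)


def sp_login(attempt: LoginAttempt) -> bool:
    """Steps 1, 2 and 5: the SP delegates to the groupware IdP and accepts its answer."""
    attempt.trail.append("sp")
    return groupware_authenticate(attempt)


if __name__ == "__main__":
    # Account is valid on the groupware side, but the source IP is outside the policy.
    blocked = LoginAttempt("alice@example.com", "198.51.100.7", "device-A1")
    print(sp_login(blocked), blocked.trail)  # False, hop list ending at access-control
```

The second case shows the behaviour from the Notes: the groupware accepts the account, yet the SP login fails because the decision was taken at the Access Control hop.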