Google SSO security considerations

Turning on Google SSO in the IAM system allows any Google user to log into the IAM. If a default home publication has been set in user-manager.yaml, then Google users are also allowed to log into the CUE Editor, but they are not allowed to read or write any content, since they have no roles or permissions in the CUE Content Store.

  newsroom:
    # default publication
    homePublication: news

If the default home publication has not been set in user-manager.yaml and no groups have been assigned to the SSO user in the IAM, SSO users will not be able to log in to the CUE Editor. The error "The user does not exist on the backend" is displayed in the CUE Editor and the following message is written to the log:

  Caused by: neo.xredsys.api.IllegalOperationException: No home publication set for user john@example.com', can't auto create it
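
Because any Google user can reach the IAM once SSO is on, the log message above is a useful signal of who is attempting to enter the CUE Editor. The following is an added example, not part of the CUE documentation or product: it counts rejected SSO logins per account and separates them by domain. The function name, the trusted-domain list and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the exception text quoted on this page. The page shows a closing
# quote after the address but no opening one, so both quotes are optional.
NO_HOME_PUB = re.compile(
    r"IllegalOperationException: No home publication set for user "
    r"'?(?P<user>[^\s',]+)'?"
)


def rejected_sso_users(log_lines, trusted_domains):
    """Count rejected SSO logins per user, split by trusted/untrusted domain.

    trusted_domains is a hypothetical allow-list of the organisation's own
    Google domains; it is not a CUE setting.
    """
    trusted = {d.lower() for d in trusted_domains}
    inside, outside = Counter(), Counter()
    for line in log_lines:
        m = NO_HOME_PUB.search(line)
        if not m:
            continue
        user = m.group("user").lower()
        # Text after the last "@"; a value without "@" is treated as untrusted.
        domain = user.rpartition("@")[2]
        (inside if domain in trusted else outside)[user] += 1
    return inside, outside


# Constructed sample log lines (not real output); only the exception text
# follows the message shown on this page.
SAMPLE_LOG = [
    "Caused by: neo.xredsys.api.IllegalOperationException: No home publication set for user john@example.com', can't auto create it",
    "INFO  unrelated line",
    "Caused by: neo.xredsys.api.IllegalOperationException: No home publication set for user 'visitor@gmail.com', can't auto create it",
    "Caused by: neo.xredsys.api.IllegalOperationException: No home publication set for user visitor@gmail.com', can't auto create it",
]

if __name__ == "__main__":
    inside, outside = rejected_sso_users(SAMPLE_LOG, ["example.com"])
    for label, counts in (("trusted", inside), ("untrusted", outside)):
        for user, n in counts.most_common():
            print(f"{label:9} {user} x{n}")
```

This message only appears while no default home publication is set; once homePublication is configured, the same accounts log in to the CUE Editor without producing it.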