After customer setup of Single Sign-On (SSO), any user from a customer organization with valid login details can log in to Reltio. On successful login, Reltio will create a new user profile and grant default roles.
This automatic assignment of default roles is a problem because not all users in a customer organization are intended users of Reltio: every successful IdP login produces a Reltio profile with roles, which is both a security exposure and a Reltio licensing concern.
After SSO is set up, Reltio receives a login token (a SAML assertion) from the IdP (identity provider) and looks up the user by the email ID in that assertion. If no matching user exists, Reltio creates the user profile and grants the default roles (usually ROLE_USER and ROLE_API).
In order to restrict access, the customer administrator can take either of the following approaches:
1. Set up metadata security. As described in the help documentation at https://help.reltio.com/index.html#security/metadatasecurity.html, you can define role-based permissions on entity and relation types, so that the default roles alone grant little or nothing.
2. Create a group or role in your SSO IdP and add only the intended users to it. After authentication, the IdP should check whether the logged-in user belongs to that group and redirect to the Reltio tenant link only if the check passes. This keeps the authorization decision in the IdP rather than relying on Reltio's default-role assignment.
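The following is an added example, not Reltio's code, modelling the just-in-time provisioning flow described above: an assertion arrives, the user is looked up by email, and an unknown user is auto-created with the default roles. The permissive handler reproduces the behaviour the article warns about; the gated handler shows the effect of approach 2 when the IdP exposes group membership as an assertion attribute (here assumed to be named `groups`, with a hypothetical group `reltio-users`). The assertion fragment, attribute names and emails are constructed; a real assertion is signed and carries Subject and Conditions elements that must be validated before any of this runs.

```python
"""Illustrative SAML just-in-time provisioning: default roles for everyone vs. group-gated.

Added example, not Reltio's own code. The assertion fragment, attribute names
("email", "groups") and the group name "reltio-users" are constructed.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFAULT_ROLES = frozenset({"ROLE_USER", "ROLE_API"})  # default roles named in the article
REQUIRED_GROUP = "reltio-users"  # hypothetical IdP group for intended Reltio users

# Constructed AttributeStatement; signature, Subject and Conditions omitted for brevity.
ASSERTION_TEMPLATE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>{email}</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">{groups}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_assertion(email, groups):
    """Build a constructed assertion carrying an email and a list of IdP groups."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return ASSERTION_TEMPLATE.format(email=email, groups=values)


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs


def login_default_roles(user_store, xml_text):
    """Behaviour the article warns about: any authenticated IdP user gets a profile with default roles."""
    attrs = parse_attributes(xml_text)
    email = attrs["email"][0]
    if email not in user_store:
        user_store[email] = set(DEFAULT_ROLES)  # auto-provision, no authorization check
    return ("ok", sorted(user_store[email]))


def login_group_gated(user_store, xml_text, required_group=REQUIRED_GROUP):
    """Approach 2 applied at provisioning time: no group membership, no profile, no roles."""
    attrs = parse_attributes(xml_text)
    email = attrs["email"][0]
    groups = set(attrs.get("groups", []))
    if required_group not in groups:
        # Authenticated by the IdP but not an intended Reltio user: nothing is created.
        return ("denied", [])
    if email not in user_store:
        user_store[email] = set(DEFAULT_ROLES)
    return ("ok", sorted(user_store[email]))


if __name__ == "__main__":
    store = {}
    member = build_assertion("alice@example.com", ["reltio-users", "staff"])
    outsider = build_assertion("bob@example.com", ["staff"])
    print("default  :", login_default_roles(dict(store), outsider))   # bob gets roles anyway
    print("gated    :", login_group_gated(store, outsider))           # bob is denied
    print("gated    :", login_group_gated(store, member))             # alice is provisioned
    print("profiles :", sorted(store))                                # only alice exists
```

Whether the group check runs in the IdP (as the article recommends) or at the point of provisioning as shown here, the outcome to aim for is the same: a user outside the intended group never gets a Reltio profile, so the default roles are never granted to them.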