With SSO in NAV, every new user who signs in is given an account. By default, new accounts are added to a group with standard access to NAV. This rests on the assumption that some account-filtering layer sits between the SSO handler and NAV. Our setup has no such layer, so our solution is to remove all privileges from the default group for new accounts and create a new group with standard access, to which we add accounts manually.
The steps for doing this using the web UI are:
- Go to Tools > User and API Administration.
- Select the Group List tab and click on the Authenticated users group.
- Under Group privileges click Revoke so that this group has no privileges.
- Under Group info rename the group to SSO logins. Set the group description to e.g. "Automatically created SSO accounts (NO PRIVILEGES)".
- Go back to the group list and create a new group.
- Name the group Manually authenticated users with the description "SSO users can be placed in this group to get standard privileges".
- Add the same permissions as we revoked from the SSO logins group, i.e. under Grant privileges select web_access from the dropdown and use the expression below as Target.