[Hydra] Rejecting the login request based on whether the user has access to that client-id or not? #153
Let's assume that we have a company of 1k employees, grouped into 50 groups. Each group has different jobs/roles, each group will be restricted to specific types of 3rd-party services, and we want each group to be able to log in to their related service(s) via Ory SSO (Hydra). The problem is, we don't want, for example, Group (A) to log in to a service that Group (B) is using. A more simplified example:
Does that mean that we want to implement two different identity providers, each with its own SSO server, or can we do that in Ory in a different way?
Replies: 1 comment
Hi there! A good approach would be to protect application access with e.g. Ory Permissions (based on Keto). Then you can separate the authorization from user authentication, gaining a lot of flexibility to set up permission schemes for various applications and functions and resources within them.
There are a few approaches to avoid having multiple IdPs, SSO servers and configurations: you can model your different user groups e.g. with different identity schemas, attach metadata identifying their group membership(s), or create fine-grained permission relations on a user level.
To actually enforce permissions, you can use Ory Oathkeeper as an Identity Aware Proxy in front of your services, …
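To make the per-client rejection from the title concrete, here is an added example (not code from the discussion, from Ory, or from the reply above) of a Hydra login provider that decides accept/reject from the `client_id` carried in the login request. The permission store is an in-memory stand-in for Ory Permissions (Keto) relationship tuples so that it runs offline; the namespaces `groups` and `clients`, the relation names `member`/`access`, the users, the group names, the client IDs and the login challenge are all constructed sample data. The `/admin/oauth2/auth/requests/login/{accept,reject}` paths are the Hydra v2 admin API, and the accept/reject bodies follow its request schemas; the block only builds those calls rather than sending them.

```python
"""Login-provider decision for an Ory Hydra login request, keyed on client_id.

Added example, not code from the discussion or from Ory. The permission store
is an in-memory stand-in for Ory Permissions (Keto) relationship tuples so the
script runs offline; in a real deployment the same question would be put to
Keto's check API, and the resulting accept/reject would be PUT to Hydra's
admin login endpoints. All tuples, users, groups and client IDs are constructed
sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass(frozen=True)
class SubjectSet:
    """Keto subject set: every subject that has `relation` on namespace:object."""
    namespace: str
    object: str
    relation: str


@dataclass(frozen=True)
class RelationTuple:
    """Keto-style tuple namespace:object#relation@subject (subject_id or subject_set)."""
    namespace: str
    object: str
    relation: str
    subject: Union[str, SubjectSet]


# Constructed sample data (assumed namespaces "groups" and "clients").
SAMPLE_TUPLES: List[RelationTuple] = [
    RelationTuple("groups", "engineering", "member", "alice"),
    RelationTuple("groups", "finance", "member", "bob"),
    RelationTuple("groups", "admins", "member", "carol"),
    # admins are also engineering members (nested subject set)
    RelationTuple("groups", "engineering", "member", SubjectSet("groups", "admins", "member")),
    # which groups may log in to which OAuth2 client (object = client_id)
    RelationTuple("clients", "ci-dashboard", "access", SubjectSet("groups", "engineering", "member")),
    RelationTuple("clients", "payroll-app", "access", SubjectSet("groups", "finance", "member")),
    RelationTuple("clients", "payroll-app", "access", SubjectSet("groups", "admins", "member")),
]


def is_allowed(tuples, namespace, obj, relation, subject_id, _seen=None) -> bool:
    """Keto-like check: direct subject match or membership in a (nested) subject set."""
    seen: Set[Tuple[str, str, str]] = _seen if _seen is not None else set()
    key = (namespace, obj, relation)
    if key in seen:  # guard against cyclic subject sets
        return False
    seen.add(key)
    for t in tuples:
        if (t.namespace, t.object, t.relation) != key:
            continue
        if t.subject == subject_id:
            return True
        if isinstance(t.subject, SubjectSet) and is_allowed(
            tuples, t.subject.namespace, t.subject.object, t.subject.relation, subject_id, seen
        ):
            return True
    return False


def make_login_request(client_id: str, challenge: str = "c0ffee", subject: str = "") -> Dict:
    """Fields of the JSON Hydra returns for GET .../auth/requests/login that we use (constructed)."""
    return {"challenge": challenge, "client": {"client_id": client_id},
            "skip": bool(subject), "subject": subject}


def decide_login(login_request: Dict, tuples, authenticated_subject: str) -> Dict:
    """Return the Hydra admin call the login provider should make for this challenge.

    The client_id is read from Hydra's own login request, not from anything the
    browser sent, so a user cannot spoof which client they are logging in to.
    """
    client_id = login_request["client"]["client_id"]
    challenge = login_request["challenge"]
    if is_allowed(tuples, "clients", client_id, "access", authenticated_subject):
        return {
            "method": "PUT",
            "path": f"/admin/oauth2/auth/requests/login/accept?login_challenge={challenge}",
            "body": {"subject": authenticated_subject, "remember": False},
        }
    return {
        "method": "PUT",
        "path": f"/admin/oauth2/auth/requests/login/reject?login_challenge={challenge}",
        "body": {
            "error": "access_denied",
            "error_description": f"{authenticated_subject} is not permitted to use client {client_id}",
            "status_code": 403,
        },
    }


if __name__ == "__main__":
    for user, client in [("alice", "ci-dashboard"), ("bob", "ci-dashboard"), ("carol", "payroll-app")]:
        d = decide_login(make_login_request(client), SAMPLE_TUPLES, user)
        print(user, client, "->", d["path"].rsplit("/", 1)[-1].split("?")[0], d["body"])
```

Two points worth keeping when adapting this: run the check on the subject Hydra already knows when `skip` is true (the user has a session but may still be heading for a client they are not entitled to), and keep the group-to-client mapping in the permission store rather than in the client's own config, so adding a group to a service is a tuple write and not a redeploy.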