SSO Login - Tagging?

[jthompson333]

This is probably another noobie question...

Can Tags in the SSO system be used for creating custom security roles in an application for a user?

For example, if a user was in the Accounting Department, could I create an SSO tag called, sso_accounting, and make the application refer back to that to give that user access to only what the accounting department should see?

[thruska]

Absolutely. So to set up what you describe, I would create a new tag called 'role_accounting'. Then I'd go into the API key for the application and map the tag to itself (same name) or something shorter like 'accounting'. Either one will allow the tag to flow through to the SSO client. Then, in the application, refer to the tag using the SSO_HasTag() function.

Client tag names should be kept short because they are stored in the encrypted cookie in the user's web browser. But they should still make sense to someone glancing at the source code.

The 'sso_' prefix should not really be used for tags even though I don't foresee needing to add more permissions than what are already there.

I have a question for you: What provider are you using for the accounts that will have this tag? If it is the LDAP (Active Directory) provider, I've got a couple of related ideas I'd like to run by you to see what you think.