CF Tunnel Application Access Policy: limit to email in access group

I’ve created an access group that consists of an “include” of several email addresses that I want to be able to access my applications. I’ve created a policy in the application with action “Allow” and assigned the group with “Include” rules. I’ve set my authentication login method to “One Time PIN”.

When I click “Test Policies”, if I enter one of my emails in the access group, I get “Access Granted”, and if I enter an email not in the list, I get “Access Denied”.

However, when I browse to ., at the login screen there, any email address I enter gets sent a one time PIN.

How do I limit access to my application, via one time PIN, to a specific set of email addresses?

The way that access works is that it will always send a code, and validates when a user attempts to use the code. I’m not aware of any way to limit outbound emails.

Unfortunately, the email it sends the OTP to is actually able to log in and then access my services.

Is this email part of any policy that grants access to the application?

I think I figured it out. I created a second policy within the same application, with a “block” action and including “everyone”. That does seem to prevent the emails from going out to users not included in the access group. Sort of like firewall rules.

So, in summary, an allow rule that includes all expected users, then a block rule for “everyone” gives the expected behavior of allowing just the specified users in the access group. Without the block rule, any user who puts in their email address gets sent a working one-time password.

Not sure if this applies to other authentication methods.
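The access group plus the allow-then-block policy pair described in this thread, written out as a Terraform configuration (an added example, not from the thread or from Cloudflare; it assumes the Cloudflare Terraform provider v4 resource schema, that the One Time PIN login method is already configured, and uses placeholder account id, hostname and email addresses):

```hcl
# Added example: access group plus ordered allow/block policies for one
# application, as described in the thread above. Assumes the Cloudflare
# Terraform provider v4 schema. ACCOUNT_ID_PLACEHOLDER, app.example.com
# and the email addresses are placeholders.

resource "cloudflare_access_group" "allowed_users" {
  account_id = "ACCOUNT_ID_PLACEHOLDER"
  name       = "allowed-users"

  # Only these addresses should ever get a working One Time PIN.
  include {
    email = ["alice@example.com", "bob@example.com"]
  }
}

resource "cloudflare_access_application" "internal_app" {
  account_id       = "ACCOUNT_ID_PLACEHOLDER"
  name             = "internal-app"
  domain           = "app.example.com" # placeholder hostname behind the tunnel
  type             = "self_hosted"
  session_duration = "24h"
}

# Evaluated first (lowest precedence number): members of the group are allowed.
resource "cloudflare_access_policy" "allow_group" {
  account_id     = "ACCOUNT_ID_PLACEHOLDER"
  application_id = cloudflare_access_application.internal_app.id
  name           = "allow-access-group"
  precedence     = 1
  decision       = "allow"

  include {
    group = [cloudflare_access_group.allowed_users.id]
  }
}

# Evaluated second: everyone else is explicitly blocked. Per the thread, this
# is the rule that stops OTP emails going to addresses outside the group;
# with only the allow policy, any address entered still receives a working PIN.
resource "cloudflare_access_policy" "block_everyone" {
  account_id     = "ACCOUNT_ID_PLACEHOLDER"
  application_id = cloudflare_access_application.internal_app.id
  name           = "block-everyone"
  precedence     = 2
  decision       = "deny"

  include {
    everyone = true
  }
}
```

After applying, re-run “Test Policies” with an address outside the group to confirm it is now matched by the block policy rather than falling through with no match.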

