A question that often comes up is about restrictive mode - what is it for and do I need it on or off?

What is restrictive mode?

Restrictive mode was developed to deal with the occasional federated resource that, because of loopholes in some federations' rules, decided the onus was on the Identity Provider (IdP) to respond only for users who should have access. What the Service Provider (SP) was meant to do was make that decision itself, based on the attributes it was passed.

That's what it was built for but it has other applications:

Do I need it on or off?

New customers

If you are a brand new customer, leave it off (the default) until access to your subscriptions is sorted out. This makes it as easy as possible to get access to the resource set up without added restrictions. Once access to your resources is arranged, you can turn it on or leave it off, as you prefer.

The statistics angle

This is often the main consideration.

Off: you will be able to see which resources your users are trying to access alongside those that you subscribe to.

Advantages: 

Disadvantages:

On: you will not see statistics for resources that have not been allocated to permission sets

Advantages:

Disadvantages:

The insurance angle

Off: you depend on publishers not letting your users in if you don't have a subscription

Advantages:

Disadvantages:

On: you can make sure that it can't happen

Advantages:

Disadvantages:

The error message angle

Off: Users will get a no access message from the resource

Advantages:

Disadvantages:

On: Users will get a no access message from us

Advantages:

Disadvantages:

How to turn it on or off

Restrictive mode is a per-organisation setting, so it is set on the organisation preferences page (Preferences > Organisation).

The setting is at the bottom of the page. Once you save the page the change will take a few minutes to propagate to our authentication points. You will need to repeat this for each sub-organisation that you have.

The advantage of this being a per-organisation setting is that you do not need to have restrictive mode turned on (or off) for all the users across your domain - a mix is possible if that would suit you better.