Authentication Settings

Authentication Settings lets administrators configure how users sign in to the Platform. You can enable Single Sign-On (SSO) to authenticate users through your organization's identity provider, and Multi-Factor Authentication (MFA) to add a second layer of verification for email/password sign-ins.

Note

Only account owners and admins can configure Authentication Settings.

How SSO and MFA Work Together

The Platform supports two authentication paths, and MFA scope adjusts automatically based on which path is active:

| Authentication State | Who Signs In Via Email/Password | MFA Managed By |
|---|---|---|
| SSO Disabled | All users | Platform (applies organization-wide) |
| SSO Enabled | SSO-excluded users only | Platform (applies to excluded users only); the Identity Provider (IdP) manages all other users' MFA |

Access Authentication Settings

  1. Log in to your account and click Settings on the top navigation bar.
  2. In the left menu, go to Security & Control > Authentication Settings.

The page is divided into two sections:

  • Single Sign-On (SSO) Configuration
  • Multi-Factor Authentication (MFA).

Single Sign-On (SSO)

SSO allows users to access their Platform accounts using credentials managed by an external IdP. Once authenticated with the IdP, users can access the Platform without a separate login.

Key benefits:

  • Secure Access — Reduces password fatigue and the risk of phishing or weak passwords.
  • Simplified User Management — Centrally grant or revoke access across all users.
  • Improved User Experience — Eliminates repeated logins within the same session.
  • Centralized Access Control — Enforce and monitor security policies across all applications from one place.

Supported SSO Protocols and Providers

| Protocol | Providers |
|---|---|
| SAML 2.0 | Okta, OneLogin, Other Provider |
| WS-Federation | Windows Azure, Other Provider |
| OpenID Connect | Google |

How SSO Works

  1. A user attempts to access their Platform account.
  2. The Service Provider (SP) redirects the user to the IdP login page.
  3. The user provides their credentials to the IdP.
  4. On successful authentication, the IdP issues an authentication token.
  5. The SP uses the token to grant the user access.
  6. The user can access all permitted accounts for the remainder of the session without needing to log in again.

SSO Status

The SSO Status toggle at the top of the SSO Configuration section controls whether SSO is active for your organization.

| Toggle State | Behavior |
|---|---|
| SSO Disabled (default) | All users authenticate via email and password. The SSO Protocol, Identity Provider, and SSO-Excluded Users sections are hidden. |
| SSO Enabled | Users authenticate through the configured identity provider. The SSO Protocol, Identity Provider, and SSO-Excluded Users sections appear. |

Enable SSO

  1. Go to Security & Control > Authentication Settings.
  2. Under SSO Status, toggle SSO Enabled.
  3. Under SSO Protocol, select one of the following: SAML 2.0, WS-Federation, or OpenID Connect.
  4. Under Identity Provider, select your provider: Okta, OneLogin, or Other Provider.
  5. Configure the parameters for your selected protocol and provider.
  6. Add at least one SSO-excluded user (see SSO-Excluded Users).
  7. Select Save.

Disable SSO

Disabling SSO collapses the SSO Protocol, Identity Provider, and SSO-Excluded Users sections, and reverts all users to email/password authentication. The MFA section updates automatically to reflect organization-wide scope.

Steps:

  1. Go to Security & Control > Authentication Settings.
  2. Under SSO Status, toggle off SSO Enabled (it will show SSO Disabled).
  3. In the confirmation dialog, select Yes to confirm.

Note: Previously configured SSO parameters are retained and visible if you re-enable SSO.

SSO-Excluded Users

When SSO is enabled, all users must sign in through the configured IdP by default. Use this section to designate specific users who can bypass SSO and sign in via email/password instead — useful when the SSO provider is unavailable, misconfigured, or the certificate has expired.

Note: The account owner is excluded by default. It is strongly recommended to exclude at least one additional admin user as a fallback.

Add an Excluded User

  1. Enter a valid email address in the Add User Email field.
  2. Click Add User. The user appears as a chip in the Excluded Users list.
  3. Click Save.

Sign-In Flow for Excluded Users

Excluded users can sign in via email/password even when SSO is enabled. If MFA is configured, they are prompted to complete verification before access is granted.

Configuration Parameters

The following parameters should be configured on the Platform based on the protocol and IDP you select:

Protocol Provider Parameters
SAML Okta
  • Okta single sign-on url: The SSO endpoint URL for Okta to enable Service Provider initiated SAML flow.
  • Identity provider issuer: The entity (URL) that provides the user identities, including the ability to authenticate a user.
  • Certificate: The IDP's public certificate, which the service provider stores and uses to validate a user signature. You can add multiple certificates (a maximum of 2) and delete invalid certificates that were added earlier.
SAML Onelogin
  • SAML 2.0 endpoint: The SSO endpoint URL for Onelogin to enable Service Provider-initiated SAML flow.
  • Issuer url: The same as the Identity provider issuer for Okta.
  • X.509 certificate: The same as the Certificate for Okta.
SAML Other
  • Single sign-on url: The SSO endpoint URL for the IDP to enable Service Provider initiated SAML flow.
  • Issuer url: The same as the Identity provider issuer for Okta.
  • Certificate: The same as the Certificate for Okta.
WS-Federation Windows Azure
  • Azure AD sign-on end point url: The URL to which the Platform sends sign-on and sign-off requests when using Azure. The authentication response is sent to the Reply URL defined in your Azure Active Directory configuration settings.
  • Azure AD federation metadata document: The URL for the federation metadata document used for authentication with Azure Active Directory.
WS-Federation Other
  • AD sign-on end point url: The same as Azure AD sign-on end point url for Windows Azure.
  • AD federation metadata document url: The same as Azure AD federation metadata document for Windows Azure.
OpenID Connect Google
  • No additional configuration is required. Your users will be authenticated based on their valid Google credentials.

Note: Multiple certificates: When multiple certificates are added, the system uses the most recently added one. If that certificate is invalid, it automatically falls back to the next available certificate.

Multi-Factor Authentication (MFA)

MFA adds a second layer of verification during sign-in for users who authenticate via email/password. The Platform supports the following MFA methods: Email Verification, Authenticator App (TOTP), and SMS.

Enable MFA

  1. Go to Security & Control > Authentication Settings.
  2. Under MFA Status, toggle MFA Required.
  3. Under Allowed MFA Methods, select the methods to enable — Email Verification, Authenticator App, or SMS.
  4. Click Save.

Disable MFA

  1. Under MFA Status, toggle off MFA Required (it will show MFA Disabled).
  2. Click Save.

MFA for Users (First Login)

When MFA is enabled and a user signs in for the first time:

  1. The user enters their email address and password.
  2. The Platform prompts the user to set up an MFA method.
  3. On subsequent logins, the user is prompted to enter their MFA verification code.
  4. On successful verification, access is granted.

SSO Protocol Reference

SAML 2.0

Security Assertion Markup Language (SAML) is a protocol for web-based SSO that uses secure tokens instead of passwords. It allows IDPs and SPs to operate separately. When a user logs into a SAML-enabled app, the service provider requests authorization from the IDP, which authenticates the user and grants access to the application.

How SAML works

SAML SSO works by transferring the user’s identity from one place (the IDP) to another (the SP) through an exchange of digitally signed XML documents.

When a user logs into a system that acts as an IDP and tries to access their Platform account, the following happens:

  1. The user accesses the remote app on the IDP portal using the sign-on endpoint URL, and the application loads.
  2. The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the IDP, asking for authentication. This is the authentication request.
  3. The user either has an existing active browser session with the IDP or establishes one by logging into the IDP.
  4. The IDP builds the authentication response in an XML document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the SP.
  5. The SP, which already knows the IDP and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
  6. The user's identity is established, and the user is provided with the Platform account access.
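Step 5 is more than a signature check: once the signature verifies, the SP still has to confirm that the assertion came from the configured issuer, was meant for this SP, and is within its validity window. The Python sketch below is an added example, not the Platform's code; the function name, the configuration keys and all URLs are hypothetical placeholders, the sample response is constructed, and signature verification is assumed to have already succeeded in a SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP-side settings (placeholder URLs, not real Platform values).
CONFIG = {
    "issuer": "https://idp.example.com/placeholder",    # Identity provider issuer
    "acs_url": "https://sp.example.com/acs",            # Single sign-on URL (ACS)
    "audience": "https://sp.example.com/entity",        # Audience URI (SP Entity ID)
}

# Constructed sample response; <ds:Signature> elements are left out for brevity.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
  <a:Assertion>
    <a:Issuer>https://idp.example.com/placeholder</a:Issuer>
    <a:Subject>
      <a:NameID>user@example.com</a:NameID>
      <a:SubjectConfirmation>
        <a:SubjectConfirmationData Recipient="https://sp.example.com/acs"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions NotBefore="2030-01-01T00:00:00Z" NotOnOrAfter="2030-01-01T00:05:00Z">
      <a:AudienceRestriction>
        <a:Audience>https://sp.example.com/entity</a:Audience>
      </a:AudienceRestriction>
    </a:Conditions>
  </a:Assertion>
</p:Response>"""


def _utc(stamp):
    # SAML timestamps are UTC with a trailing "Z"; fractional seconds are allowed.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def claim_problems(xml_text, cfg, now):
    """List why an already signature-verified response must still be rejected."""
    # ElementTree is used only for this trusted sample; parse real input with a
    # hardened parser, and run these checks on the element the signature covers.
    root = ET.fromstring(xml_text)
    found = root.findall("a:Assertion", NS)
    if len(found) != 1:
        return ["expected exactly one assertion"]
    a, problems = found[0], []
    if a.findtext("a:Issuer", "", NS).strip() != cfg["issuer"]:
        problems.append("issuer is not the configured IdP")
    audiences = [e.text.strip() for e in a.iterfind(".//a:Audience", NS) if e.text]
    if cfg["audience"] not in audiences:
        problems.append("audience is not this SP")
    scd = a.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != cfg["acs_url"]:
        problems.append("recipient is not this SP's ACS URL")
    cond = a.find("a:Conditions", NS)
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None,)
    if None in window or not _utc(window[0]) <= now < _utc(window[1]):  # both bounds required here
        problems.append("outside the validity window")
    return problems
```

An empty list means the claims match the configured values; `now` is passed in so the window check can be tested against a fixed time.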

Okta Configuration

Okta's Single Sign-On (SSO) offers a seamless user experience by enabling one login for multiple applications across different platforms. It enhances security through multi-factor authentication (MFA), zero-trust architecture, and password-less options.

Okta's scalable and customizable platform reduces IT overhead, improves productivity, and supports compliance with governance standards like GDPR and HIPAA.

To configure SSO using SAML and Okta, follow the steps below:

  1. Go to the Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select SAML for Sign-on protocol and Okta for SSO provider.

Note

If you already have the required parameters for Okta, move directly to Step 18.

  1. Log in to the Okta developer portal.
  2. On the dashboard, click Applications on the left menu.
  3. Click Create App Integration.
  1. In the Create a new app integration window, select SAML 2.0 and click Next.
  2. On the Create SAML Integration page, provide the App Name under General Settings, and click Next.
  3. Copy the following values from the Platform’s SSO setup page and paste them into Okta under Configure SAML:
    • ACS url for SP initiated SAML flow: Paste into Single sign-on URL.
    • ACS url for IDP initiated SAML flow: Paste into Audience URI (SP Entity ID).
    | Okta Parameter | Description |
    |---|---|
    | Single sign-on URL | The location where the SAML assertion is sent with an HTTP POST. This is often called the SAML Assertion Consumer Service (ACS) URL for your application. |
    | Audience URI (SP Entity ID) | The application-defined unique identifier that is the intended audience of the SAML assertion. This is most often the SP Entity ID of your application. |
  1. Click Next.
  2. Click Finish under Feedback on Okta’s Create SAML Integration page.
  3. Once the app is created, go to the Sign On tab and click View Setup Instructions.
  4. On the How to Configure SAML 2.0 for Application page, do the following from Okta into the Platform:
    • Copy the Identity Provider Single Sign-On URL value and paste it into the Okta Single Sign-On URL.
    • Copy the Identity Provider Issuer value into the Identity provider issuer.
  5. Go to Sign On > SAML Signing Certificates on your Okta app.
  6. Click Download certificate under Actions for the required certificate.
  7. Once the certificate is downloaded, open it in Notepad and copy the data between the BEGIN CERTIFICATE header and END CERTIFICATE footer.
  8. Paste the value into the Certificate field on the Platform’s SSO setup page.
  9. To add a new certificate, click + Add new.

Note

When multiple certificates are provided, the system uses the latest one. If the latest certificate is invalid, it automatically switches to other available certificates.

  1. Click Save. Once SSO for Okta is complete, the system will redirect to the Okta Sign in page for the Platform account authentication.

Onelogin Configuration

OneLogin's Single Sign-On (SSO) solution simplifies user access by enabling a single login for multiple applications across platforms, improving workflow efficiency. It enhances security with advanced multi-factor authentication (MFA), password-less options, and machine learning-based risk assessments that are compliant with security standards like GDPR and HIPAA.

To configure SSO using SAML and Onelogin, follow the steps below:

  1. Go to the Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select SAML for Sign-on protocol and Onelogin for SSO provider.
  4. Log in to the Onelogin developer portal.
  5. Go to Applications > Add Apps to access your app.
  • To learn how to add a new app, click here.
  • To learn how to configure apps, click here.
  1. Search for your Platform app and click Enter.
  2. Click your app to view the Add App page. Optionally, change the display name or the icons displayed to your users in the OneLogin portal, and then click SAVE. The Platform app has been added to your company apps for OneLogin and is listed on the app page.
  3. Copy the following values from SSO > Enable SAML2.0 on Onelogin and paste them into the relevant fields on the Platform’s SSO setup page:
    • OneLogin SAML 2.0 Endpoint (HTTP): Paste into SAML 2.0 endpoint.
    • OneLogin Issuer URL: Paste into Issuer URL.
  4. In the OneLogin X.509 Certificate field, click View Details. The Standard Strength Certificate (2048-bit) page is displayed.
  5. In the X.509 Certificate section, copy the certificate data and then paste it into the X.509 Certificate field on the Platform’s SSO setup page.
  6. Note

    Copy data after the BEGIN CERTIFICATE header and before the END CERTIFICATE footer.

    To add a new certificate, click +Add new.

Note

When multiple certificates are provided, the system uses the latest one. If the latest certificate is invalid, it automatically switches to other available certificates.

  1. Copy the following field values from the Platform’s SSO setup page into the relevant fields in Onelogin:
    • ACS URL for SP Initiated SAML Flow.
    • ACS URL for IDP Initiated SAML Flow.
  2. Click Save on the Platform and Onelogin.

Once SSO for Onelogin is complete, the system redirects to the Onelogin Sign in page for the Platform account authentication.
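Both the Okta and the Onelogin procedures have you copy the certificate body out of a text editor by hand, which is where a dropped line or stray header tends to creep in. The Python sketch below is an added example, not Platform or IdP code: it decodes a pasted value (with or without the BEGIN/END lines), rejects truncated or malformed pastes, and prints a SHA-256 fingerprint you can compare with one computed from the downloaded file. The function names are hypothetical and the sample bytes are a constructed DER blob, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample: NOT a real certificate, just a well-formed DER SEQUENCE
# (tag 0x30, long-form length 0x0100 = 256 content bytes) to exercise the checks.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_BODY = "\r\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))  # Notepad-style CRLF
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\r\n{SAMPLE_BODY}\r\n-----END CERTIFICATE-----\r\n"


def der_from_paste(text: str) -> bytes:
    """Decode a pasted certificate (with or without PEM armor) to DER bytes.

    Raises ValueError when the paste is not clean base64 or when the outer
    DER length does not match the data, which is what a truncated copy looks like.
    """
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if len(blocks) > 1:
        raise ValueError("more than one certificate in a single field")
    body = "".join((blocks[0] if blocks else text).split())  # drop CR/LF/spaces
    if "-----" in body:
        raise ValueError("incomplete BEGIN/END CERTIFICATE armor")
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE")
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long-form length: next n bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError(f"DER says {header + length} bytes, paste has {len(der)}")
    return der


def sha256_fingerprint(text: str) -> str:
    """Colon-separated SHA-256 fingerprint of the pasted certificate."""
    digest = hashlib.sha256(der_from_paste(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```

The length check only confirms the outer DER envelope is intact; it does not check the certificate's validity dates or who issued it.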

Other Configuration

To configure and enable SSO using SAML for other IDPs of your choice, follow the steps below:

  1. Go to the Platform’s Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select SAML for Sign-on protocol and Other for SSO provider.
  4. Fetch the necessary SSO configuration parameters listed in this table from your app's Settings page within the IDP developer portal.
  5. Paste them into the relevant fields on the Platform’s SSO setup page.

To add a new certificate, click +Add new.

Note

When multiple certificates are provided, the system uses the latest one. If the latest certificate is invalid, it automatically switches to other available certificates.

  1. Copy and paste ACS url for SP initiated SAML flow and ACS url for IDP initiated SAML flow values from the Platform into the relevant app fields within the IDP’s developer portal.
  2. Click Save.

WS-Federation

WS-Federation (Web Services Federation) is a protocol used for federated identity management. It allows the secure sharing of identity information across different security domains or systems. It enables Single Sign-On (SSO) by allowing users to authenticate with a trusted IDP and access services across different organizations or platforms without logging in multiple times.

How WS-Federation Works

When a user logs into a system that acts as an IDP and tries to access their Platform account, the following happens:

  1. The relying party redirects the user to the IDP for authentication.
  2. The IDP authenticates the user through credentials or another authentication mechanism.
  3. Security Token Issued: Once authenticated, the IDP issues a security token containing the user’s identity and claims.
  4. Token Sent to Relying Party: The token is sent back to the relying party, which validates it.
  5. Access Granted: The user is granted access to the requested service based on the verified token.

Windows Azure Configuration

Azure AD Federation with WS-Federation offers seamless SSO integration with Microsoft services, advanced security features like MFA and conditional access, and centralized user management. It supports flexible authentication protocols, scales with organizational growth, and ensures high availability for an enhanced user experience.

To configure SSO using WS-Federation and Windows Azure, follow the steps below:

  1. Go to the Platform’s Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select WS-Federation for Sign-on protocol and Windows Azure to Configure SSO for WS-Federation.
  4. Open Server Manager on the computer running AD FS, then choose AD FS > Tools > AD FS Management.
  5. Copy IdP URL from your IdP metadata (FederationMetadata.xml). You can find your ADFS Federation Metadata file URL on the AD FS server through ADFS Management in ADFS > Service > Endpoints > Metadata. It should look like this:

[Image: copy IdP URL]

  1. Paste this value into the Azure AD sign-on end point url field on the Platform’s SSO setup page.
  2. Copy and paste this URL link into the Azure AD federation metadata document field on the Platform’s SSO setup page.
  3. Click Save.

Other Configuration

To configure and enable SSO using WS-Federation and other IDPs of your choice, follow the steps below:

  1. Go to the Platform’s Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select WS-Federation for Sign-on protocol and Other to Configure SSO for WS-Federation.
  4. Copy and paste the SSO endpoint URL from the IDP’s portal into AD sign-on end point url on the Platform’s SSO setup page.
  5. Then, copy and paste the URL for the WS-Federation metadata document from the IDP’s portal into the AD federation metadata document url on the Platform’s SSO setup page.
  6. Click Save.

OpenID Connect Configuration

OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 framework that enables Single Sign-On (SSO) by providing a standardized way for applications to authenticate users and obtain user identity information. The Platform currently supports Sign in with Google for this protocol.

How OpenID Connect Works

When a user logs into a system that acts as an IDP and tries to access their Platform account, the following happens:

  1. The application redirects the user to the IDP for authentication.
  2. The user logs in at the IDP portal.
  3. IDP redirects the user back with an authorization code.
  4. The application exchanges the code for ID and access tokens.
  5. The application validates tokens and grants access.
  6. Users can access other integrated applications without re-authenticating.

Google Configuration

To configure SSO using OpenId Connect and Google, follow the steps below:

  1. Go to the Platform’s Single sign-on page.
  2. Select the Enable SSO tab.
  3. Select OpenId Connect for Sign-on protocol and Sign in with Google to Configure SSO for OpenId connect.
  4. Click Save.

Note

No further configuration is needed. Users will be authenticated using their Google account’s username and password.