Below are some frequently asked questions related to Single Sign-on (SSO) and Multi-Factor Authentication (MFA). Note that Multi-Factor Authentication and Two-Factor Authentication are sometimes used interchangeably. For instructions on setting up SSO or MFA, see the related topics linked below.
IPRO supports any 3rd party identity provider that uses OpenID Connect.
Yes, single sign-on can be enabled in the user page. There is also an option to “migrate” all users to log in through single sign-on; you can then go back to specific users and disable their use of an external identity provider.
Microsoft, Google, Apple, Okta, Ping
Assuming the Identity Provider supports OpenID Connect then there should not be any issue.
If you have access to your identity provider’s admin console, then it should only take a few minutes to copy over the necessary info for establishing Single Sign-on.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. https://openid.net/connect/
OAuth 2.0, is a framework, specified by the IETF in RFCs 6749 and 6750 (published in 2012) designed to support the development of authentication and authorization protocols. It provides a variety of standardized message flows based on JSON and HTTP; OpenID Connect uses these to provide Identity services. https://openid.net/connect/faq/
No, SAML is not supported
If you decide to enable single sign-on through a third-party identity provider, multi-factor authentication will be managed by the identity provider, if configured to do so. There is no “provider” for multi-factor authentication, so once it has been enabled, your users are free to use any authenticator app to generate a unique token.
No, both are independent. In fact, single sign-on users will not have multi-factor authentication enforced upon them if it’s enabled. For these users, if multi-factor authentication is desired it needs to be enforced by the third-party identity provider itself.
There can only be one identity provider configured per system. So, in this example, you might have the ability to log in via SSO, but the contractor from the service provider would need to be set up with a username and password.
Yes. Admins have the ability to disable all local logins from IPRO's login page once SSO is enabled. This can be configured through a setting in the appsettings.json file called “AllowLocalLogin,” which is set to a default value of “True.” When set to “True,” the IPRO login page can be accessed by an SSO user when they include the following parameter at the end of the URL:
When the “AllowLocalLogin” setting is changed to “False,” the local login page becomes completely inaccessible, ignoring that parameter. This prevents anyone from accessing IPRO's local login page.
Note: To automatically redirect users to the login screen of the external identity provider, ensure the Default Identity Provider option is set when you configure the identity provider in Enterprise.
You can use any mobile or desktop authentication app that provides a time-based, one-time passcode (also called TOTP, or “soft token”).
No, if you enable Multi-Factor Authentication, then it will be enabled for everyone.
Google Authenticator, Microsoft Authenticator, FreeOTP, Authy, Protectimus Smart OTP
So long as the application is using a time-based, one-time passcode it should work. However, some applications may perform better than others, and some may not work at all. If your users experience issues setting up or using their authentication app, you can reset their MFA sync and have them try again. If you still experience issues, have the user try a different authentication app.
Enabling multi-factor authentication system-wide can be done with the click of a single button. Once enabled, each user will need to synchronize their account with an authentication app the next time they log in. This synchronization process should only take a minute.
Yes, multi-factor authentication can be disabled at any time.
No, both are independent. In fact, multi-factor authentication will not be enforced upon users who log in using single sign-on through a third-party identity provider. For these users, if multi-factor authentication is desired it needs to be enforced by the third-party identity provider itself.