FAQ: Single Sign-on and Multi-Factor Authentication

Below are some frequently asked questions related to Single Sign-on (SSO) and Multi-Factor Authentication (MFA). Note that Multi-Factor Authentication and Two-Factor Authentication are sometimes used interchangeably. For instructions on setting up SSO or MFA, see the related topics linked below.

Single Sign-on

Which 3rd party provider can I use for Single Sign-on?

IPRO supports any 3rd party identity provider that supports OpenID Connect (OIDC).

 

ClosedCan I enable Single Sign-on for just some of my end users?

Yes. Single sign-on is enabled per user on the user page. There is also an option to “migrate” all users to log in through single sign-on at once; afterwards you can go back to specific users and disable their use of the external identity provider, so that they continue to sign in with a local username and password.

What are some common 3rd party Single Sign-on apps?

Microsoft, Google, Apple, Okta, Ping

Are there any major/common Single Sign-on technologies we won't support?

As long as the identity provider supports OpenID Connect, there should not be any issue. Providers that offer only SAML are not supported.

How long will it take to set up Single Sign-on?

If you have access to your identity provider’s admin console, then it should only take a few minutes to copy over the necessary info for establishing Single Sign-on.

What is OpenID Connect?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner. Source: https://openid.net/connect/

What is OAuth 2.0?

OAuth 2.0 is an authorization framework specified by the IETF in RFCs 6749 and 6750 (published in 2012). It provides a set of standardized message flows based on JSON and HTTP; OpenID Connect builds on these flows to add an identity (authentication) layer, since OAuth 2.0 on its own does not authenticate the end user. See https://openid.net/connect/faq/

Does Single Sign-on support SAML authentication?

No, SAML is not supported. Only identity providers that support OpenID Connect can be configured.

Can I use one provider for Single Sign-on and another provider for Multi-Factor Authentication?

Single sign-on and multi-factor authentication are not paired with separate providers. If you enable single sign-on through a third-party identity provider, multi-factor authentication for those users is handled by the identity provider, if it is configured to require it. For users who sign in with a local username and password there is no MFA “provider”: once MFA has been enabled, they are free to use any authenticator app that generates time-based one-time passcodes.

If I enable SSO do I also need to enable MFA?

No, the two settings are independent. Note, however, that IPRO’s multi-factor authentication setting is not enforced for users who sign in through single sign-on, even when it is enabled. If you want those users to use MFA, it must be enforced by the third-party identity provider itself.

What happens if I'm interfacing with multiple companies using OPEN DISCOVERY? For example, I have a case on IPRO's Services environment and am also doing contract work with another service provider using IPRO.

Only one identity provider can be configured per system. So in this example you might be able to log in via SSO, but the contractor from the other service provider, whose account is not in your identity provider, would need to be set up with a local username and password.

To bolster security, I'd like to disable all access to IPRO's local login page once SSO is enabled. Is there a way to do this?

Yes. Once SSO is enabled, admins can disable all local logins from IPRO's login page. This is controlled by a setting in the appsettings.json file called “AllowLocalLogin”, which defaults to “True”. While it is “True”, an SSO user can still reach the IPRO local login page by appending the following to the URL:

/account/login?disableAutomaticRedirect=true

When “AllowLocalLogin” is changed to “False”, the local login page becomes completely inaccessible and that parameter is ignored, so nobody can reach IPRO's local login page. Before turning it off, confirm that at least one administrator can sign in through the identity provider, because the local page is no longer available as a fallback.

Note: To automatically redirect users to the login screen of the external identity provider, ensure the Default Identity Provider option is set when you configure the identity provider in OPEN DISCOVERY.
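The following script is an added example for checking the change above; it is not IPRO's own code. It reads the “AllowLocalLogin” value out of appsettings.json (the FAQ names the key but not where it sits in the file, so the search is recursive, and both a JSON boolean and the quoted strings “True”/“False” are accepted) and then classifies the response to the documented bypass URL, /account/login?disableAutomaticRedirect=true. The FAQ does not say what a blocked request returns, so treating anything other than a 200 page containing a password field as “not serving the local login” is an assumption, as are the sample appsettings.json contents, which are constructed.

```python
"""Check that IPRO's local login page really is off once AllowLocalLogin is False.

Added example (not IPRO's own code). Two checks to run after the change:
  1. Read AllowLocalLogin from appsettings.json (recursive search, since the
     FAQ does not say where in the file the key lives - assumption).
  2. Classify the response to the documented bypass URL. What a blocked
     request returns is not documented, so anything other than a 200 page
     containing a password field counts as blocked (assumption).
"""
import json
import re
import sys
import urllib.error
import urllib.request

BYPASS_PATH = "/account/login?disableAutomaticRedirect=true"

# Constructed sample files, not copied from a real deployment.
DEFAULT_APPSETTINGS = '{"Logging": {"LogLevel": {"Default": "Warning"}}}'
HARDENED_APPSETTINGS = '{"Logging": {"LogLevel": {"Default": "Warning"}}, "AllowLocalLogin": "False"}'


def find_key(node, key):
    """Depth-first search for `key` anywhere in parsed JSON; None if absent."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        children = node.values()
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        hit = find_key(child, key)
        if hit is not None:
            return hit
    return None


def allow_local_login(appsettings_text):
    """True if the config still permits local logins. A missing key means the
    default, which the FAQ states is True."""
    value = find_key(json.loads(appsettings_text), "AllowLocalLogin")
    if value is None:
        return True
    if isinstance(value, bool):
        return value
    if isinstance(value, str):                  # appsettings.json often quotes booleans
        return value.strip().lower() == "true"
    raise ValueError("AllowLocalLogin has an unexpected value: %r" % (value,))


def classify_login_response(status, headers, body):
    """'local-login-served' is the finding you must not see after hardening."""
    if status == 200 and re.search(r'type\s*=\s*["\']password["\']', body, re.I):
        return "local-login-served"
    if 300 <= status < 400 and headers.get("Location"):
        return "redirected"                     # e.g. sent on to the identity provider
    return "blocked"                            # 4xx/5xx, or a 200 without a login form


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx visible instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """Live check against a deployment; needs network, so the test does not call it."""
    url = base_url.rstrip("/") + BYPASS_PATH
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(urllib.request.Request(url), timeout=timeout) as resp:
            return classify_login_response(resp.status, resp.headers,
                                           resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # unfollowed 3xx and 4xx/5xx land here
        return classify_login_response(err.code, err.headers,
                                       err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_APPSETTINGS), ("hardened", HARDENED_APPSETTINGS)):
        print(label, "AllowLocalLogin ->", allow_local_login(text))
    if len(sys.argv) > 1:                       # e.g. python check_local_login.py https://ipro.example
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

Run it with the base URL of the deployment as its only argument after setting “AllowLocalLogin” to “False” and restarting the application; a verdict of local-login-served means the bypass parameter is still honoured and the change has not taken effect.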

Multi-Factor Authentication

Which 3rd party applications can I use for multi-factor authentication?

You can use any mobile or desktop authentication app that provides a time-based, one-time passcode (also called TOTP, or “soft token”).

Can I enable Multi-Factor Authentication for just some of my end users?

No. Multi-Factor Authentication is a system-wide setting: once enabled, it applies to every user who logs in with a local username and password. Users who sign in through single sign-on are not covered by it; see the MFA and SSO question below.

What are some common 3rd party Multi-Factor Authentication apps?

Duo, Google Authenticator, Microsoft Authenticator, FreeOTP, Authy, Protectimus Smart OTP

Are there any major/common Multi-Factor Authentication apps we won't support?

As long as the application generates time-based, one-time passcodes it should work. However, some applications may perform better than others, and some may not work at all. If a user has trouble setting up or using their authentication app, you can reset their MFA sync and have them enroll again. If the problem persists, have the user try a different authentication app.
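
The reason any of the apps listed above interoperates is that they all implement the same algorithm, RFC 6238 TOTP on top of RFC 4226 HOTP: server and app derive the same six-digit code from a shared secret and the current 30-second time step, with nothing vendor-specific involved. The following is an added example written for this page, not IPRO's code, and it does not describe how IPRO's server verifies codes. It generates codes and shows the two things a verifier has to get right: tolerating a small clock-drift window (one step either side is an assumption) and refusing to accept a code for a time step that has already been used. The secret and timestamps are the published RFC 6238 test vectors, used here as sample data.

```python
"""RFC 6238 TOTP: the algorithm behind every "soft token" app.

Added example, not IPRO's code. Shows code generation (shared by app and
server) and a server-side verifier with a clock-drift window and replay
protection. Secret and timestamps are the RFC 6238 Appendix B test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30     # time step used by the authenticator apps the FAQ lists
DIGITS = 6
DRIFT_STEPS = 1       # accept one step either side for clock skew (assumption)

# RFC 6238 test secret, base32-encoded the way an enrollment QR code carries it.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def secret_from_base32(encoded):
    """Decode the base32 secret from enrollment; tolerate spaces and missing padding."""
    cleaned = encoded.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp_at(secret, unix_time, digits=DIGITS, step=STEP_SECONDS, digestmod=hashlib.sha1):
    """Code for the time step containing unix_time (RFC 6238 over RFC 4226 HOTP)."""
    counter = int(unix_time) // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: check a submitted code and remember the step it was used for."""

    def __init__(self, secret, drift_steps=DRIFT_STEPS):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1                 # highest step already consumed

    def verify(self, submitted, now=None):
        now = int(time.time()) if now is None else int(now)
        current = now // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            # A step at or before the last accepted one is a replay, even if
            # the code is otherwise valid inside the drift window.
            if step <= self.last_accepted_step:
                continue
            expected = totp_at(self.secret, step * STEP_SECONDS)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(SAMPLE_SECRET_B32)
    print("code now:", totp_at(secret, time.time()))
    print("RFC vector T=59 (8 digits):", totp_at(secret, 59, digits=8))
```

A user whose phone clock has drifted by more than the window will be rejected even though their app is working, which is the usual cause of “the code is not accepted” reports; resetting the user's MFA sync re-enrolls a fresh secret but does not fix a wrong clock.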

How long does it take to enable Multi-factor Authentication for my end users?

Enabling multi-factor authentication system-wide can be done with the click of a single button. Once enabled, each user will need to synchronize their account with an authentication app the next time they log in. This synchronization process should only take a minute.

If I enable multi-factor authentication, can I revert if I change my mind?

Yes, multi-factor authentication can be disabled at any time.

If I enable MFA, do I also need to enable SSO?

No, the two settings are independent. Note, however, that multi-factor authentication is not enforced for users who log in using single sign-on through a third-party identity provider. If you want those users to use MFA, it must be enforced by the third-party identity provider itself.

Related Topics

Configure Single Sign-on (SSO)

Sign In With Multi-Factor Authentication (MFA)