Directory Settings
  • 23 Sep 2025
  • 8 Minutes to read
  • PDF

Article summary

This document provides an overview of the OneIdP Directory Settings within the Scalefusion Dashboard. These settings allow you to configure various aspects of user authentication and management for domains associated with your OneIdP instance.

Pre-Requisite

  1. Directory (OneIdP) should be configured on Scalefusion Dashboard.

Access Settings

To access Settings,

  1. On Scalefusion Dashboard, navigate to OneIdP > Directory

  2. Click the three dots under Actions for the domain whose Settings you want to configure

  3. Click on Settings

  4. This will open a new dialog box.

The following are the settings you can configure:

A. User Management

  1. Users in this domain have access to Email service: Enable this if users in this domain have access to e-mail service. This will be used to send enrollment invites and/or password reset emails.

  2. Auto Migrate Users when users are imported from external Identity providers: Enable this to automatically import users matching this domain when they are imported from external identity providers.

  3. Force Password Change on first time use: Enable this to force users to change their password the first time they use their Directory account, whether for enrollment or for app access.

  4. Force Password Change on password reset from Dashboard: Enable this to force password change when an admin resets their password from Dashboard.

B. Password Settings

Password management is one of the policies that comes along with user management. The goal is to let admins define password complexity rules for each domain that they have added in Directory.

It has the following sections:

  1. Complexity: Here you can define how complex the password should be. You can require digits, upper-case and lower-case characters, special characters, and so on. The minimum password length is 8 and the maximum is 16.

    1. Please note that if the option “Apply these settings when Admin resets password from Dashboard” is selected, then the password complexity will be applied in the following cases:

      1. When an Admin resets the password from the Scalefusion dashboard.

      2. When Admin is adding a new user from the dashboard.

    2. Allow sequential characters: If it is not selected, the user will not be able to use sequential characters for example, Pqr, or 345, etc.

    3. Allow repeated characters: If it is not selected, the user will not be able to use the same character repeatedly. For example, 111 or aaa will be allowed, however 1111 or aaaa will not be allowed.

  2. Expiry & History: In this section, you can configure:

    1. Password Expiry Period: Set the number of days after which the password will expire. It should be between 0 and 365 days.

    2. Maximum Password History List: This determines how many previous passwords are remembered and prevented from being reused when a user changes their password. It should be between 0 and 12.

    3. Send reminder emails before: Select the number of days before which the password expiry email should go to the users.

    4. Logout the users from the SSO session on password expiry: This will invalidate the login sessions of the users from their devices.

  3. Account Lockout: In this section you can configure:

    1. Number of failed attempts to lock account: Select the number of failed attempts after which the account will be locked.

    2. Unlock account after configured time (mins): Specify the time period after which the account will be unlocked following a lockout due to failed login attempts. Minimum is 10 minutes and Maximum is 60 minutes.

C. Password Reset (Password Self-Service)

IT admins frequently receive requests to reset user passwords, and as the number of users grows, so does the volume of these requests, increasing the burden on IT. The goal, therefore, is to enable users to reset their own passwords when forgotten, while also implementing logging to monitor and track these changes.

Note:

Please note that this feature is supported only for SSO configurations set up with Microsoft Entra, Google Workspace, or Google LDAP.

Prerequisites:

  • Kindly ensure that the option to create and delete users is enabled under SSO Scope Management > Configure User Management in the SSO configuration.

Settings:

  1. Navigate to OneIdP > Directory > click the 3 dots under Action for the concerned domain.

  2. Click Settings.

  3. Go to the Password Settings tab and scroll down to the Password Reset section.

  4. To allow users to reset their passwords from the login page, enable the following options:

    1. Allow users to reset their password from login page

    2. Allow reset using OTP from Scalefusion managed device or 3rd party authenticator: Selecting this option allows users to enter an OTP generated by the Scalefusion Authenticator app on a managed device. If they are using a third-party authenticator app, they can enter the OTP generated by that app instead, and go ahead and reset the password.

    3. Allow reset using a recovery email if the user has configured a recovery email: If the user has configured a recovery email in the User Portal on their device, selecting this option will send an OTP to that email address, allowing the user to reset their password.

  5. Click on Next to save the settings on the dashboard.

  6. Password reset events can be viewed under Reports > OneIdP Activity. To see these events, apply the 'User Events' filter.

Setting Recovery email in User Portal

  1. The user will log in to the User portal using their email ID and password.

  2. Select My Profile to open the Account Details page, then click the Configure Recovery Email option.

  3. The user will be prompted to enter the email ID they wish to set as the recovery email. Click Submit.

  4. An OTP will be sent to the provided email ID, which the user must enter before clicking Confirm.

  5. After completing this step, the recovery email will be displayed on the Account Details page in the User Portal.

User Experience

  1. Allow reset using OTP from a Scalefusion-managed device or third-party authenticator.

    1. If the user has forgotten their password, they can click the Forgot Password option on the OneIdP login page.

    2. Next, they will have to enter their email ID and click Reset your password.

    3. They will see a screen to enter the OTP displayed either on a Scalefusion-managed device or in a third-party authenticator. Click Confirm.

    4. They will see a screen to Reset Password.

    5. They will be redirected to the sign-in page to log in with the new password.


      Note:

      Please note that if the device is offline or not connected to a stable internet connection, the user should reset the password by entering the OTP from a third-party authenticator app.

  2. Allow resetting using a recovery email if the user has configured one.

    1. If the user has set a recovery email in the User Portal, they can use this option to reset the password.

    2. The user will enter their email ID on the OneIdP page and click Continue.

    3. In the next screen, click on the Forgot Password option.

    4. Enter your OneIdP email ID here again and click the Reset Your Password option.

    5. In the next screen, enter the recovery email and click Submit.

    6. Next, enter the OTP that is sent to the recovery email ID and click Submit.

    7. In the next screen, they can reset the password.

    8. They will be redirected to the sign-in page to log in with the new password.

D. Federated Authentication

OPC (On-Premise Connector) allows Scalefusion to authenticate users against your on-premises Active Directory (AD) environment. This means that users can sign in to Scalefusion using their existing AD credentials. This is also extended to OneIdP users to provide a more seamless and unified sign-in experience. In essence, extending OPC to OneIdP users allows for a more centralized and convenient authentication method within your organization.

Important Points to Note:

  • Federated Authentication allows admins to select additional identity sources.

  • For Federated Authentication, OPC integration should be done into your Scalefusion account.

  • Federated Authentication settings are applicable only for custom domains.

  1. Configure an external LDAP source that will be used to authenticate users

    1. Enable Scalefusion OnPremise Connector as Authentication source: Enabling this makes the Scalefusion OnPremise Connector the authentication source (when configured). When the Scalefusion On-Premise Connector is configured and enabled as the authentication source, Scalefusion will use your on-premises Active Directory (AD) environment to authenticate users. This allows users to sign in to Scalefusion using their existing AD credentials instead of creating separate Scalefusion accounts.

    2. Set default authentication source: Set the default authentication source for users added or imported from external directories or CSV files. This will determine how these users will sign in to Scalefusion. Choose one from the drop-down:

      1. OneIdP (default)

      2. Scalefusion OnPremise Connector



E. Multi-factor Authentication

Multi-factor authentication policy allows you to secure access to your services when they are accessed from an unmanaged device. You can also enable MFA for Keycard based logins on managed devices. Any change in settings applies from subsequent logins.

Note:

MFA with a 3rd party authenticator app will not be enforced on managed devices.

Select Multi-factor method

  1. Enable MFA using third party authenticator app: Enable this to apply MFA and to prompt user to set up MFA using a third-party authenticator app like Google Authenticator or Microsoft Authenticator.

    1. Prompt for MFA setup on account activation: Enable this to prompt users when they activate their account by resetting their password for the first time from the Welcome email.

    2. Grace period for configuring MFA using Authenticator app: Configure how many times the user is able to log in to an assigned application without configuring MFA with a 3rd party authenticator. You can choose within the range 1-5 times. On the OneIdP login screen, user(s) can click on Skip for now to skip setting up the authenticator app.

  2. Enable MFA using OTP sent on Email: An OTP will be sent to the user on their email address and they will see the field to enter the OTP. User(s) will also have the option to resend the OTP, if not received.

    1. If both options “Enable MFA using third party authenticator app” and “Enable MFA using OTP sent on Email” are selected, then on the OneIdP login screen users will have to click on the Try Another Method button to see the field to enter the email OTP. User(s) will also have the option to resend the OTP, if not received.


  3. Use MFA for Keycard based logins: Enable this to force users to verify using the OTP from a 3rd party authenticator app when logging in to a Windows or Mac device using Keycard. It is available in the following cases:

    1. When Enable MFA using third party authenticator app is enabled.

    2. When Enable MFA using OTP sent on Email is enabled.

    3. When both are enabled.

Points to note

If MFA is enabled in SSO config and you try to uncheck the options "Enable MFA using third party authenticator app" and "Enable MFA using OTP sent on Email" in Directory, you will see the following message.

