Directory Settings

This document provides an overview of the OneIdP Directory Settings within the Scalefusion Dashboard. These settings allow you to configure various aspects of user authentication and management for domains associated with your OneIdP instance.

Pre-Requisite

1. Directory (OneIdP) should be configured on Scalefusion Dashboard.

Access Settings

To access Settings,

1. On Scalefusion Dashboard, navigate to OneIdP > Directory

2. Click on three dots under Actions, for the domain over which you have to configure Settings

3. Click on Settings
   

4. This will open a new dialog

Following are the settings you can configure:

A. User Management

1. Users in this domain have access to Email service: Enable this if users in this domain have access to e-mail service. This will be used to send enrollment invites and/or password reset emails.
   

2. Auto Migrate Users when users are imported from external Identity providers: Enable this to automatically import users matching this domain when they are imported from external identity providers.
   

3. Force Password Change on first time use: Enable this to force password change when they use the Directory account first time either for enrollment or any app access.
   

4. Force Password Change on password reset from Dashboard: Enable this to force password change when an admin resets their password from Dashboard.
   

B. Password Settings

Password management is one of the policies that comes along with user management. The goal is to let admins define a password complexity rules for each domain that they have added in Directory

It has the following sections:

1. Complexity: Here you can define how complex the password should be. You can choose a number, upper, lower-case character, special character, etc. The minimum password length is 8 and maximum is 16.

   1. Please note that is the option “Apply these settings when Admin resets password from Dashboard” is selected then the password complexity will be applied in following cases:

      1. When an Admin resets the password from the Scalefusion dashboard.

      2. When Admin is adding a new user from the dashboard.

   2. Allow sequential characters: If it is not selected, the user will not be able to use sequential characters for example, Pqr, or 345, etc.

   3. Allow repeated characters: If it is not selected, the user will not be able to use same characters repeatedly, for example, 111 or aaa, will be allowed however 1111 or aaaa will not be allowed.
      

2. Expiry & History: In the section you can configure:

   1. Password Expiry Period: Set number of days after which the password will expire. It should be between 0-365 days.

   2. Maximum Password History List: This determines how many previous passwords are remembered and prevented from being reused when a user changes their password. It should be between 0-12.

   3. Send reminder emails before: Select the number of days before which the password expiry email should go to the users.

   4. Logout the users from the SSO session on password expiry: This will invalidate the login sessions of the users from their devices.
      

3. Account Lockout: In the section you can configure:

   1. Number of failed attempts to lock account: Select the number of failed attempts after which the account will be locked.

   2. Unlock account after configured time (mins): Specify the time period after which the account will be unlocked following a lockout due to failed login attempts. Minimum is 10 minutes and Maximum is 60 minutes.
      

C. Federated Authentication

OPC (On-Premise Connector) allows Scalefusion to authenticate users against your on-premises Active Directory (AD) environment. This means that users can sign in to Scalefusion using their existing AD credentials. This is also extended to OneIdP users to provide a more seamless and unified sign-in experience. In essence, extending OPC to OneIdP users allows for a more centralized and convenient authentication method within your organization.

Important Points to Note:

• Federated Authentication allows admins to select additional identity sources.

• For Federated Authentication, OPC integration should be done into your Scalefusion account.

• Federated Authentication settings are applicable only for custom domains

1. Configure an external LDAP source that will be used to authenticate users

   1. Enable Scalefusion OnPremise Connector as Authentication source: Enabling this will make Scalefusion OnPremise Connector as the authentication source (when configured). When the Scalefusion On-Premise Connector is configured and enabled as the authentication source, Scalefusion will use your on-premises Active Directory (AD) environment to authenticate users. This allows users to sign in to Scalefusion using their existing AD credentials instead of creating separate Scalefusion accounts.
      

   2. Set default authentication source: Set the default authentication source for users added or imported from external directories or CSV files. This will determine how these users will sign in to Scalefusion. Choose one from the drop-down:

      1. OneIdP (default)

      2. Scalefusion OnPremise Connector

         
         
         

D. Multi-factor Authentication

Multi-factor authentication policy allows you to secure access to your services when accessed from an unmanaged device. You can also enable MFA for Keycard based logins on managed devices. Any change in settings apply from the subsequent logins.

Note:

MFA with 3rd party authenticator app will not be enforced on managed device.

Select Multi-factor method

1. Enable MFA using third party authenticator app: Enable this to apply MFA and to prompt user to set up MFA using a third-party authenticator app like Google Authenticator or Microsoft Authenticator.
   

   1. Prompt for MFA setup on account activation: Enable this to prompt users when they activate their account by resetting their password for first time from Welcome email.

   2. Grace period for configuring MFA using Authenticator app: Configure how many times the user is able to login to assigned application without configure MFA with 3rd party authenticator. You can choose within the range 1-5 times. On the OneIdP login screen, user(s) can click on Skip for now to skip setting up the authenticator app.
      

2. Enable MFA using OTP sent on Email: An OTP will be sent to the user on their email address and they will see the field to enter the OTP. User(s) will also have the option to resend the OTP, if not received.

   1. If both options “Enable MFA using third party authenticator app” and “Enable MFA using OTP sent on Email” are selected, then on the OneIdP login screen Users will have to click on Try Another Method button and they will see the field to enter the OTP. User(s) will also have the option to resend the OTP, if not received.
      
      
      

3. Use MFA for Keycard based logins: Enable this to force users to verify using the OTP from 3rd party authenticator app when logging in to Windows or Mac device using Keycard. It is dependent on following:

   1. When Enable MFA using third party authenticator app is enabled.

   2. When Enable MFA using OTP sent on Email is enabled.

   3. When both are enabled.

Points to note

If MFA is enabled in SSO config and you try to uncheck the options "Enable MFA using third party authenticator app" and "Enable MFA using OTP sent on Email" in Directory, you will see the following message.