SSO General Settings

Introduction

Setting up Single Sign-On (SSO) can vary depending on the protocol, but there are several core settings that remain consistent across both SAML and OIDC configurations. In this article, we’ll explore the common foundational elements of SSO setups, helping you streamline integration regardless of the protocol you choose.

Sign-In Overrides during SSO experience

Configure additional sign-in overrides to allow users to sign in with alternate user and/or device verification mechanisms.

Allow access based on OTP sent on registered mobile number

If OTP-based access is enabled for any SSO application, activate this setting to allow users to receive an OTP on the phone number specified in the User Enrollment section before setting up an authenticator app or enrolling a managed device.

Prerequisites

1. Phone number is added for the users in the User Enrollment section.
   

   

2. In the Directory settings, navigate to the relevant domain settings and enable “MFA using a third-party authenticator app” under the Multi-factor Authentication section.
   

   

3. The SMS service provider details—Twilio, in this case—must be configured under Utilities > Global Settings > General Settings > SMS Service Provider Settings.
   

   

4. Please ensure that “Allow users to access by setting up MFA using third party authenticator app or OTP sent on email.” option is selected in the concerned SSO Configuration, under Conditional Access Settings.
   

   

   
   

Settings

1. Navigate to OneIdP > SSO Configurations > click General Settings.

2. Select the option “Allow access based on OTP sent on registered mobile number” under Sign-In Overrides during SSO experience.

   1. Select “Number of times user can request OTP before requiring to setup Authenticator or managing the device” to set a value of how many times a user can request for an OTP. You can set the value between 0 and 20.

3. Click Save.

Note:

If the user exceeds the allowed number of OTP requests, they will be prompted to set up a third-party authenticator instead.

User Experience

1. When a user attempts to access an application or service from an unmanaged device, they will be redirected to the OneIdP login screen, where they must enter their email ID and password.
   

   

2. They will see the following screen. Click Complete Sign in.
   

   

3. Scalefusion will perform a compliance check, after which users will be presented with the following screen.
   

   

4. Click Send SMS on Phone Number.
   

   

5. The user must enter the correct registered phone number along with the appropriate country code to receive the OTP.
   

   

6. At this step, the user must enter the OTP received on their registered phone number.
   

   

7. Once done, they will be able to log in.