This page covers how users log in and the webmaster options that control that experience. There are several ways of authenticating users and controlling who can access your site.
How users can authenticate
Users can authenticate through the following methods:
- Email and password
- Single sign-on (SSO) through a connected identity provider
- Both of the above
Authenticating via SSO improves user experience (UX) as users can quickly access the site in a secure way. SSO can be seamless, provided the user has a federated identity (such as those on an internal network).
Users without a federated identity can still authenticate via SSO, as long as they can log into their identity provider and Invotra is connected with that identity provider. For more information on connecting Invotra to an identity provider, see connecting Invotra with an identity provider.
If a user cannot be authenticated via SSO, for example, the user account is not connected to an identity provider, then the user has the option to log in with their email and password.
These fields are only shown when ‘Enable manual login’ is selected in Authentication settings. If your users are not expected to log in with an email and password, it is recommended to hide these options to avoid confusion.
Invotra can automatically generate and send temporary passwords for new accounts logging in with email and password.
When a new account is created and you opt to notify the user of the new account, a password is emailed to the user. Users must enter the temporary password and then immediately create their own password to authenticate.
A temporary password can also be created by a webmaster creating the user manually from user management in administration; in that case the webmaster must communicate the password to the user directly, through another channel.
If a temporary password is not sent to a user who cannot authenticate via SSO, the user will not be able to access the site.
Invotra supports multi-factor authentication (MFA) via SMS.
MFA adds a step to the authentication process to verify the user, so that a password alone (for example one that has been phished or reused from a breached site) is not enough to access the account. Note that SMS is the weakest common second factor, as codes can be intercepted through SIM swapping or phone-number porting; it is still a substantial improvement over a password alone.
Enabling multi-factor authentication
A webmaster can enable or disable multi-factor authentication from the authentication page in administration.
This is a global setting and affects all users logging in with email and password. Users who authenticate via SSO bypass Invotra's multi-factor authentication; the identity provider being used may enforce its own MFA.
Authenticating with multi-factor authentication
With multi-factor authentication enabled, a user enters a valid email and password combination and a code is sent via SMS. The user will need to enter the code within 3 minutes to complete authentication and access the site.
You must ensure users have a mobile phone number added to their account before enabling MFA.
The log out options are dependent on the ALB being accessed. For users accessing from an internal network, the log out option is hidden, because seamless SSO would immediately sign the user back in and create an infinite loop.
For external networks, the log out option is available from within the user profile menu. Webmasters can configure the log out button to additionally log the user out of their identity provider.
The main reason for doing this is to make access from shared or public computers more secure, by ensuring that nobody else using the same browser can automatically log in with SSO after the user has left.
To achieve this:
- Edit the IdP from within the Authentication page
- Select the single sign out option
When this is set up, provided the identity provider allows it, when a user signs out from Invotra they will also sign out from their identity provider.
Recovering an account
Users can recover their account if they have forgotten their password. In order to recover a password:
- Go to the log in screen
- Select “Forgot your password?”
- Enter the email address for the account and submit the form
A code will be sent to the email address. To recover the account, the user must enter the code into the field provided on the log in screen.
After a valid code is entered, the user is prompted to add a new password, after which the user will be able to access the site.
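Both the SMS step of MFA described above and the email-based recovery flow rely on the same mechanism: a randomly generated one-time code that must be entered before it expires. The following is an added illustration of how such a check is typically built; it is example code written for this page, not Invotra's implementation. The 3-minute SMS lifetime comes from the documentation; the recovery-code lifetime is not stated on the page and is left as a parameter. The single-use rule, the five-attempt lockout and the constant-time comparison are standard practice assumed here, not settings the page describes.

```python
"""Time-limited one-time code check (illustrative, not Invotra's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 6
MFA_TTL_SECONDS = 3 * 60   # documented lifetime of the SMS code
MAX_ATTEMPTS = 5           # assumption: lock the challenge after 5 wrong guesses


@dataclass
class Challenge:
    """One issued code, with its expiry and bookkeeping for verification."""
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


def generate_code(digits: int = CODE_DIGITS) -> str:
    """Uniformly random numeric code from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def issue_challenge(ttl_seconds: int, now: Optional[float] = None) -> Challenge:
    """Create a challenge valid for ttl_seconds from now (now is injectable for tests)."""
    now = time.time() if now is None else now
    return Challenge(code=generate_code(), expires_at=now + ttl_seconds)


def verify_code(challenge: Challenge, submitted: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'used', 'expired', 'locked' or 'mismatch'.

    The state checks run before the digit comparison, so a reused, expired or
    locked challenge is rejected even when the submitted digits are correct.
    """
    now = time.time() if now is None else now
    if challenge.used:
        return "used"
    if now > challenge.expires_at:
        return "expired"
    if challenge.attempts >= MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    # Constant-time comparison so response timing does not leak matching digits.
    if hmac.compare_digest(challenge.code.encode(), submitted.strip().encode()):
        challenge.used = True
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    # Simulated SMS step: issue, then verify within the 3-minute window.
    mfa = issue_challenge(MFA_TTL_SECONDS, now=0.0)
    print("fresh code accepted:", verify_code(mfa, mfa.code, now=60.0))
    print("replay rejected:", verify_code(mfa, mfa.code, now=61.0))
    late = issue_challenge(MFA_TTL_SECONDS, now=0.0)
    print("after 3 minutes:", verify_code(late, late.code, now=181.0))
```

The same `verify_code` serves the recovery flow by issuing the challenge with whatever lifetime is chosen for email codes; what changes is only the delivery channel. The attempt cap matters because a six-digit code has only a million possibilities, so an attacker who can submit guesses freely within the window would otherwise have a realistic chance of brute-forcing it.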
Allowing blocked users to authenticate
The purpose of blocking a user is to prevent them from authenticating to the site. While a user is blocked, they cannot authenticate to the system through any method.
In some circumstances, you may want to block a user who will not be authenticating for a long period of time, but allow them back in automatically if they are later able to authenticate via SSO.
To achieve this, the webmaster can check ‘Unblock users on successful SSO’ on the authentication page in administration.
When this is checked, any user who successfully authenticates via SSO will be able to access the site regardless of their status; if the user is blocked, their status is changed to active. Note that with this option enabled, blocking no longer prevents access for anyone the identity provider still recognises, so a user who must be kept out should also be disabled or removed at the identity provider.