This guide covers how users can sign in and the webmaster options available to control the experience. There are various ways of authenticating users and controlling who can access your intranet – this will be covered below.
How users can authenticate
Users can authenticate through the following methods:
- Email and password
- Single sign-on (SSO)
- Both of the above
Authenticating via SSO improves UX, as users can access the site quickly and securely. SSO can be seamless provided the user has a federated identity (such as users on an internal network). Otherwise, anyone who cannot obtain a federated identity can still authenticate via SSO as long as they can sign in to their identity provider and Invotra is connected with that identity provider. For more information on connecting Invotra to an identity provider, see Connecting Invotra with an identity provider.
If a user cannot be authenticated via SSO (for example, because the user account is not connected to an identity provider), the user has the option to sign in with their email and password. These fields are only available while Enable manual login is selected under the Authentication settings. If none of your users are expected to sign in with an email and password, it is recommended to hide those sign-in options to avoid confusing users.
Invotra allows automatic generation and communication of temporary passwords for new accounts logging in with email and password. When a new account is created and the option to notify the user of the new account is selected, a password is emailed to the user. Users must enter the temporary password and then immediately choose their own password to authenticate.
A temporary password can also be created by a webmaster when creating a user individually from user management; in that case, however, the webmaster must communicate the password to the user by some other means.
Note: if a temporary password is not sent to a user who cannot authenticate via SSO, the user will not be able to access the site.
Invotra supports MFA (multi-factor authentication) via SMS.
MFA adds a step to the authentication process to verify that the user is who they claim to be, significantly reducing the risk of a malicious attacker gaining access to the account.
Enabling multi-factor authentication
A webmaster can enable or disable multi-factor authentication from the Authentication page in Invotra admin. This is a global setting that affects all users signing in with email and password. Users who authenticate via SSO bypass the multi-factor authentication within Invotra; however, the identity provider in use may have its own MFA (multi-factor authentication) solution.
Authenticating with multi-factor authentication
While multi-factor authentication is enabled, when a user enters a valid email and password combination a code is sent via SMS. The user must enter the code within 3 minutes to complete authentication and access the intranet.
Note: ensure that users have a mobile phone number for their Invotra account before enabling MFA.
Signing out
The sign-out options depend on the ALB being accessed. For users accessing from an internal network, the sign-out option is hidden to avoid an infinite sign-out/sign-in loop, as seamless SSO is possible on that network.
For external networks, the sign-out option is available from the user profile menu. Webmasters can configure the sign-out button to additionally sign the user out of their identity provider. The main use case is to make access from public computers more secure by ensuring that no one else can automatically sign in with SSO afterwards. To achieve this:
- Edit the IdP from within the Authentication page
- Select the Single sign out option
Once this is set up, and provided the identity provider allows it, a user who signs out of Invotra is also signed out of their identity provider.
Recovering an account
Users can recover their account if they have forgotten their password. In order to recover a password:
- Go to the sign in screen
- Select the “Forgot your password?” link
- Enter the email address of the account and submit the form
A code is sent to the email address entered; to recover the account, the user must enter the code from the email into the field provided on the sign-in screen.
After a valid code is entered, the user is prompted to set a new password, after which they will be able to access the site.
Allowing blocked users to authenticate
The purpose of blocking a user is to prevent that user from authenticating to the site. While a user is blocked, they cannot authenticate through any method.
In some circumstances it may be appropriate to block a user who will not be authenticating for a long period of time, yet still allow them in if they can authenticate via SSO. To achieve this, the webmaster can select Unblock users on successful SSO in the Authentication settings. When this is checked, any user who successfully authenticates via SSO will be able to access the site regardless of their status; if the user was blocked, their status is changed to active.
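The following is an added example, not Invotra's code: a small Python model of the sign-in policy this guide describes, covering the manual-login switch, MFA for email/password sign-in (with the 3-minute, single-use SMS code), SSO bypassing the in-app MFA, and the blocked-user rules including Unblock users on successful SSO. Every setting, field and function name is an assumption made for illustration, and the SMS "delivery" is just a list the code is appended to.

```python
# Added example: a toy model of the sign-in policy described in this guide.
# Not Invotra's code; all names below are assumptions made for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple
import hashlib
import hmac
import secrets

MFA_CODE_TTL_SECONDS = 180      # the 3-minute window the guide gives for the SMS code
SMS_OUTBOX: List[Tuple[str, str]] = []   # constructed stand-in for an SMS gateway


@dataclass
class Settings:
    """Webmaster-controlled options from the Authentication page (names assumed)."""
    enable_manual_login: bool = True
    mfa_enabled: bool = False               # global; only affects email/password sign-in
    unblock_on_successful_sso: bool = False


@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    phone: Optional[str] = None             # needed before MFA can be enabled
    sso_linked: bool = False                # account is connected to an identity provider
    blocked: bool = False
    pending_code: Optional[Tuple[str, float]] = None   # (sms code, issued-at seconds)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_user(email: str, password: str, **fields) -> User:
    salt = secrets.token_bytes(16)
    return User(email=email, salt=salt, password_hash=hash_password(password, salt), **fields)


def password_login(user: User, password: str, settings: Settings, now: float) -> str:
    """First step of email/password sign-in; returns a decision string."""
    if not settings.enable_manual_login:
        return "denied:manual_login_disabled"
    # constant-time comparison so a wrong password is not distinguishable by timing
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return "denied:bad_credentials"
    if user.blocked:
        return "denied:blocked"             # blocking stops every method
    if settings.mfa_enabled:
        if not user.phone:
            return "denied:no_phone_for_mfa"   # why the guide says to set numbers first
        code = f"{secrets.randbelow(10**6):06d}"
        user.pending_code = (code, now)
        SMS_OUTBOX.append((user.phone, code))
        return "mfa_required"
    return "authenticated"


def complete_mfa(user: User, code: str, now: float) -> str:
    """Second step: the code is single-use and valid for MFA_CODE_TTL_SECONDS."""
    if user.pending_code is None:
        return "denied:no_pending_code"
    expected, issued_at = user.pending_code
    user.pending_code = None                # consumed whether right or wrong
    if now - issued_at > MFA_CODE_TTL_SECONDS:
        return "denied:code_expired"
    if not hmac.compare_digest(expected, code):
        return "denied:wrong_code"
    return "authenticated"


def sso_login(user: User, settings: Settings, idp_assertion_valid: bool) -> str:
    """Sign-in via the identity provider; in-app MFA is bypassed on this path."""
    if not user.sso_linked or not idp_assertion_valid:
        return "denied:not_federated"
    if user.blocked:
        if not settings.unblock_on_successful_sso:
            return "denied:blocked"
        user.blocked = False                # status changed to active, as the guide says
    return "authenticated"
```

Validating the identity provider's assertion itself (signature, audience, expiry) is out of scope here and is represented by the `idp_assertion_valid` flag; the point of the model is the ordering of the policy checks, in particular that the blocked check runs on every path and that MFA is only ever demanded on the email/password path.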