Authentication

You can use Single Sign-On (SSO) and Multi-Factor Authentication (MFA) for an additional layer of security to augment usernames and passwords.

Single sign-on (SSO)

Activate SSO to enable all Clumio users to log in to Clumio using one set of credentials. SSO can be either service provider (SP) initiated, or identity provider (IdP) initiated. Clumio acts as a service provider (SP) that establishes a trust relationship with your Security Assertion Markup Language Identity Provider (SAML IdP) to authenticate administrators and other users of Clumio.

Service provider initiated SSO

With service provider initiated (SP-initiated) SSO, users log in to applications directly using their corporate credentials. Users are redirected to the IdP login page (if they are not already logged into the IdP), then they are logged in to the application.

Clumio supports SP-initiated SSO. As an administrator, Clumio SSO allows you to do the following:

  • Manage access for users from a centralized identity provider portal.

  • Use your corporate credentials to securely log into the Clumio UI.

  • Enforce corporate password policies within your identity provider portal without having to administer them separately for Clumio.

Identity provider initiated SSO

With identity provider initiated (IdP-initiated) SSO, users log in to their IdP’s SSO page and select the application to access it. Clumio supports SSO through the SAML 2.0 protocol, so any identity provider that has been implemented per the SAML 2.0 specification can be onboarded with Clumio*. For instructions to configure SSO or MFA with different identity providers, see Administer Clumio.

* Limitations may apply.

To set up SSO within Clumio, complete the information in the Authentication section, and upload the SAML metadata file, if available, from your IdP application. Clumio generates a service provider metadata file, which you add to your IdP application. This process allows the two applications to exchange information.

Configure SSO

To configure Clumio as a service provider application in your SAML IdP, do the following:

  1. Go to Administration > Access Management > Authentication and then select Single Sign-on.

  2. Complete the following fields in the Identity Provider (IdP) Details section:

    • Name: Select the name of your IdP. If the IdP is not listed, select Other and then enter the name in the text field.

    • Metadata File: Select one of the following options:

      • Metadata URL: Provide a public URL from which Clumio can download the XML file with the metadata. This file is accessed each time there is an SSO handshake between Clumio and the IdP. If the file URL is not accessible, the login fails.

      • Metadata file upload: Upload the SAML metadata file from your IdP.

      • Manual configuration: You must provide the following information from your IdP:

        • Single sign on issuer: The identity provider's unique entity ID

        • SSO URL: The URL to which a user is redirected when they sign in to Clumio

        • Public key certificate: The IdP's X.509 certificate

    • Attribute Type: Enter the email that you used during the Clumio registration.

  3. Click Test with my account to test the SSO configuration using the email ID provided. The test is based on the values entered in the IdP Details section. If there are any issues, an error message appears.

  4. Click the Activate SSO toggle to enable (blue) or disable (gray) SSO.

If SSO is enabled for an organization, Clumio sends a confirmation email to the users in the system. If SSO is disabled, Clumio sends a notification email, and users need to reset their password to access their Clumio account. This only applies if a user is invited after SSO is enabled. If a user existed in Clumio before SSO was enabled, then their old password will continue to work.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) may be useful if you are not working in an SSO environment.

With the optional MFA feature, you can configure a time-based one-time password (TOTP), using the provider of your choice, that generates a code for Clumio user authentication. When MFA is enabled for all users, Clumio prompts each user to enter the additional code after signing in with their username and password. The QR code does not expire.

You can only activate MFA using a smartphone with an MFA application. Clumio only supports authentication applications that comply with RFC 6238 and generate TOTP codes. Examples include Google Authenticator, Okta Verify, and Microsoft Authenticator.

Before you can set up MFA for Clumio, make sure the MFA application is installed on your device.

If you need to reset MFA on your device, reach out to Clumio Support at support@clumio.com.
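What an RFC 6238 authenticator app and the verifying service each compute for the six-digit code is shown below as an added example, not Clumio code. HMAC-SHA-1, the 30-second step and the one-step drift window are assumed common defaults, not values stated on this page.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code; assumed RFC 6238 default, not stated on this page
DIGITS = 6   # the login prompt asks for a six-digit code


def totp(secret, at, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP with HMAC-SHA-1: HOTP (RFC 4226) over the time-step counter."""
    counter = struct.pack(">Q", max(0, int(at) // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, submitted, at, drift_steps=1):
    """Accept codes from the current step and +/- drift_steps, compared in constant time."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, at + d * STEP)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    # Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))  # last six digits of the RFC vector for T=59
    now = time.time()
    print(verify(rfc_secret, totp(rfc_secret, now), now))
```

Both sides derive the code from the same shared secret and the clock, so device clock drift beyond the accepted window makes valid codes fail.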

Activate MFA login on your device

  1. Verify that the MFA application is installed on your device.

  2. Go to Administration > Access Management > Authentication, and then select Multi-Factor Authentication (MFA).

  3. Click Show QR Code, and then scan the QR code with the MFA application on your smartphone.

  4. Enter the generated code. The code is automatically saved, and a Setup Successful confirmation message appears.

  5. To activate MFA for all users, click the Activate MFA for all toggle to enable (blue) or disable (gray) MFA.

    A confirmation message appears.

  6. Click Proceed.

  7. Click Save Changes.

Log in with MFA

To log in with MFA, do the following:

  1. Go to the Clumio login page, enter your email in the Registered Email Account field, and then click Next.

  2. Select the organization that you want to log into from the Select Organization list.

  3. Enter your password and then click Login.

    You will be prompted to enter a six-digit authentication code.

  4. Get the code from the authentication app on your smartphone. If you have not already authenticated with your app, use your app to scan the QR code shown on the login screen.

  5. Enter the code and then click Verify Code.

    You are now logged on to Clumio.
