End-user Authentication - Login Management

Modified on Tue, 10 Mar at 6:17 PM



Introduction


Access to iPassport by the users registered in an account can be controlled in several ways to help you keep your data secure.

  • You can configure password complexity:
    • iPassport allows each account to customise their password complexity settings to force users to include a non-alphanumeric character, number or uppercase letter in their passwords. 
    • You can declare the number of failed login attempts you wish to allow and a lockout period.
  • The system enforces these settings:
    • When a user is changing their password the system will notify them if their new password does not match the requirements.
    • After the password preferences have been changed, the system will also inform users when they log into the system if their password does not match the new requirements and will prompt them to update it.
  • You can set up Two-Factor Authentication (2FA) and use apps to produce the verification codes.
  • If you have a SAML single-sign-on service in your organisation, you can add iPassport to it.




User Logon Settings


Navigate to Administration -> Settings -> System Settings -> User Logon Settings.


  • ‘Block re-use of previous password’. When checked, a user can never reuse a password that they have previously used within iPassport.

  • ‘Lockout period (in minutes) after maximum failed consecutive logins reached’. If a ‘Maximum consecutive failed logins before locking user account’ value is set, the admin can define here how long the user stays locked out after reaching the maximum number of failed logins, before they are allowed to try again.

  • ‘Login Strategy’ sets which strategy will be used to log users in. This applies to the whole account.

    • iPassport Login - the standard username and password login.

    • 2-Factor Authentication Login

    • SAML/ADFS

  • ‘Maximum consecutive failed logins before locking user account’ sets how many consecutive failed logins a user can make before being locked out of the system. If a lockout period is set, the system unlocks the user’s account after that time has passed, or an admin can unlock the user manually.

  • ‘Minimum Password Length’ is used to configure the minimum number of characters in a user’s password.

  • ‘Password Expires after (days)’ is used to force users to change their passwords after a given number of days. Use 0 if the password should never expire.

  • ‘Password should include a non alphanumeric character’ forces the user’s password to contain at least one special character (for example @, &, <, =).

  • ‘Password should include a number’ forces a user’s password to contain at least one number.

  • ‘Password should include an uppercase letter’ forces a user to have at least one uppercase letter in their password.
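The settings above combine into one login policy: complexity checks at password change, a forced change at login when the password no longer meets a changed policy or has expired, and a lockout after consecutive failures that clears after the lockout period or when an admin unlocks the user. The following is an added example that models that policy; it is not iPassport's code, and the setting names, defaults and the PBKDF2 storage of password history are assumptions chosen to mirror the options on this page.

```python
"""Model of the User Logon Settings above: password complexity, blocking of re-used
passwords, expiry, and lockout after consecutive failures with a timed unlock.
Added example, not iPassport's code; setting names and defaults are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonSettings:
    min_length: int = 8
    require_non_alnum: bool = True
    require_number: bool = True
    require_upper: bool = True
    block_reuse: bool = True
    password_expires_days: int = 90   # 0 = never expires
    max_failed_logins: int = 5        # consecutive failures before lockout
    lockout_minutes: int = 15         # 0 = locked until an admin unlocks the user


def _hash(pw: str, salt: bytes) -> bytes:
    # Current and historic passwords are kept only as salted PBKDF2 hashes.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)


def _matches(pw: str, stored: tuple[bytes, bytes]) -> bool:
    salt, digest = stored
    return hmac.compare_digest(_hash(pw, salt), digest)


@dataclass
class Account:
    history: list[tuple[bytes, bytes]]   # (salt, hash) pairs, newest last
    password_set_at: datetime
    failed_logins: int = 0
    locked: bool = False
    locked_until: datetime | None = None


def password_violations(pw: str, s: LogonSettings, history=()) -> list[str]:
    """List the requirements `pw` fails to meet; an empty list means it is acceptable."""
    problems = []
    if len(pw) < s.min_length:
        problems.append(f"at least {s.min_length} characters")
    if s.require_non_alnum and all(c.isalnum() for c in pw):
        problems.append("a non-alphanumeric character")
    if s.require_number and not any(c.isdigit() for c in pw):
        problems.append("a number")
    if s.require_upper and not any(c.isupper() for c in pw):
        problems.append("an uppercase letter")
    if s.block_reuse and any(_matches(pw, h) for h in history):
        problems.append("a password not used before")
    return problems


def new_account(pw: str, now: datetime) -> Account:
    salt = secrets.token_bytes(16)
    return Account(history=[(salt, _hash(pw, salt))], password_set_at=now)


def change_password(acct: Account, new_pw: str, s: LogonSettings, now: datetime) -> list[str]:
    """Apply the change only if the new password meets the current policy; return problems."""
    problems = password_violations(new_pw, s, acct.history)
    if not problems:
        salt = secrets.token_bytes(16)
        acct.history.append((salt, _hash(new_pw, salt)))
        acct.password_set_at = now
    return problems


def password_expired(acct: Account, s: LogonSettings, now: datetime) -> bool:
    if s.password_expires_days == 0:
        return False
    return now >= acct.password_set_at + timedelta(days=s.password_expires_days)


def unlock(acct: Account) -> None:
    """What the admin's 'Locked Out (Click to Unlock)' action does to the account."""
    acct.locked, acct.locked_until, acct.failed_logins = False, None, 0


def attempt_login(acct: Account, pw: str, s: LogonSettings, now: datetime) -> str:
    """Return 'locked', 'bad_password', 'ok' or 'ok_must_change'."""
    if acct.locked:
        if acct.locked_until is not None and now >= acct.locked_until:
            unlock(acct)                      # lockout period has passed
        else:
            return "locked"
    if not _matches(pw, acct.history[-1]):
        acct.failed_logins += 1
        if acct.failed_logins >= s.max_failed_logins:
            acct.locked = True
            if s.lockout_minutes > 0:
                acct.locked_until = now + timedelta(minutes=s.lockout_minutes)
            return "locked"
        return "bad_password"
    acct.failed_logins = 0
    # A correct password that no longer meets the (possibly changed) policy, or that has
    # expired, still logs the user in but forces a change, as described above.
    if password_expired(acct, s, now) or password_violations(pw, s):
        return "ok_must_change"
    return "ok"
```

Two design points worth noting: the failed-login counter is reset only by a successful login or an unlock, so it is genuinely consecutive, and the "must change" check at login reuses the same `password_violations` function as the change-password form, which is what lets a tightened policy catch existing passwords without storing them in clear.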


Unlocking Users


Note

Permission required: User Accounts: Enable/Disable (allows a user to enable and disable user accounts).


If the system has a locked out user, an admin with the permission above can unlock the user by navigating to Administration -> Users -> Search Users and setting the ‘Filter Locked/Not locked’ filter to ‘Locked’.



To unlock a user, click on ‘Locked Out (Click to Unlock)’ in the ‘Current Activity’ column. The system will ask you to confirm that you want to unlock the user; click ‘OK’ and a green banner will appear confirming the user is now unlocked.



Two Factor Settings


Two factor authentication adds an additional level of security to guard against password theft. When logging into iPassport, in addition to entering a username and password, users are sent a code via email. They copy and paste this code into the field in order to access the system.


When using two factor authentication, admin can choose to require code validation each time a user logs in, or only after a set number of days. For example, admin could ask their users to verify their identity using the email code once a week; the rest of the time they would log in normally.


To enable this feature, navigate to Administration -> Settings -> System Settings -> User Logon Settings -> Login Strategy dropdown field and select ‘2-Factor Authentication Login’.

Navigate to Administration -> Settings -> System Settings -> Two Factor Settings.


  • ‘Max Attempts’ sets how many times a user can enter an incorrect verification code before their account is locked.

  • ‘Remember Second Factor For (days)’ specifies the number of days before the user is asked to provide a second factor code again. Between logins within this period the user will not have to enter a second factor code; only their login and password will be required.

    Note
    If an admin changes this value, the new setting only takes effect when the original period expires. For example, if this was set to 30 days then users will be asked to enter a second factor code once, then 30 days later, and so on. If the admin then changes this value to 5 days, any user who has already entered a code will not be asked again for 30 days. The new 5-day period takes effect when they are next asked to enter a code.


  • ‘Second Factor Code Length’ specifies the number of digits in the second factor code sent to a user.
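The three settings above, together with the Note about changing the remember period, are modelled in the following added example. It is not iPassport's code: the names and defaults are assumptions, the code is returned to the caller instead of being emailed, and the example shows why a changed ‘Remember Second Factor For (days)’ value only applies at the next code prompt, because the period is stamped on the user's state when a code is accepted.

```python
"""Model of the Two Factor Settings above: a numeric emailed code of configurable
length, a Max Attempts limit, and a 'remember second factor' period whose change only
takes effect at the user's next code prompt (the behaviour the Note describes).
Added example, not iPassport's code; names and defaults are assumptions."""
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TwoFactorSettings:
    max_attempts: int = 3          # wrong codes allowed before the account locks
    remember_days: int = 30        # 0 = ask for a code on every login
    code_length: int = 6           # digits in the emailed code


@dataclass
class SecondFactorState:
    remembered_until: datetime | None = None
    pending_code: str | None = None
    failed_attempts: int = 0
    locked: bool = False


def generate_code(length: int) -> str:
    # Uniform random digits from the OS CSPRNG; never derived from time or user data.
    return "".join(secrets.choice("0123456789") for _ in range(length))


def needs_second_factor(state: SecondFactorState, now: datetime) -> bool:
    """True when the user must enter a code on this login."""
    return state.remembered_until is None or now >= state.remembered_until


def start_challenge(state: SecondFactorState, s: TwoFactorSettings) -> str:
    """Issue a new code (the product emails it; here it is returned to the caller)."""
    code = generate_code(s.code_length)
    state.pending_code = code
    state.failed_attempts = 0
    return code


def verify_code(state: SecondFactorState, s: TwoFactorSettings,
                entered: str, now: datetime) -> str:
    """Return 'ok', 'bad_code', 'locked' or 'no_challenge'."""
    if state.locked:
        return "locked"
    if state.pending_code is None:
        return "no_challenge"
    if hmac.compare_digest(entered.encode(), state.pending_code.encode()):
        state.pending_code = None
        state.failed_attempts = 0
        # The remember period is fixed from the setting in force now; a later change to
        # remember_days neither shortens nor extends an already granted period.
        state.remembered_until = (
            now + timedelta(days=s.remember_days) if s.remember_days > 0 else None
        )
        return "ok"
    state.failed_attempts += 1
    if state.failed_attempts >= s.max_attempts:
        state.locked = True
        state.pending_code = None          # a locked account cannot keep guessing
        return "locked"
    return "bad_code"
```

The code comparison uses a constant-time compare and the pending code is discarded on lockout, so the Max Attempts limit bounds the number of guesses against any single emailed code.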


Configuring a 2-Factor Authenticator App


For information on how to set up an authenticator app to produce verification codes, please refer to the section 'Configure 2-Factor Authenticator App' of the article Personal Preference Management - My Profile.


SAML/ADFS


What is SAML


SAML is an authentication method that allows you to integrate your Single Sign-On solution with different Service Providers, for example iPassport. This lets you control who can and cannot log into your iPassport instance. In addition to this, your users only have to remember one password.


Using SAML allows you to easily restrict access to the linked service when a member of staff leaves, as your IT will only have to disable their SAML account to stop the user from logging into iPassport.


Warning

Please Note: The user account in iPassport will not be disabled automatically; your iPassport administrator will have to do this. However, the user will not be able to log in once their SAML account is suspended.


Identity Provider SAML Configuration Metadata


If you want to start using SAML as your authentication method in iPassport, you will first need to configure your SSO solution to allow iPassport to authenticate users. Each iPassport customer has their own unique configuration and the easiest way to configure your Identity Provider is to upload the XML metadata file. The metadata can be found by entering the following URL in your browser:


https://<YOUR ACCOUNT DOMAIN>.ipassportqms.com/user/auth/saml/metadata


For example, if your account domain is tgh, then the link you will enter is:


https://tgh.ipassportqms.com/user/auth/saml/metadata


This URL is provided by the system in the 'SAML Overview' section at the top of the 'SAML Configuration' tab.

Once your IT department configures the Identity Provider (IdP) you will be able to configure the iPassport side.


Configure iPassport to use SAML


Navigate to Administration > Settings > System Settings > SAML Configuration


The SAML configuration page is organised into a guided, step-by-step setup.


Step 1 — Authentication User Key


The Authentication User Key tells iPassport which attribute to use when identifying the user from the SAML response. Select one of the following options:


  • Email Address (recommended) — matches users by their email address registered in iPassport.
  • Persistent NameID — matches users by the Unique User Identifier (UID) in their iPassport user profile.
  • Unspecified — matches users by UID (same as Persistent, but uses the unspecified name format).


Warning
Which option you choose will depend on how your IT have configured the IdP and which fields it will send to iPassport after a user is authenticated. Please consult your IT team.


Step 2 — SAML Server Configuration


There are two ways to configure your SAML connection: Managed Mode (recommended) or Manual Mode.


Option A: Managed Mode (Recommended)


Managed Mode automatically keeps your SSO URL and signing certificates up to date by periodically refreshing them from your IdP metadata URL.


  1. Paste the Metadata URL — Enter the metadata URL provided by your IdP into the Metadata URL field. This must be an https:// URL.
  2. Validate — Click the Validate Metadata URL button. iPassport will fetch the metadata and verify it contains valid SAML configuration. You will see a success or error message.
  3. Enable Managed Mode — Once validation succeeds, toggle Managed Mode on. The SSO URL and signing certificates will now be automatically managed from the metadata.
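The validation step above has to confirm that the URL is https://, that the document behind it is an identity provider's metadata, and that it contains an SSO URL and at least one signing certificate; the daily refresh then has to notice certificates that were not there before. The following added example models those checks offline over a constructed metadata document. It is not iPassport's code: the sample XML, the placeholder certificate bytes inside it and the function names are all constructed for this illustration.

```python
"""Offline model of what 'Validate Metadata URL' has to establish: the URL is https://,
the document is an identity provider's EntityDescriptor, and it yields an SSO URL plus at
least one signing certificate, identified by its SHA-256 fingerprint. Added example, not
iPassport's code; the sample metadata and the certificate bytes inside it are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def is_https_url(url: str) -> bool:
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def validate_metadata_url(url: str) -> str:
    """Managed Mode only accepts https:// metadata URLs; reject anything else up front."""
    if not is_https_url(url):
        raise ValueError("Metadata URL must be an https:// URL")
    return url


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the certificate's DER bytes, the identifier shown on each card."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("metadata is not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an identity provider)")
    sso_urls = [
        svc.get("Location")
        for svc in idp.findall("md:SingleSignOnService", NS)
        if svc.get("Binding") in SSO_BINDINGS
    ]
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                signing.append(fingerprint(cert.text))
    if not sso_urls or not signing:
        raise ValueError("metadata must contain an SSO URL and a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_urls": sso_urls,
            "signing_fingerprints": signing}


def pending_after_refresh(known_fingerprints: set, parsed: dict) -> set:
    """Daily refresh: certificates not seen before appear as pending for manual activation."""
    return set(parsed["signing_fingerprints"]) - set(known_fingerprints)


# Constructed sample metadata; the certificate payloads are placeholder bytes, not real DER.
_SIGNING_DER = b"constructed signing certificate bytes (not real DER)"
_ENCRYPTION_DER = b"constructed encryption certificate bytes (not real DER)"
SIGNING_FINGERPRINT = hashlib.sha256(_SIGNING_DER).hexdigest()
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(_SIGNING_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(_ENCRYPTION_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".strip()
```

Note that the encryption-only KeyDescriptor is deliberately excluded: only certificates that can sign responses belong in the list a Service Provider trusts, and treating every certificate in the metadata as a signing certificate would widen that trust for no reason.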


Note

When Managed Mode is active, iPassport automatically refreshes the metadata daily. New certificates found in the metadata will appear as pending and require manual activation in the certificate list. The settings page shows the Last refresh timestamp and any errors from the most recent refresh.


Option B: Manual Mode


If your IdP does not provide a metadata URL, you can configure SAML manually:


  • SAML Server Address — Enter the SSO URL (the IP address or URL to your IdP server).
  • Add Manual Certificate — Click the Add Manual Certificate button and paste the X.509 PEM certificate provided by your IT team.
  • Upload Metadata XML — Alternatively, click Upload Metadata XML to upload an XML metadata file. This will prefill the SSO URL and certificates without enabling Managed Mode.


Note

When using Manual Mode, you are responsible for updating the SSO URL and certificates whenever your IdP changes them (e.g. during certificate rotation).


Certificate Management


Certificates are now displayed as individual cards, each showing:


  • SHA-256 fingerprint — a unique identifier for the certificate.
  • Status — Active (green), Inactive (grey), or Expired (red).
  • Valid from / Expires — the certificate validity period.
  • Source — how the certificate was added (Metadata URL, Uploaded XML, or Manually added).


Each certificate has action buttons:


  • Activate — enable the certificate for use (cannot activate expired or not-yet-valid certificates).
  • Deactivate — disable the certificate (cannot deactivate the last active certificate when SSO is enabled).
  • Remove — delete the certificate (with confirmation dialog).


A summary line shows the total number of certificates and how many are currently active.
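The card rules above (status colours, which certificates may be activated or deactivated, confirmed removal, the summary line) are modelled in the following added example, which also applies the 7-day and 45-day expiry thresholds described under ‘Admin Warnings’ later in this article. It is not iPassport's code: the certificates are constructed records rather than parsed X.509 data, the method names are assumptions, and the choice to raise expiry warnings only for active certificates is an assumption made for the example.

```python
"""Model of the certificate cards above: status, the activate / deactivate / remove
rules, the summary line, and the expiry thresholds listed under 'Admin Warnings' later
in this article. Added example, not iPassport's code; the certificates are constructed
records rather than parsed X.509 data, and which certificates trigger the expiry
warnings (here: active ones) is an assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Certificate:
    fingerprint: str          # SHA-256 of the DER bytes, as shown on the card
    valid_from: datetime
    expires: datetime
    source: str               # "Metadata URL", "Uploaded XML" or "Manually added"
    active: bool = False      # new certificates start pending (inactive)


def status(c: Certificate, now: datetime) -> str:
    """Card status: Expired (red), Active (green) or Inactive (grey)."""
    if now >= c.expires:
        return "Expired"
    return "Active" if c.active else "Inactive"


class CertificateStore:
    def __init__(self, sso_enabled: bool) -> None:
        self.certs: dict[str, Certificate] = {}
        self.sso_enabled = sso_enabled

    def add(self, c: Certificate) -> None:
        self.certs[c.fingerprint] = c       # keyed by fingerprint, so re-adding is harmless

    def active_count(self) -> int:
        return sum(1 for c in self.certs.values() if c.active)

    def activate(self, fp: str, now: datetime) -> str:
        c = self.certs[fp]
        if now >= c.expires:
            return "cannot activate an expired certificate"
        if now < c.valid_from:
            return "cannot activate a certificate that is not yet valid"
        c.active = True
        return "activated"

    def deactivate(self, fp: str) -> str:
        c = self.certs[fp]
        if self.sso_enabled and c.active and self.active_count() == 1:
            return "cannot deactivate the last active certificate while SSO is enabled"
        c.active = False
        return "deactivated"

    def remove(self, fp: str, confirmed: bool) -> str:
        if not confirmed:                   # the UI asks for confirmation first
            return "removal not confirmed"
        del self.certs[fp]
        return "removed"

    def summary(self) -> str:
        return f"{len(self.certs)} certificates, {self.active_count()} active"

    def warnings(self, now: datetime, metadata_url: str | None) -> list[str]:
        """Banners an administrator would see, using the 7-day and 45-day thresholds."""
        out = []
        for c in self.certs.values():
            short = c.fingerprint[:12]
            if c.active and now < c.expires:
                left = c.expires - now
                if left <= timedelta(days=7):
                    out.append(f"admin banner: certificate {short} expires within 7 days")
                if left <= timedelta(days=45):
                    out.append(f"settings page: certificate {short} expires within 45 days")
            elif (not c.active and c.source == "Metadata URL"
                  and c.valid_from <= now < c.expires):
                out.append(f"settings page: new certificate {short} from metadata needs activation")
        if not metadata_url:
            out.append("admin banner: Metadata URL is not set; certificate updates must be done manually")
        return out
```

The "last active certificate" rule is the one that matters operationally: with SSO as the only login strategy, deactivating the final active certificate would leave every SAML response unverifiable and lock all users out, which is exactly the situation the ‘Allow Local Login’ checkbox further down exists to avoid.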


Allow Local Login (Lockout Prevention)


When setting up or testing SAML, you can enable the Temporarily allow local login while testing SAML checkbox. This displays both the SSO button and the traditional username/password form on the login page, so you can test SSO without risking being locked out of iPassport.


When enabled, a warning banner appears on both the settings page and the login page reminding you to disable local login once SSO is confirmed working.


Warning

Remember to disable the "Allow local login" option once you have confirmed SSO is working correctly. Leaving it enabled reduces the security benefit of single sign-on.


Login Page


When SAML is the login strategy, the login page displays a prominent Sign in with SAML (SSO) button. If Allow Local Login is also enabled, the traditional username/password form is shown alongside the SSO button.


SSO Error Messages


iPassport now provides specific error messages when SSO sign-in fails, to help you diagnose issues quickly:


  • ‘SSO certificate has expired’: The signing certificate configured in iPassport has expired. Update it with the new certificate from your IdP.
  • ‘SSO certificate is missing or expired’: No valid active certificate is configured. Add or activate a certificate.
  • ‘SSO certificate does not match’: The certificate used by your IdP to sign the response does not match any active certificate in iPassport. Check that the correct certificate is configured.
  • ‘SSO issuer does not match’: The identity provider in the SAML response does not match the configured SSO URL. Verify your SAML Server Address or Metadata URL.
  • ‘SSO response is not valid yet / has expired’: There is a clock skew between your IdP and iPassport. Check system clocks on both sides.
  • ‘SSO response is missing the required user identifier’: The SAML response did not include the expected attribute. Check that the Authentication User Key setting matches your IdP configuration.
  • ‘SSO sign-in failed’: The user could not be found in iPassport. Verify the Authentication User Key setting and ensure the user exists with a matching identifier.
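Each message above corresponds to one check that a Service Provider performs on an incoming SAML response, and the order of those checks determines which message a given failure produces. The following added example shows that decision order over a simplified response record. It is not iPassport's code: it assumes the response has already been parsed and its XML signature verified against the certificate named by `signing_fingerprint`, the five-minute clock tolerance is an assumption, and the configuration, users and responses are constructed.

```python
"""The decision order behind the SSO error messages listed above, applied to a simplified
response record. Added example, not iPassport's code; it assumes the SAML response has
already been parsed and its XML signature verified against the certificate identified by
`signing_fingerprint`, and the configuration and responses below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass
class SamlConfig:
    issuer: str                          # expected IdP identity (from the SSO URL / metadata)
    user_key: str                        # "email", "persistent" or "unspecified"
    active_certs: dict[str, datetime]    # fingerprint -> expiry of each active certificate
    known_users: dict[str, set[str]]     # user_key -> identifiers of users present in iPassport


@dataclass
class SamlResponse:
    issuer: str
    signing_fingerprint: str             # certificate that signed the response
    not_before: datetime
    not_on_or_after: datetime
    attributes: dict[str, str]           # identifiers carried by the assertion


def variant(r: SamlResponse, **changes) -> SamlResponse:
    """Copy a response with some fields altered (used to build failing cases)."""
    return replace(r, **changes)


def check_sso_response(r: SamlResponse, cfg: SamlConfig, now: datetime,
                       skew: timedelta = timedelta(minutes=5)) -> str:
    """Return 'ok' or the page's error message for the first failing check."""
    valid = {fp for fp, expires in cfg.active_certs.items() if expires > now}
    if cfg.active_certs and not valid:
        return "SSO certificate has expired"
    if not valid:
        return "SSO certificate is missing or expired"
    if r.signing_fingerprint not in valid:
        return "SSO certificate does not match"
    if r.issuer != cfg.issuer:
        return "SSO issuer does not match"
    # Allow a small clock tolerance; anything beyond it is reported as a skew problem.
    if now + skew < r.not_before:
        return "SSO response is not valid yet"
    if now - skew >= r.not_on_or_after:
        return "SSO response has expired"
    ident = r.attributes.get(cfg.user_key)
    if not ident:
        return "SSO response is missing the required user identifier"
    # Email matching is case-insensitive; UIDs are compared exactly.
    ident = ident.lower() if cfg.user_key == "email" else ident
    if ident not in cfg.known_users.get(cfg.user_key, set()):
        return "SSO sign-in failed"
    return "ok"
```

The certificate and issuer checks come before the time and identifier checks on purpose: a response whose signature cannot be tied to a trusted certificate should be rejected without its contents being consulted at all, which is also why the user lookup is the last step.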


Admin Warnings


When an administrator signs in with SAML enabled, iPassport may display warning banners if:


  • A signing certificate is expiring within 7 days.
  • The Metadata URL is not set (certificate updates will need to be done manually).
  • A signing certificate has been missing from the metadata for 7 days.


The SAML settings page also shows contextual warnings when:


  • Certificates are expiring within 45 days.
  • New certificates from the metadata need activation.
  • Managed Mode is being disabled.


Enabling SAML as the Login Strategy


Once you have configured the SAML settings, navigate to Administration > Settings > System Settings > User Logon Settings.


From the Login Strategy dropdown select the SAML/ADFS option and click Save.


Warning

When changing SAML settings, keep another session open (or use a second browser) so you can revert changes if sign-in fails. Alternatively, enable the "Allow local login" toggle before making changes.
