Access Control

The Access Control settings section lets you configure the security-related aspects of the Identity and Access Management module.

In this article, you can find instructions on:

  • Password settings - To define the strength of user’s passwords
  • IP allow-listing - To define the list of IP addresses from which users can log in to your business profile
  • Two-factor authentication - To require every user added to your business profile to confirm each login with a code from a mobile authentication app
  • Domain management - Required if you want greater capabilities to manage users (registered within a verified domain) in your business profile
  • Single sign-on - To allow users to authenticate once with your IdP and then access Synerise or other enabled Service Providers, without the necessity to authenticate with each of those applications separately.
List of the Access Control features

Prerequisites


  • You must be granted a set of permissions that allow access to Settings and editing within this module.
  • For Two-factor authentication: Download any Time-Based One-Time Password (TOTP) authentication mobile app (applies to all users of a business profile in which this type of authentication is enforced).
  • For Managed domains: You must have access to the domain's DNS management or to the root folder of the web hosting behind the domain.
  • For Single sign-on:
    • You must verify the ownership of at least one domain (more if needed).
    • Create a backup user whose email address does not exist in the Identity Provider, so that you keep access to the profile if the IdP integration breaks. This is not required if you start with the Allow signing in with both methods authentication mode (explained here).
    • You must be granted user permissions to access Settings and configure the Identity provider.
    • You must have access to the Identity Provider's admin panel to configure the SAML application.
Note:
You will need data from the Identity Provider. For details on configuring the IdP's application, refer to the IdP's documentation.

Configuring password policy


This section lets you define the password policy for a business profile. The policy defined here is applied when a user changes their password in the Change password section of Account Security.

If a user belongs to more than one business profile, the strongest password policy among those business profiles is applied to that user.

Example of a password policy
  1. Go to Settings icon Settings > Access Control.
  2. In the Password settings section, click Show.
  3. In the Length section, to define the minimum and maximum number of characters in a password, use the slider.
  4. In the Characters section:
    1. To require uppercase characters in a password, switch the Uppercases (A-Z) toggle on and enter the minimum number.
    2. To require lowercase characters in a password, switch the Lowercases (a-z) toggle on and enter the minimum number.
    3. To require digits in a password, switch the Numbers (0-9) toggle on and enter the minimum number.
    4. To require special characters in a password, switch the Symbols toggle on and enter the minimum number. The allowed special characters are: !"#$%&'()*+,-./:;<=>?@[\]^_{|}~
  5. In the Login and validity rules:
    1. To define if and when a password expires, switch the Password expires after (days) toggle on and enter the number.
    2. To define when an account is blocked due to the password expiration, switch the Account block after (days) toggle on and enter the number.
      When an account is blocked due to this setting, the user must reset a password.
    3. To force variety of passwords, switch the Password should be different then X lasts toggle on and enter the number of previous passwords that cannot be used as a new password.
    4. To define the number of unsuccessful logins that temporarily blocks an account, switch the Attempts to login before block account toggle on and enter the number.
    5. To define the time after which an inactive user is logged out, switch the Logout after x seconds of being idle toggle on and enter the number.
  6. Confirm the changes by clicking Apply in the upper-right corner of the section (you may need to scroll up).
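The following is an added example, not Synerise's code: a checker for a password policy with the rules described in the steps above, plus the "strongest policy wins" merge that applies to a user who belongs to several business profiles. The field names, the hashing parameters for the password-history store, and the rule that any character outside the four listed classes is rejected are this example's own assumptions.

```python
# Added example (not Synerise's code): a checker for a password policy with the
# rules described on this page, plus the "strongest policy wins" merge the page
# describes for users who belong to several business profiles.
# Field names and hashing parameters are this example's own assumptions.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# The special characters the page lists as allowed (assumed exhaustive: any
# character outside the four classes is rejected).
ALLOWED_SYMBOLS = frozenset('!"#$%&\'()*+,-./:;<=>?@[\\]^_{|}~')


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_upper: int = 0        # Uppercases (A-Z)
    min_lower: int = 0        # Lowercases (a-z)
    min_digits: int = 0       # Numbers (0-9)
    min_symbols: int = 0      # Symbols
    history: int = 0          # must differ from the last N passwords
    expires_after_days: Optional[int] = None


def strongest_policy(policies: Sequence[PasswordPolicy]) -> PasswordPolicy:
    """Take the strictest value of every rule across the user's profiles."""
    expiries = [p.expires_after_days for p in policies if p.expires_after_days is not None]
    merged = PasswordPolicy(
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_upper=max(p.min_upper for p in policies),
        min_lower=max(p.min_lower for p in policies),
        min_digits=max(p.min_digits for p in policies),
        min_symbols=max(p.min_symbols for p in policies),
        history=max(p.history for p in policies),
        expires_after_days=min(expiries) if expiries else None,
    )
    if merged.min_length > merged.max_length:
        raise ValueError("profile policies are mutually unsatisfiable")
    return merged


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 digest for the password-history store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_password(password: str, policy: PasswordPolicy,
                   previous: Sequence[Tuple[bytes, bytes]] = ()) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable."""
    problems: List[str] = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    upper = sum("A" <= c <= "Z" for c in password)
    lower = sum("a" <= c <= "z" for c in password)
    digits = sum("0" <= c <= "9" for c in password)
    symbols = sum(c in ALLOWED_SYMBOLS for c in password)
    if upper + lower + digits + symbols != len(password):
        problems.append("contains a character outside the allowed set")
    for name, have, need in (("uppercase", upper, policy.min_upper),
                             ("lowercase", lower, policy.min_lower),
                             ("digit", digits, policy.min_digits),
                             ("symbol", symbols, policy.min_symbols)):
        if have < need:
            problems.append(f"needs at least {need} {name} character(s)")
    if policy.history > 0:
        # Only the most recent N entries count; compare digests in constant time.
        for salt, digest in list(previous)[-policy.history:]:
            if hmac.compare_digest(hash_password(password, salt)[1], digest):
                problems.append(f"must differ from the last {policy.history} passwords")
                break
    return problems
```

The merge takes the maximum of every minimum and the minimum of every maximum, which is what "strongest policy" has to mean for this rule set; two profiles whose length bounds do not overlap make the merged policy unsatisfiable, so the example raises instead of silently producing a policy nobody can meet.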

IP allow-listing


IP allow-listing lets you define the IP addresses from which a business profile in Synerise may be accessed. Together with two-factor authentication and the password policy, it strengthens the security of the business profile: even valid credentials are accepted only when the login comes from an approved address.

Within this option, the users can define:

  1. The list of allowed IP addresses
  2. Access to a business profile for Synerise subnets
Configuration of IP allow-listing
  1. Go to Settings icon Settings > Access Control.
  2. In the Security section, next to IP allow-listing, click Show.
  3. In Give access to selected IP addresses section, the Allow selected IP toggle is off by default (users can access a business profile from various IP addresses). To define the list of IP addresses only from which users can access the business profile, switch the toggle on.
    Result: A text field appears.
  4. In the text field enter an IP address.
  5. Confirm by clicking Add address.
  6. To add more addresses, repeat steps 4 and 5.
  7. Optionally, you can allow or block access to your business profile from Synerise subnets (used by Synerise support). This option is on by default.
    WARNING:
    Remember that after you confirm the list of allowed IP addresses, users who access the business profile from addresses other than those specified lose access. Make sure the address you are currently working from is on the list before you apply it, or you may lock yourself out.
  8. To confirm all settings, click Apply.
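The following is an added example, not Synerise's code: an allow-list check with the two behaviours described above (the customer-defined address list and the separately toggled vendor support subnets) and a lock-out guard for the warning in step 7. The support subnet and all client addresses are constructed documentation ranges; the real Synerise subnets are not published on this page.

```python
# Added example (not Synerise's code): the allow-list check described on this
# page, with the customer's own address list and the separately toggled vendor
# support subnets. All addresses are constructed documentation ranges.
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Stand-in for the vendor's support subnets (constructed).
SUPPORT_SUBNETS = ("198.51.100.0/24",)


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Accept single addresses or CIDR ranges; reject anything else loudly."""
    nets: List[Network] = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid allow-list entry {raw!r}: {exc}") from exc
    return nets


def _normalize(client_ip: str) -> Address:
    """Map IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so an IPv4 rule matches it."""
    ip = ipaddress.ip_address(client_ip.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class IpAllowList:
    def __init__(self, entries: Iterable[str], enabled: bool = True,
                 allow_support: bool = True,
                 support_subnets: Iterable[str] = SUPPORT_SUBNETS) -> None:
        self.enabled = enabled                 # "Allow selected IP" toggle
        self.allow_support = allow_support     # Synerise subnets toggle (on by default)
        self.networks = parse_allow_list(entries)
        self.support = parse_allow_list(support_subnets)

    def permits(self, client_ip: str) -> bool:
        """client_ip must be the connection's real source address (or a value
        from a proxy header you control), never an unauthenticated
        X-Forwarded-For header, or the check is trivially bypassed."""
        if not self.enabled:
            return True
        ip = _normalize(client_ip)
        if self.allow_support and any(ip in net for net in self.support):
            return True
        return any(ip in net for net in self.networks)


def safe_to_apply(candidate: IpAllowList, admin_ip: str) -> bool:
    """Lock-out guard: refuse to apply a list that would not admit the address
    the administrator is applying it from."""
    return candidate.permits(admin_ip)
```

Call safe_to_apply with the administrator's current source address before saving a new list; it is the programmatic form of the warning above.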

Two-factor authentication (2FA)


This type of authentication requires a user to log in to the Synerise application with extra credentials. Apart from the standard ones such as login (an email address) and password, a user must use a code generated by an authentication application on their device (a mobile phone). It increases security by preventing unwanted users from accessing a business profile.

Enforcing 2FA for a business profile

This procedure describes enforcing 2FA for a business profile. As a result, every user of the business profile must log in with the security code in addition to the standard credentials.

WARNING:
After 2FA is enforced in a business profile, users without the authentication app cannot access the business profile.
The Access Control section
  1. Go to Settings icon Settings > Access Control.
  2. In the Two-factor authentication section, to enforce this type of authentication, click Enable.

Disabling 2FA for a business profile

  1. Go to Settings icon Settings > Access Control.
  2. In the Two-factor authentication section, to switch off this type of authentication, click Disable.
  3. Enter the backup code (it was generated when you enabled the two factor authentication).
  4. Confirm by clicking Disable.
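The following is an added example, not Synerise's code and not a description of how Synerise implements 2FA: server-side verification of the codes a TOTP app produces (RFC 6238 with SHA-1, a 30-second step and 6 digits, the defaults of common authenticator apps), with drift tolerance and replay protection, plus single-use backup codes of the kind the disabling procedure above relies on. The secret is the RFC 6238 test vector; the backup-code format is an assumption.

```python
# Added example (not Synerise's code): verifying TOTP codes (RFC 6238) and
# single-use backup codes on the server side.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Set, Tuple


def decode_base32_secret(text: str) -> bytes:
    """Secrets are shown to users in base32; tolerate spaces, case and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = at // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                window: int = 1, last_used_counter: Optional[int] = None,
                step: int = 30) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    `window` tolerates clock drift between phone and server (+-1 step).
    `last_used_counter` must be persisted per user and passed back in: a
    counter that was already accepted is refused, so a code sniffed from one
    login cannot be replayed within its validity window."""
    now = int(time.time()) if now is None else now
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit()):
        return None
    base = now // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(totp(secret, counter * step, step=step), submitted):
            if last_used_counter is not None and counter <= last_used_counter:
                return None
            return counter
    return None


def new_backup_codes(count: int = 8) -> Tuple[List[str], Set[str]]:
    """Return (codes to show the user once, hashes to store). The codes are
    random and high-entropy, so a plain SHA-256 is adequate for storage."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(submitted: str, stored: Set[str]) -> bool:
    """Constant-time match against every stored hash; a matched code is
    deleted so it can be used only once."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for candidate in list(stored):
        if hmac.compare_digest(candidate, digest):
            stored.discard(candidate)
            return True
    return False
```

The window is deliberately one step in each direction: a wider window does not fix a badly drifted phone, it only lengthens the time an intercepted code stays valid. Persisting the last accepted counter is what turns "time-based" into "one-time".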

Enforcing 2FA for a single user

Find the procedure under this link.

Managed domains


The Managed domains feature facilitates the process of domain verification, which is necessary to prove ownership of a given domain and user accounts that are or will be registered with that domain. After a successful domain verification, Synerise will assign that domain to your profile, automatically link the user accounts under that domain with your profile and, as a result of the process, enable central management of user accounts in your profile.

Note:
You may verify more than one domain, if required.

Example: Let's assume you are the owner of the example.org domain and your users have accounts such as john.doe@example.org and jane.doe@example.org. After you verify the ownership of the example.org domain, all users with email addresses in the @example.org domain are managed in your business profile and you have full rights to manage their accounts (see Benefits below for details). Users from other domains can be invited to the business profile as Guests; you can remove their access to the profile, but nothing else.

However, the Guest accounts will still be forced to:

The domain verification can be done in two ways:

  1. Verifying a domain through adding a TXT entry to the DNS
  2. Verifying a domain through uploading an HTML file to your web server (HTTPS)

Benefits

Once verified, a managed domain will let you perform the following actions on accounts from that domain:

Verifying domains by adding a TXT entry to the DNS

This verification method involves copying a TXT record and adding it to your domain's DNS. When you confirm, Synerise queries the domain's DNS for that TXT record.

If the record is missing, you are notified about it. The domain then remains unverified until the record is found and you verify ownership again.

DNS entry verification

In order to verify your domain ownership through a DNS entry:

  1. Go to Settings icon Settings > Access Control.
  2. In the Manage domain section, click Show.
  3. Click Verify domain.
    Result: A pop-up appears.
  4. On the pop-up, select DNS.
  5. Copy the verification code.
  6. Go to your DNS host and add a new TXT record with the previously copied code (exemplary code: synerise-domain-verification=d0b010a9-01de-4cba-af05-dffcf5c6beb3):
    • Record type: TXT
    • Alias/Host/Name: leave it blank or enter @ (depending on your provider)
    • Time to live: leave it at default
  7. In the Domain name field, enter the name of the domain, for example, synerise.com, test.com, and so on.
  8. Confirm by clicking Verify.
    WARNING:
    DNS changes may take up to 24 hours to propagate, depending on your DNS host. You may need to wait before your domain is verified.
    Result: Your domain is verified. User accounts with the verified domain become manageable in the business profile in Settings icon Settings > Users.
A verified domain

Verifying domains by uploading an HTML file to your web server (HTTPS)

This method involves uploading an HTML file (which you can download from Synerise) to your web server. For security reasons, the system periodically checks the file. If it’s not in the root folder, the domain will not maintain its verified status.

Before you use this method, make sure that:

  • You use the HTTPS protocol (this is mandatory).
  • The certificate is issued by a publicly trusted certificate authority; self-signed certificates are rejected.
HTTPS entry verification

In order to verify your domain ownership by using an HTML file:

  1. Go to Settings icon Settings > Access Control.
  2. In the Manage domain section, click Show.
  3. Click Verify domain.
    Result: A pop-up appears.
  4. On the pop-up, select HTTPS.
  5. Download the verification file.
  6. Upload it to the root folder of your domain’s website.
  7. In the Domain name field, enter the name of the domain, for example, synerise.com, test.com, and so on.
  8. Confirm by clicking Verify.

Result: Your domain is verified. User accounts with the verified domain become manageable in the business profile in Settings icon Settings > Users.
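The following is an added example, not Synerise's code: the two ownership checks described in the DNS and HTTPS sections above, written from the verifying service's side. The record prefix is taken from the page's example TXT record; the resolver and HTTPS client are injected so the logic runs offline against constructed data, and the default HTTPS client is standard-library code that rejects self-signed certificates as the page requires.

```python
# Added example (not Synerise's code): DNS TXT and HTTPS-file ownership checks.
import hashlib
import hmac
import ssl
import urllib.request
from typing import Callable, Sequence
from urllib.parse import urlsplit

TXT_PREFIX = "synerise-domain-verification="   # from the page's example record


def normalize_domain(domain: str) -> str:
    """Lower-case, strip a trailing dot, and refuse anything that is not a bare host name."""
    d = domain.strip().lower().rstrip(".")
    if not d or "/" in d or ":" in d or d.startswith("http"):
        raise ValueError(f"expected a bare domain name, got {domain!r}")
    return d


def txt_has_token(txt_records: Sequence[Sequence[str]], expected_token: str) -> bool:
    """txt_records: one entry per TXT record, each as the list of character-strings
    the resolver returned (long records arrive in <=255-byte chunks that must be
    joined). The token is compared exactly, so a record that merely starts with
    the expected value does not pass."""
    for chunks in txt_records:
        value = "".join(chunks).strip().strip('"')
        if not value.startswith(TXT_PREFIX):
            continue
        token = value[len(TXT_PREFIX):].strip()
        if hmac.compare_digest(token.encode(), expected_token.encode()):
            return True
    return False


def dns_verified(domain: str, expected_token: str,
                 resolve_txt: Callable[[str], Sequence[Sequence[str]]]) -> bool:
    return txt_has_token(resolve_txt(normalize_domain(domain)), expected_token)


def default_fetch(url: str) -> bytes:
    """HTTPS GET that validates the chain against the system trust store; a
    self-signed certificate fails here, which is the behaviour the page requires."""
    context = ssl.create_default_context()
    with urllib.request.urlopen(url, context=context, timeout=10) as resp:
        if urlsplit(resp.geturl()).scheme != "https":   # refuse a downgrade via redirect
            raise ValueError("verification must stay on https")
        return resp.read()


def https_verified(domain: str, filename: str, expected_body: bytes,
                   fetch: Callable[[str], bytes] = default_fetch) -> bool:
    """The file must sit in the site root: a filename containing a path is
    rejected, so a user who controls only /uploads/ on the host cannot pass."""
    if not filename or "/" in filename or filename.startswith("."):
        raise ValueError("verification file must be a plain filename in the site root")
    url = f"https://{normalize_domain(domain)}/{filename}"
    try:
        body = fetch(url)
    except Exception:          # TLS failure, 404, timeout: all mean "not verified"
        return False
    # Compare fixed-length digests so a near-miss body cannot be detected by timing.
    return hmac.compare_digest(hashlib.sha256(body).digest(),
                               hashlib.sha256(expected_body).digest())
```

Before clicking Verify you can confirm the record has propagated with `dig +short TXT example.org` and check that the joined value is exactly the one Synerise gave you.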

A verified domain

Deleting a verified domain

To remove a verified domain, click Remove next to the domain and verify that you want to remove it.

When you remove a domain from your list of verified domains, the users with that domain can no longer be managed.

Single Sign-on


The Single Sign-On feature allows you to integrate a third party Identity Provider and enable single sign-on (SSO). SSO allows a user to authenticate once with your IdP and then access Synerise or other enabled Service Providers, without the necessity to authenticate with each of those applications separately.

Synerise provides Security Assertion Markup Language (SAML) based single sign-on, so you can integrate with any Identity Provider (IdP) that uses the SAML 2.0 protocol, a widely accepted standard for exchanging authentication and authorization data between Synerise and Identity Providers such as Microsoft Azure AD, Google Workspace, Okta, and more.

Tip:
We prepared an instruction for implementing single sign-on with Azure AD. Read more here.

Understanding SAML-based SSO

In order to understand how SAML-based single sign-on works, take a look at the diagram below.

SAML-based SSO

Step 1. As a user, you attempt to access app.synerise.com (Service Provider) that normally requires login credentials to access it. Assuming you have configured SAML for your profile, it leads you to the Identity Provider (Step 2).

Step 2. Based on the provided user ID (e-mail), the Service Provider redirects the user to Identity Provider’s SSO Endpoint with a SAML authentication request (that has been built based on the configuration set for your Identity Provider in app.synerise.com).

Step 3. Identity Provider validates SAML authentication request received from the Service Provider and presents a user with the IdP’s login form (please note that it may be a password-less authentication for some identity providers, like for example Microsoft Azure)

Important:
The user may not be presented with the login form if there was already a valid session established previously, and the user is redirected to the application immediately (for example, with a different application using that Identity Provider).

Step 4. The Identity Provider generates a SAML response.

Step 5. The SAML response is passed through the user's browser to the Service Provider's redirect URI (the Assertion Consumer Service URL, shown in Synerise as Service provider redirect URI).

Step 6. The Service Provider validates the authenticity and integrity of the response: the signature against the uploaded IdP certificate, the issuer against the configured Entity ID, the audience, and the validity window within the configured clock skew. On success it issues an access token/cookie and the user is signed in to app.synerise.com.
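The following is an added example, not Synerise's code: building the AuthnRequest of Step 2 and sending it with each of the two request bindings the SAML protocol settings offer (HTTP REDIRECT and HTTP POST). Entity IDs and URLs are constructed; with Request signature enabled the Service Provider would additionally sign the request, which is omitted here because it needs the SP's private key.

```python
# Added example (not Synerise's code): a SAML 2.0 AuthnRequest and the two
# request bindings. Entity IDs and URLs are constructed.
import base64
import secrets
import zlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.sax.saxutils import escape, quoteattr

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(sp_entity_id: str, idp_sso_url: str, acs_url: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[datetime] = None) -> str:
    """The ID must be unique and unguessable; the SP stores it and later accepts
    only a Response whose InResponseTo equals a stored, unexpired ID."""
    request_id = request_id or "_" + secrets.token_hex(16)   # xsd:ID must not start with a digit
    instant = (issue_instant or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID={quoteattr(request_id)} Version="2.0" IssueInstant="{instant}" '
        f'Destination={quoteattr(idp_sso_url)} ProtocolBinding="{POST_BINDING}" '
        f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        f'</samlp:AuthnRequest>'
    )


def redirect_binding_url(idp_sso_url: str, authn_request_xml: str,
                         relay_state: Optional[str] = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into the query.
    With request signing the SP also appends SigAlg and Signature parameters
    computed over the encoded query string (omitted: needs the SP key)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    separator = "&" if "?" in idp_sso_url else "?"
    return idp_sso_url + separator + urlencode(params)


def post_binding_form(idp_sso_url: str, authn_request_xml: str,
                      relay_state: Optional[str] = None) -> str:
    """HTTP-POST binding: the request is base64-encoded (not deflated) into a
    hidden field of a self-submitting form, so it never appears in URLs or logs."""
    b64 = base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")
    relay = (f'<input type="hidden" name="RelayState" value={quoteattr(relay_state)}/>'
             if relay_state else "")
    return (f'<form method="post" action={quoteattr(idp_sso_url)}>'
            f'<input type="hidden" name="SAMLRequest" value="{b64}"/>{relay}'
            f'<noscript><button type="submit">Continue</button></noscript></form>'
            f'<script>document.forms[0].submit()</script>')


def decode_redirect_binding(url: str) -> str:
    """Inverse of redirect_binding_url, useful when debugging what the IdP receives."""
    encoded = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")
```

The practical difference between the bindings is where the request travels: with HTTP REDIRECT it sits in the query string of a GET (so it ends up in browser history, proxies and web-server logs), with HTTP POST it is in the body. Either way the request carries no secret, which is why the signature option exists: it lets the IdP reject requests that Synerise did not produce.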

Benefits

  • Centralized user management - With the identity provider, you get to administer users from one central place in your organization.

  • Increased security - The benefit of a single user account in many applications helps to maintain a single identity and credentials, so users don’t have to remember too many credentials. Authentication takes place only with the identity provider, with a single set of security-related policies regardless of the application.

  • Improved user experience - Your users only need to sign in once to use multiple applications. This approach ensures faster authentication, saves time and relieves users from remembering multiple credentials.

Good practices

  • Configure a strong password policy, two-factor authentication, and other security policies with your Identity Provider, because the ones available in Synerise do not apply to users who sign in through the IdP.

  • Still configure password requirements and two-factor authentication for your business profile in Synerise, as they are enforced for the Guest accounts (users that are not managed by you).

Configuration parameters explanation

Important:
Field names in Synerise and in your identity provider's portal or documentation may differ.
Configuration parameter - Description

General settings

Authentication mode - There are three options to choose from:

- Allow signing in with in-built account only - Only users who have an account in Synerise can sign in (with an email address and password).

- Allow signing in with Identity provider account only - Only users who have an account with the identity provider can sign in. Signing in with Synerise credentials is disabled and authentication through your Identity Provider is enforced.

- Allow signing in with both methods - Users can sign in either with Synerise credentials or through the Identity provider account.

While you are testing the identity provider integration, we recommend allowing both methods, so that a misconfiguration cannot lock administrators out.
Sign-in button label - The text in this field is displayed on the button shown to your users.
Exemplary identity provider log in button

Authentication settings

Managed domains - Select the domains (used in the user accounts) for which identity provider authentication is available. The list contains only verified domains (learn how to verify a domain); unverified domains are excluded for security reasons, because otherwise an IdP could assert identities for addresses you do not own.
Use Attribute containing email address instead of Subject - The identity provider must pass the identity attribute of the user who wants to log in to Synerise; this identity attribute is an email address. Each identity provider has its own way of passing it. If the identity provider passes the user's email address in an attribute other than the Subject (NameID), enable this option.
Identity provider email attribute - Available when the Use Attribute containing email address instead of Subject toggle is switched on. Enter the name of the email attribute (usually a URI). Where to find it is described in the identity provider's documentation. An exemplary attribute carrying an email address, returned in an authentication response from the identity provider: <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>john.doe@example.org</AttributeValue></Attribute>

Just-in-Time Provisioning

Update user roles on sign-in - Configure how user permissions are updated at login (useful when user permissions are modified between log-ins, in Synerise or in the Identity Provider portal):

- Full sync - User roles are always enforced based on the group or role claims in the SAML response from your Identity Provider. Whenever a user authenticates, Synerise overwrites the permissions with the ones sent by the IdP. Think of it as 'replace': roles granted directly in Synerise are lost at the next login.

- Add missing - Roles sent by the IdP that the user does not yet have are added, but roles you have assigned directly in Synerise are left untouched.

- No - The authentication response does not change user roles; they can only be assigned or modified directly in Synerise.
Unsuspend users - Unblocks users (for example, those who blocked themselves by entering a wrong password several times) after a successful authentication through the identity provider. It is particularly useful in the Allow signing in with both methods authentication mode.
Dynamic role assignment - Lets you assign different user roles to different user groups from the identity provider. To do so, enter the name (URI) of the group attribute, then the ID of the group, and select a user role. The alternative is static role assignment (see the next row), which assigns the same user role to everyone who authenticates through the identity provider.
Roles - Required when Dynamic role assignment is disabled. Select the user role assigned to every user who authenticates through the identity provider.

SAML protocol settings

Identity provider Entity ID - Found in the identity provider's portal or documentation. Expected value type: URL.
SSO endpoint (https) - Found in the identity provider's portal or documentation. It may be the same as the Identity provider Entity ID. Expected value type: URL.
Identity provider application ID - Found in the identity provider's portal. Expected value type: string.
Service provider redirect URI - Always filled in by default. Copy it when registering the Synerise application in your identity provider service (IdPs often call it the reply URL or Assertion Consumer Service URL).
Request Signature - To increase security, require a SAML signature on authentication requests by enabling this option; the IdP can then reject requests that were not produced by Synerise.
Request binding - Define how the requester and responder exchange messages (HTTP POST or HTTP REDIRECT).
Request signature algorithm - Select the algorithm Synerise uses to sign the request. Currently unused.
Response signature verification - Define where in the SAML message the signature is expected.
Response signature algorithm - Define the algorithm the identity provider used to sign the response. This field is not required because Synerise receives the identity provider certificate, which contains the key used to verify the response.
IdP signature certificate - Upload the file that contains the identity provider certificate used to validate the response signature. It is available either in the identity provider's portal or in its documentation.
Max clock skew - Define the acceptable time discrepancy between the identity provider issuing the assertion and Synerise receiving it. Keep it small (a minute or two): a large value extends the window in which a captured response stays valid.
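The following is an added example, not Synerise's code: the service-provider-side checks behind Step 6 and the Just-in-Time provisioning options in the table above, run over a constructed SAML response. It assumes the XML signature has already been verified against the uploaded IdP certificate by a SAML library (for example python3-saml); nothing here replaces that check. The entity IDs, the group attribute name and the group IDs are example values; the email attribute name is the one from the table.

```python
# Added example (not Synerise's code): assertion checks and JIT role handling
# after signature verification. Use defusedxml in production to block entity
# expansion attacks; ElementTree is used here to stay dependency-free.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}


class SamlError(Exception):
    pass


def _parse_time(value: str) -> datetime:
    value = value.strip().rstrip("Z").split(".")[0]      # drop fractional seconds
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def extract_identity(response_xml: str, *, idp_entity_id: str, sp_entity_id: str,
                     managed_domains: Sequence[str], now: str,
                     max_clock_skew_seconds: int = 60,
                     email_attribute: Optional[str] = None,
                     group_attribute: Optional[str] = None) -> Tuple[str, List[str]]:
    """Return (email, groups) or raise SamlError. `now` is UTC in SAML format."""
    t_now, skew = _parse_time(now), timedelta(seconds=max_clock_skew_seconds)
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise SamlError("response carries no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise SamlError("assertion issuer is not the configured IdP Entity ID")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise SamlError("assertion has no Conditions")
    # Max clock skew widens both edges of the validity window, nothing else.
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before and t_now + skew < _parse_time(not_before):
        raise SamlError("assertion not yet valid")
    if not_on_or_after and t_now - skew >= _parse_time(not_on_or_after):
        raise SamlError("assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlError("assertion was issued for a different service provider")
    attrs: Dict[str, List[str]] = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if email_attribute:        # "Use Attribute containing email address instead of Subject"
        email = (attrs.get(email_attribute) or [""])[0]
    else:
        email = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    email = email.strip().lower()
    if "@" not in email:
        raise SamlError("no usable email address in the assertion")
    # The IdP may only vouch for accounts in the domains selected under Managed domains.
    if email.rsplit("@", 1)[1] not in {d.lower() for d in managed_domains}:
        raise SamlError(f"{email} is outside the managed domains")
    return email, (attrs.get(group_attribute, []) if group_attribute else [])


def response_error(response_xml: str, **kwargs) -> Optional[str]:
    """Convenience wrapper: the rejection reason, or None when the assertion is accepted."""
    try:
        extract_identity(response_xml, **kwargs)
        return None
    except SamlError as exc:
        return str(exc)


def roles_from_groups(groups: Sequence[str], mapping: Dict[str, str],
                      static_role: Optional[str] = None) -> Set[str]:
    """Dynamic role assignment: map group IDs to roles, else fall back to the static role."""
    roles = {mapping[g] for g in groups if g in mapping}
    return roles if roles or static_role is None else {static_role}


def update_roles(current: Set[str], from_idp: Set[str], mode: str) -> Set[str]:
    """'Update user roles on sign-in' modes. Full sync replaces: roles granted
    directly in Synerise vanish at the next SSO login unless the IdP sends them."""
    if mode == "Full sync":
        return set(from_idp)
    if mode == "Add missing":
        return current | from_idp
    if mode == "No":
        return set(current)
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>John.Doe@example.org</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.org/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
    <saml:AttributeValue>john.doe@example.org</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="http://schemas.example.org/claims/groups">
    <saml:AttributeValue>marketing-admins</saml:AttributeValue>
    <saml:AttributeValue>all-staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
```

Two checks in this code are easy to forget and worth calling out: the audience check, which stops an assertion minted for another application at the same IdP from being replayed against Synerise, and the managed-domain check, which is the reason the Managed domains field lists only verified domains.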

Make log-in screen modifications

The general settings section
  1. Go to Settings icon Settings > Access Control > Identity Providers.
  2. To define the available login methods and the text on the button:
    1. From the Authentication mode dropdown list, select one of the available modes:
      • Allow signing in with in-built account only - Users can only log in with an email address and password.
      • Allow signing in with Identity Provider account only - User can only log in through the identity provider.
      • Allow signing in with both methods - Users can log in with those two methods.
    2. In the Sign-in button label field, enter the text that is displayed on the button in the Synerise log-in window for the identity provider authentication method.

Define authentication settings

The authentication settings section
  1. To define the domains for which this authentication method is enabled and how the email attribute is passed to Synerise, in the Authentication settings section:
    1. In the Managed domains field, select verified domains for which this authentication method is available.
      Important:
      If you want to include all verified domains, you must select them all in the field - domain verification itself does not automatically enable this method of authentication.
    2. If the identity provider passes a user’s email address in other attribute than subject, switch the Use Attribute containing email address instead of Subject toggle on.
      Result: An IdP email attribute field appears.
    3. In the IdP email attribute field, enter the name (URI) of the email attribute.
      Tip:
      You can find it in the XML metadata file generated while registering the Synerise application in your identity provider portal, or in the identity provider documentation.

Define permissions for users who authorize by identity provider

The Just-in-Time provisioning section
  1. To define a user's permissions when they authenticate, in the Just-in-Time provisioning section:
    1. From the Update user roles on sign-in dropdown list, select the method of updating user roles (it’s useful in situations when user permissions are modified between log-ins both in Synerise and Identity Provider portal):
      Tip:
      Explanation of every option is available here.
      • Full sync
      • Add missing
      • No
    2. To enable unblocking Synerise users by Identity Provider authorization, switch the Unsuspend users toggle on.
      Result: If a user is blocked in Synerise, the Identity Provider authorization unblocks this user.
    3. Define how you want to assign user permissions for users authorizing by Identity Provider:
      Static role assignment

      To enable static role assignment (every user receives the same user permissions), from the Role dropdown list, select a Synerise user role.

      Dynamic role assignment

      1. To enable dynamic assignment of user permissions through SAML mapping, switch the Dynamic role assignment toggle on.
        Result: Three text fields appear.
        1. In the SAML Attribute name field, enter the name (URI) of the identity provider's group attribute.
          Tip:
          You can find it in the identity provider portal or in the identity provider documentation.
        2. In the SAML Attribute value field, enter the value of the attribute (the group ID).
          Tip:
          You can find it in the identity provider portal or in the identity provider documentation.
        3. From the Role dropdown, select a user role for the attribute.
        4. To add more attributes and assign roles to them, click Add and repeat steps 1-3.

Adjust SAML protocol settings

The SAML protocol settings section
  1. To set up SAML-based single sign-on, the identity provider and service provider must establish trust with each other. To do this, in the SAML protocol settings section:
    1. In the Identity provider Entity ID field, enter the URL (you can find it in the Identity provider’s portal or in their documentation).
    2. In the SSO endpoint (https) and Identity provider application ID fields, provide data from the Identity provider portal.
      Tip: You can refer to the Identity provider’s documentation.
    3. The Service provider redirect URI field is filled in by default.
    4. From the Request binding dropdown list, select one method of exchanging authentication:
      • HTTP POST
      • HTTP REDIRECT
    5. To sign authentication requests with Synerise's SAML certificate, switch the Request signature toggle on (recommended).
    6. Omit the Request signature algorithm, Response signature verification, and Response signature algorithm fields.
    7. To add the certificate:
      1. Open the XML metadata file received when registering the Synerise app in the Identity provider's portal.
      2. Copy the content of the X509Certificate element (the base64-encoded certificate).
      3. Paste it into a new file.
      4. Save the file.
      5. Upload the file to the IdP Signature Certificate field.
    8. To define the maximum acceptable time discrepancy between issuing the authorization and receiving it in Synerise, define the time period in Max Clock Skew. Keep it short; a generous skew lengthens the window in which a captured response remains valid.
  2. Confirm by clicking Apply.

Test SSO

After completing the setup, test the integration.

  1. If you are logged in to Synerise, log out.
  2. Go here.
  3. Enter your email address.
  4. Click Continue.
  5. Click Sign in with Provider's name (the text on the button depends on the value you entered in the Sign-in button label field).
    Result: You are redirected to your Identity Provider's service. If there is an active session, you are authenticated immediately; otherwise you are asked to authenticate. You are then redirected back to Synerise.

Congratulations! You signed in through your Identity Provider.

Note:
When the process works as expected, you can switch the Authentication Mode setting, so only the SSO authentication method is allowed, excluding the option of authorizing through email and password.

Troubleshooting

I can't authenticate through SSO

  • In the Synerise application, review the SAML setup for any typos or errors in the Just-In-Time provisioning configuration.
  • Check the SSO settings in your Identity Provider’s portal.
