Login Rules, Two-Step Authentication, and more - System Admin

Login Rules

Password Rules: A strong, effective password requires a necessary degree of complexity. Three factors help users build that complexity: length, width, and depth.

  • Length – Probability dictates that the longer a password is, the more difficult it is to crack. Simply put, longer is better. It is generally recommended that passwords be between six and nine characters long. Greater length is acceptable, and shorter passwords should be avoided.
  • Width – Width describes the different types of characters that are used. Don't consider only the alphabet; there are also numbers and special characters such as '%'. As a general rule, every password should include characters from each of the following sets: numerals such as 1, 2, 3, and special characters such as $, ?, &.
  • Depth – Depth refers to choosing a password with a challenging meaning, something not easily guessable. Stop thinking in terms of passwords and start thinking in terms of phrases: "A good password is easy to remember, but hard to guess."

Password Rules Configurations

The password configurations below can be set by the System Administrator. The default values are in parentheses.

  • Session Time Out (90 minutes) – The number of minutes that Satuit keeps an inactive session open before automatically logging the user off. The time-out can be set between 10 and 500 minutes.
  • Characters Max (30 characters) – The maximum number of characters in a password. This value should be between 4 and 30 characters.
  • Characters Min (4 characters) – All passwords must contain at least this many characters. Characters Min cannot be negative or more than the Characters Max set above.
  • Numerals Max (30 numerals) – The maximum number of numerals that can be in a password. This value should be between 4 and 30 numerals.
  • Numerals Min (4) – The minimum number of numerals that must be in a password. It cannot be negative or more than 30, and should be less than Numerals Max.
  • Special Characters Max (30) – The maximum number of special characters that can be in a password. This value should be between 0 and 30 characters.
  • Special Characters Min (0) – The minimum number of special characters that must be in a password. This value should be less than Special Characters Max and cannot be negative.
  • Expiration Days (180 days) – The number of days before a password expires. It should be between 30 and 180 days.
  • Grace Period (0 days) – The number of days that a user ID and password remain active after the password has expired. This value should be between 0 and 10 days.
  • Count Down (15 days) – The number of days before a password expires during which Satuit reminds the user to change their password when they log in. The value should be between 0 and 15 days.
  • Recycle Limit (2 times) – The number of times a password must be changed before it can be reused. This should be between 0 and 20 times.
  • Failed Attempt Max (3 times) – The number of times a user may attempt to log in with an incorrect password before being locked out. The maximum number of failed attempts should be between 1 and 3.
  • Lockout Minutes (10 minutes) – The number of minutes that Satuit locks a login after the number of failed attempts reaches the maximum set above. The lockout time should be between 10 and 30 minutes. Alternatively, if "0" is entered, a REP who locks themselves out must have their access reset by a System Admin.
  • Disable Password Saving – Selecting this checkbox disables the browser's option to save the Satuit password.
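The settings above define two separate checks: whether an administrator's configuration is internally consistent (for example, Characters Min cannot exceed Characters Max), and whether a candidate password satisfies the resulting rules. The following is an added example, not Satuit's own code, that implements both using the ranges and defaults listed on this page, plus a small lockout tracker for the Failed Attempt Max and Lockout Minutes settings. The class and function names are my own; the page does not define which characters Satuit counts as "special", so the example treats anything that is not a letter or digit as special.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

# Assumption: the page does not define the special-character set, so anything
# that is not a letter or digit counts as special here.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")

# Permitted ranges for the single-valued settings, copied from the page.
RANGES = {
    "session_timeout_minutes": (10, 500),
    "chars_max": (4, 30),
    "numerals_max": (4, 30),
    "special_max": (0, 30),
    "expiration_days": (30, 180),
    "grace_days": (0, 10),
    "countdown_days": (0, 15),
    "recycle_limit": (0, 20),
    "failed_attempt_max": (1, 3),
}


@dataclass(frozen=True)
class PasswordPolicy:
    """Field defaults are the page's documented defaults."""
    session_timeout_minutes: int = 90
    chars_max: int = 30
    chars_min: int = 4
    numerals_max: int = 30
    numerals_min: int = 4
    special_max: int = 30
    special_min: int = 0
    expiration_days: int = 180
    grace_days: int = 0
    countdown_days: int = 15
    recycle_limit: int = 2
    failed_attempt_max: int = 3
    lockout_minutes: int = 10  # 0 = stays locked until a System Admin resets it

    def validate(self) -> list[str]:
        """Return the rules an administrator's settings violate (empty = consistent)."""
        errors = []
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                errors.append(f"{name} must be between {lo} and {hi}, got {value}")
        for lo_name, hi_name in (("chars_min", "chars_max"),
                                 ("numerals_min", "numerals_max"),
                                 ("special_min", "special_max")):
            lo_value, hi_value = getattr(self, lo_name), getattr(self, hi_name)
            if lo_value < 0 or lo_value > hi_value:
                errors.append(f"{lo_name} cannot be negative or exceed {hi_name}")
        if self.lockout_minutes != 0 and not 10 <= self.lockout_minutes <= 30:
            errors.append("lockout_minutes must be 0 or between 10 and 30")
        return errors


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the policy rules a candidate password breaks (empty = acceptable)."""
    counts = (
        ("characters", len(password), policy.chars_min, policy.chars_max),
        ("numerals", sum(ch.isdigit() for ch in password), policy.numerals_min, policy.numerals_max),
        ("special characters", len(SPECIAL_RE.findall(password)), policy.special_min, policy.special_max),
    )
    problems = []
    for label, n, lo, hi in counts:
        if n < lo:
            problems.append(f"needs at least {lo} {label}, has {n}")
        elif n > hi:
            problems.append(f"allows at most {hi} {label}, has {n}")
    return problems


class LockoutTracker:
    """Applies Failed Attempt Max / Lockout Minutes per user ID.

    `now` is a callable returning seconds, injected so the behaviour is testable.
    """

    def __init__(self, policy: PasswordPolicy, now):
        self.policy, self.now = policy, now
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float | None] = {}  # None = needs admin reset

    def is_locked(self, user: str) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None:                      # Lockout Minutes = 0
            return True
        if self.now() >= until:                # lockout has expired
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> None:
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.policy.failed_attempt_max:
            minutes = self.policy.lockout_minutes
            self.locked_until[user] = None if minutes == 0 else self.now() + 60 * minutes

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)

    def admin_reset(self, user: str) -> None:
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```

Validate the policy first and refuse to save an inconsistent one; a policy whose minimum exceeds its maximum would reject every password, which is a denial of service rather than a security gain.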

Two-Step Verification

Note

System Administrators will need to enable this feature.

SatuitCRM and SatuitSIP use a two-step Authenticator, a software token that implements two-step verification using the Time-based One-time Password algorithm (TOTP) and the HMAC-based One-time Password algorithm (HOTP) to authenticate users.



Have users download an Authenticator app from their app store or as a Chrome add-in. Once the app is installed, the next time they try to log in to Satuit they will be shown a QR code, which they must scan with the app (or enter the setup code manually).


Upon entering the code, they will be logged in to Satuit. On every subsequent login they will need to open the app on their phone and enter the code it displays.


Two-Step Authentication For Trusted IP Address

We allow you to list trusted IP addresses within the two-step Authentication settings. If two-step authentication is enabled, users accessing the CRM from a trusted IP address will not be subjected to the additional authentication step.

Attention

All users are required to set up their authenticator before being granted Trusted IP access to Satuit.

Setting-Up Two-Step Authentication

Once enabled, all users will be required to set up their authenticator whether they are located within a Trusted IP or not. Upon completion, users accessing from a listed IP address will not be subjected to two-step verification.

  1. Click on Tools, then select System Administrator
  2. Expand Security and then select Login Rules
  3. Enable two-step authentication
  4. Input Trusted IP addresses
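The trusted-IP rule has two parts worth getting exactly right: the allowlist only exempts users who have already enrolled an authenticator, and the address it is checked against must be the client's real source address. The following added example (my own code, not Satuit's) shows a decision function that encodes the enrolment-first rule, accepts single addresses and CIDR ranges in the trusted list, and derives the client address safely when the application sits behind a reverse proxy: the X-Forwarded-For header is honoured only when the direct peer is one of your own proxies, because anyone can send that header. All addresses are documentation ranges (RFC 5737 / RFC 3849) and the trusted-proxy range is an assumed private network.

```python
from __future__ import annotations
import ipaddress


def parse_trusted(entries):
    """Turn a list of 'a.b.c.d' or 'a.b.c.d/nn' strings into network objects."""
    networks = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            # strict=False accepts host bits set; a bare address becomes a /32 or /128
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_trusted(client_ip: str, networks) -> bool:
    """True if client_ip falls inside any trusted network; garbage never matches."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def effective_client_ip(remote_addr: str, xff_header: str | None, trusted_proxies) -> str:
    """Resolve the real client address behind your own reverse proxies.

    If the TCP peer is not one of our proxies, X-Forwarded-For is attacker-supplied
    and ignored. Otherwise walk the header right-to-left past our proxies and take
    the first address that is not one of them.
    """
    proxies = parse_trusted(trusted_proxies)
    if not xff_header or not is_trusted(remote_addr, proxies):
        return remote_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop, proxies):
            return hop
    return remote_addr


def login_decision(two_step_enabled: bool, user_enrolled: bool,
                   client_ip: str, trusted_networks) -> str:
    """'allow', 'require_code' or 'require_enrolment', per the rules above."""
    if not two_step_enabled:
        return "allow"
    if not user_enrolled:
        # Every user must set up an authenticator before trusted-IP access applies
        return "require_enrolment"
    if is_trusted(client_ip, trusted_networks):
        return "allow"
    return "require_code"


if __name__ == "__main__":
    # Constructed sample allowlist: an office range, one host, and an IPv6 prefix
    trusted = parse_trusted(["203.0.113.0/24", "198.51.100.7", "2001:db8::/32"])
    # Assumed: our reverse proxies live in 10.0.0.0/8
    ip = effective_client_ip("10.0.0.5", "203.0.113.9, 10.0.0.5", ["10.0.0.0/8"])
    print(ip, login_decision(True, True, ip, trusted))
```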

Active Directory / Single Sign On (SSO) Integration

The Satuit Platform integrates with Active Directory/SSO applications. Security Assertion Markup Language (SAML) is an open standard markup language used by Identity Providers to pass authorization credentials to service providers. Satuit's family of products supports SAML-based authorization from any Identity Provider with a SAML 2.0 solution.

Contact your Satuit Representative for more details.

SAML Setup

Before setting up SAML-based authorization for Satuit products, you will need to contact the Satuit Client Success Team to subscribe to the SAML support and enable the configurator. Once access is granted, your system administrator with the security role can configure SAML authorization via the System Administrator panel, under Security → Login Rules.

Warning

If the Login Rules page shows the following, then you are not yet authorized to configure SAML for your site and must contact Satuit Technologies, support@satuit.com, to enable the feature.

[Screenshot]

Preparing Rep Records for SAML

The recommended way to use SAML authorization is to use the rep’s email address for authentication. You need to make sure the reps’ email addresses in your Satuit installation match the authentication credentials stored with your Identity Provider.

MAKE CERTAIN AT LEAST ONE REP WITH ADMINISTRATOR PRIVILEGES IS PROPERLY SET UP BEFORE ATTEMPTING TO TURN ON SAML.

Configuring Satuit for SAML Authentication

  1. On the Login Rules page, find the SAML SINGLE SIGN-ON section
  2. Locate the SAML Identity Provider Metadata file saved within your environment. To learn how to obtain the Metadata file, consult your Identity Provider's documentation
  3. Upload the Metadata file to Satuit via the Browse feature


  • Once you’ve uploaded your Metadata file, click SAVE
  • Once saved, the Metadata file is validated by Satuit. If you receive an error, then the uploaded Metadata file is not in an expected format
  • If the Metadata file is valid, then the Current Identity Provider field will be completed on the Login Rules page. For illustration purposes, we are showing Satuit being configured to use Google's GSuite SAML integration:

[Screenshot]

  • You may now click the Enable SAML SSO checkbox and save the configuration:

[Screenshot]

You will now see the ACS URL and Entity ID that you need to enter in your Identity Provider configuration. Enter these exactly as shown; they are case-sensitive.
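The two checks the steps above rely on, validating that an uploaded file really is SAML 2.0 Identity Provider metadata and confirming that the ACS URL and Entity ID were copied into the Identity Provider exactly, can be seen in the following added example. It is my own code, not Satuit's validator, and it does not show what Satuit checks internally; it parses the elements a service provider needs (entityID, the SingleSignOnService endpoints, and the signing certificate) with the standard library and reports the kind of format error a rejected upload would typically have. The sample metadata is constructed for the example, with a placeholder in place of a real certificate body.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


class MetadataError(ValueError):
    """Raised when the uploaded file is not usable SAML 2.0 IdP metadata."""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what a service provider needs from IdP metadata, or explain why it can't."""
    try:
        # For untrusted uploads in production, parse with defusedxml instead of
        # ElementTree to rule out entity-expansion attacks on the XML parser.
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from None
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataError("root element must be md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this may be SP metadata, not IdP metadata")

    sso = {}
    for endpoint in idp.findall("md:SingleSignOnService", NS):
        binding, location = endpoint.get("Binding"), endpoint.get("Location")
        if not binding or not location:
            raise MetadataError("SingleSignOnService is missing Binding or Location")
        if not location.startswith("https://"):
            raise MetadataError(f"SSO endpoint is not https: {location}")
        sso[binding] = location
    if not sso:
        raise MetadataError("no SingleSignOnService endpoint")

    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":   # an absent 'use' means both uses
            continue
        for cert in key.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop PEM line breaks
    if not certs:
        raise MetadataError("no signing certificate: assertions could not be verified")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}


def check_sp_value(expected: str, entered: str) -> str:
    """Compare an ACS URL or Entity ID typed into the IdP against Satuit's value."""
    if entered == expected:
        return "ok"
    if entered.strip() == expected:
        return "whitespace"
    if entered.strip().lower() == expected.lower():
        return "case mismatch"     # the values are case-sensitive, so this will fail
    return "mismatch"


# Constructed sample IdP metadata; the certificate body is a placeholder.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml2">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBplaceholderCertificateBody
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderEncryptionCert</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(check_sp_value("https://crm.example.com/saml/acs", "https://crm.example.com/SAML/ACS"))
```

The signing certificate is the part that matters most for security: it is what lets the service provider verify that an assertion really came from your Identity Provider, so metadata without one should be rejected rather than accepted with a warning.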

Upon logging out of Satuit, your sign-in attempts will be directed through your Identity Provider for authentication.

If the user is not authorized via the Identity Provider to use Satuit, the access attempt will be rejected.

If the user's browser does not have an active session (cookie) with the Identity Provider, the rep will first be redirected to the Identity Provider to log in, and then forwarded to Satuit.

The Satuit Outlook Add-In will still use the user’s password for authentication. When a Satuit site is SAML enabled, the rep’s User Preference window will change. In Change Password, the Old Password field will be removed. Note that if the user has the Outlook Add-In set to open the detail form in Satuit after adding an item, the user will be authenticated using SAML before the form is displayed.

Mobile Additional Authentication

Additional authentication has been added for Satuit2GO to ensure that organizational security standards extend to mobile access. The additional authentication can be implemented via either:

  • 2 Factor Authentication
  • SAML Single Sign-On

SSO FAQ

How do I set up ADFS server SSP Federation with Satuit?

  • Select "Enter data about the relying party manually"

[Screenshot]

Q. Can we test out the transition from default login to SSO enabled login in a test site first?

A. Yes, it is possible to use your test site to try out the SSO functionality before enabling it in your production environment. Please contact the Satuit Client Success team at support@satuit.com to have it enabled on your existing test site or to request information on setting up a new test site.

Q. When SSO is enabled, will existing default logins stop working?

A. Yes, default logins will not work once SSO is enabled. Once SSO is disabled, the default logins will begin to work once again.

Q. After enabling SSO can we migrate user by user?

A. No, your entire user database will need to be set up with your SSO provider before SSO is enabled within Satuit.

Q. How do I link our current user base to our Active Directory?

A. The recommended way to use SAML authorization is to use the rep's email address for authentication. You need to make sure the reps' email addresses in your Satuit installation match the authentication credentials stored within your Active Directory. If the reps' emails match your Active Directory, then they will be granted access. If they do not, then they will not be able to access Satuit.

Q. Who will be able to log in to Satuit once SSO is enabled?

A. Only users already in Satuit with matching email addresses to your Active Directory will be able to sign in.

Q. What is the process to add a new user to Satuit once SSO is enabled?

A. Add the user and email address to your Active Directory. Then add the user to Satuit and double-check the email in Satuit matches your Active Directory.

Q. How will Satuit2Go be affected by SSO?

A. The Satuit2Go login page will properly direct your users to your Identity Provider when SSO is enabled.

Q. How will SSO affect the Satuit Outlook Add-In and PAC Utility?

A. Both downloads will require the rep's current Satuit password even after SSO is enabled.

Q. How do I disable a user's access to Satuit with SSO enabled?

A. When you no longer want a user to have access to your site, you must disable them within the system administrator.

Q. Using OKTA I am constantly being asked to log into the Outlook Add-In

A. OKTA made a change to the user settings in July 2022; users may need to allow persistent cookies to avoid this scenario. More information can be found here:
https://help.okta.com/en-us/Content/Topics/ReleaseNotes/production.htm#Generall-2208
