
Authentication: which method to choose (SAML/MFA) and how to configure them?

When setting up your environment, you can choose a SAML or MFA authentication method. This article details the ins and outs of these methods.

Summary

1. MFA or SAML: which should you choose?

2. Which MFA solution to choose?

3. How do I set up my SAML authentication?

4. How do I update my SAML authentication?

1. MFA or SAML: which should you choose?

🔎 If you select the SAML method, the MFA field will not be available.

MFA (also called 2FA or strong authentication) supplements the traditional password with a code generated by a smartphone application.

With the implementation of SAML, authentication is completely managed by your identity provider (AzureAD, ADFS, Google, OKTA, etc.) following the principle of identity federation.

In this configuration, authentication is handled entirely outside the solution. It is therefore not possible to add anything on top of this authentication, which lies outside the solution's scope of responsibility.

2. Which MFA solution to choose?

You can use the MFA solution of your choice: Microsoft Authenticator, OKTA, etc.

3. How do I set up my SAML authentication?

📝 Prior information

  • Tenacy offers SAMLv2 natively and on all offers.
  • Tenacy supports multi-directory SAML to manage your accounts, those of your subsidiaries, suppliers, etc.
  • Tenacy supports SAML in Service Provider Initiated mode only.
  • Tenacy does not support automatic provisioning (the account must already exist in the solution).
  • Tenacy does not process authorizations through SAML (only identity elements are processed).

⚙️ Setup

Configuration is carried out from the gear menu ⚙️, under the Authentication menu.

You can add a configuration and fill in the URL metadata field.

You will find all the information for setting up the SAML configuration in the contextual help on the “Authentication” page.

4. How do I update my SAML authentication?

4.1 Keep my existing configuration and create a new one next to it

This approach consists of creating a second authentication configuration, containing the new certificate's information, that will take over from the first configuration.

⚠️ Associate only your own account with the new configuration to check whether it already works. ⚠️

Once the verification is done, log out and try to log in again.

If the new certificate is already working (successful login), you can either:

  • assign it to all users (otherwise you will have to wait until the first certificate expires), or
  • change the certificate information directly in the first configuration, which avoids having to reassign users.

With this approach, remember to open the knowledge base beforehand so that you keep access to the chat if you cannot reconnect. Support can then step in to put you back on the right configuration so that you can log in again.

4.2 Wait for my current configuration to expire

You can also wait until your current certificate expires, as long as you remember to change the information in your configuration no later than the day before the existing configuration expires.

To make the change, we advise you to switch to password authentication a few days before the end of the certificate's validity period, so that you can update the necessary information.