Security

See the following to learn about or perform security-related tasks:

Account: Configure two-factor authentication for a user account.

Organization: Administrator security settings for an organization.

Account

From the Settings > Security tab, all users can configure authentication for their account. They can leave two-factor authentication disabled and keep the default setting, which requires only a username and password, or they can enable email or mobile authentication, as described in this section.

Enabling Email Two-factor Authentication

You can enable email two-factor authentication (2FA) for your account.

  1. Select Email from the Two-factor Authentication section.

  2. The next time you log in to the Automox console using your email address and password, you also need to enter the verification code that was sent to your email address.

  3. To disable this feature, click Disable from the same Security > Account page.

Enabling Mobile Two-factor Authentication

You can enable mobile two-factor authentication (2FA) using Google Authenticator, Authy, or another mobile app.

  1. Download a two-factor authentication mobile app such as Google Authenticator or Authy.

  2. Install the app and open it.

  3. From the Automox console, go to Settings > Security and select Mobile from the Two-factor Authentication section.

  4. From the Mobile Two-factor Authentication window, you must scan the QR code with your mobile device to pair it with the Automox console.

  5. Enter the code that appears. Depending on the mobile app you are using, you might need to enter a second code.

If you lose access to the mobile authentication method, contact the organization administrator to reset the user account.

Disabling Two-factor Authentication

To disable either email or mobile two-factor authentication, click Disable from the Security > Account page.

When two-factor authentication is enabled for the whole organization, you can switch between email and mobile authentication, but you cannot disable two-factor authentication.

Organization

An administrator can configure security settings for an entire organization.

Prerequisites: Only administrators have permission to configure the following organization settings:

Login Attempt Settings

You can set the number of login attempts to the Automox platform that a user can make within a time frame before the account is locked.

  1. Click Update to open the Login Attempts Configuration dialog box.

  2. You can set the following:

    a. Enter the maximum number of login attempts a user can make within a set time frame.

    b. Enter a time frame in minutes. If the user exceeds the allowed number of login attempts during this time frame, the account is locked.

  3. Click Update.

    In this example, the user can attempt to log in 5 times within a time frame of 5 minutes. If the user exceeds the number of attempts within the 5-minute time frame, the account is locked.

For assistance, contact Automox Support (support@automox.com).

SAML-based Single Sign-on (SSO)

You can enable SAML-based single sign-on (SSO) for all of your Automox users.

Note: It is not possible to have SAML and organization-wide two-factor authentication enabled at the same time.

Security Assertion Markup Language (SAML) is a standard for exchanging authentication data between an identity provider and a service provider. With SAML, users can use corporate credentials at a single point of authentication. There are two types of authentication flows: Automox-to-IDP and IDP-to-Automox.

Automox-to-IDP

The Automox-to-IDP authentication flow allows users to provide their email address from the Automox console login page, and be redirected to their configured Identity Provider (IDP) for authentication before being redirected back to the Automox Console as the expected user.

For Automox-to-IDP, follow these steps:

  1. From the Settings > Security tab in your Automox console, go to the SAML tile.

  2. Click Enable. This will disable 2FA, if enabled.

  3. In the Setup SAML window, enter the following information that is provided by your Identity Provider:

    • Entity ID

    • x509

    • Login URL

  4. Click Save Configuration.

IDP-to-Automox

The IDP-to-Automox authentication flow allows users to log into the Automox console directly from their IDP dashboard. This is a common flow in organizations that utilize more than one SSO-enabled service.

For IDP-to-Automox, follow these steps:

  1. From the Settings > Security tab in your Automox console, go to the SAML tile.

  2. Click Enable. This will disable 2FA, if enabled.

  3. In the Setup SAML window, click Toggle XML.

  4. Enter the XML Config information and click Save Configuration.

Enforce Organization-Wide Two-factor Authentication

To ensure all users in an organization are on the same level of security for compliance, an administrator can enforce two-factor authentication (2FA) for all users.

  • From the Settings > Security tab, go to Enforce Organization-Wide Two-factor Authentication and click Enable.

  • When 2FA is initially enforced for an organization, if a user who does not have 2FA enabled logs in with username and password, the user is redirected to the verification code page with a message explaining that 2FA has been enabled at the organization level. The user is instructed to check the associated email account for the verification code.

  • A user can switch to mobile authentication, if desired, from the Settings > Security > Accounts section. This is described in Enabling Mobile Two-factor Authentication. At this time it is not possible for an administrator to enforce mobile 2FA.

  • When an administrator resets 2FA for a user account (Resetting a User Account), this always resets it back to verification by email.

Refer also to User Accounts for details about enabling and disabling 2FA for user accounts.

Automox Okta Single Sign-on (SSO) Integration

You can configure single sign-on through Okta for all of your Automox users.

Automox integrates with Okta Identity Management through a series of simple steps. Automox also has a pending application available on the Okta app marketplace. This supports both service provider (SP) and identity provider (IDP) initiated sign on. Users can either click the Automox app on their Okta dashboard to sign in, or simply provide their email address on the sign in page to be redirected to Okta for authentication.

Initial Setup

To set up Okta, you need the following information from Automox:

  • Your unique ACS URL

  • Entity ID

Prerequisites

Administrative privileges required.

  1. From the Settings > Security tab in your Automox console, click Enable on the SAML option.

  2. This will load a window with the required ACS URL and Entity ID.

Keep this information in a tab for use during the Okta configuration.

Okta Configuration

As an Okta administrator, you can set up an integration to Automox following the normal Okta app creation steps.

  1. Within the Okta Admin panel, select Applications > Add Application.

  2. Search for "Automox". If the application is not available, click Create New App.

  3. From the Platform menu, select Web.

  4. For the sign on method, select SAML 2.0.

  5. On the General Settings window, enter a name for the app. (Optional) You can right-click and save the following Automox logo and upload it.

  6. For the SAML Settings window, you will need the ACS URL and Entity ID from the Automox console.

    a. Paste the Customer ID (Org ID) into the Single sign-on URL field.

    b. Select the check box for Use this for Recipient URL and Destination URL.

    c. Paste the Entity ID into the Audience URI (SP Entity ID) field.

    d. The Name ID format should be Unspecified and the Application username should be Okta username.

  7. Automox supports custom attributes for first name and last name. To set these configurations, add an extra row in the Attribute Statements. The first row should include firstName in both fields, while the second row should include lastName in both fields.

    NOTE: In order to edit the attribute statements after initial setup, from the Okta developer dashboard, click Applications. Select the Automox Application and from the General tab click Edit on the SAML Settings section. Click Next and scroll down the page to find the Attribute Statements.

  8. From this page, you can download the Okta certificate that can be used to configure your application.

  9. After you finish the configuration, go to the application's settings page.

  10. There are two options available for configuring the integration.

    a. From the Sign On tab, click View Setup Instructions, which will open in a separate tab. From here, you can copy and paste the details required for Automox.

    b. Download the Okta certificate and import the XML file to Automox.

Automox Configuration

Follow these instructions for the Automox console configuration.

You will need the information from the View Setup Instructions tab to complete this section.

  1. From the Settings > Security tab in your Automox console, click Enable on the SAML option.

  2. In the Setup SAML window, paste the metadata based on the following mapping:

    • Okta Identity Provider Single Sign-On URL = Login URL

    • Okta Identity Provider Issuer = Entity ID

    • Okta X.509 Certificate = x.509

  3. (Optional) You can provide a Logout URL that redirects users to a selected URL after logout. This is often a link to your internal Okta dashboard.

  4. Automox also supports auto-provisioning for new users. If enabled, users can be added to the Automox app in Okta, and will have licenses created for them in Automox as they attempt first login. When SAML is enabled, inviting new users to Automox is restricted to provisioning. This configuration is highly recommended.

  5. Click Save to enable SAML.

  6. Add all required users to the Automox app in Okta to complete your setup.
