Overview
We’ve added a 2-Step Verification authentication option so that Pipeliner Subscription Administrators can choose to enhance the security around logging in to Pipeliner by ensuring users need to enter a verification code in addition to their username and password. Users can also choose to enable this option for themselves in their Account Settings.
We’ve also enabled new options for Single Sign-On using OIDC via Microsoft or Google accounts.
Definitions
Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data from being accessed by an unauthorised third party that may have been able to discover, for example, a single password.
OpenID Connect (OIDC) was designed with web and mobile applications in mind and to be easy to adopt and use. It is an extension of OAuth2, with data structures in JSON format (JWT) and simple HTTPS flows for transport. User identity data (“claims”) are issued in a JSON web token (ID Token). The claims include a persistent identifier and the user data defined by the requested scopes. Conventionally, this token is digitally signed, and it may also be encrypted where required.
How to access the Sign In Tab
Subscription Admins need to log in to customer-portal.pipelinersales.com and then click on the "Sign In" tab ⤵
Enabling 2-Step Verification
From the "Pipeliner Login" tab, click on the toggle switch to enable 2-Step Verification for all Pipeliner users ⤵
You can now select which of the three main supported authentication methods you want your users to be required to use each time they log in to Pipeliner:
Email Message › users will receive an email with a verification code that they will need to enter into the verification screen when logging in.
Text Message (SMS) › users will receive an SMS with a verification code that they will need to enter into the verification screen when logging in.
Authenticator App › users will need to install their preferred authenticator app (Android/iOS) on their phone. The authenticator app will generate a Pipeliner verification code that they’ll need to enter into the verification screen when logging in.
Click on “Save” when you’ve made your choices ⤵
You’ll be reminded that all users will now need to re-login. Click on “Confirm” to continue ⤵
All users, including yourself if you are also a user of Pipeliner, will be prompted to re-login ⤵
When users have entered their login details, they’ll now be presented with the 2-Step Verification prompt ⤵
Selecting “Click to Set Up” asks them to re-enter their username and password and sign in; a verification code is then sent to their user email address ⤵
They’ll be prompted to enter this code before they can log in. Each time they log in to Pipeliner they will be presented with the 2-Step Verification screen (unless they trust the specific device) ⤵
Enabling Single Sign-On
Subscription Administrators can choose to enable a single sign-on method via OIDC with either Microsoft or Google accounts ⤵
or, for Active Directory users, by enabling a customer SSO SAML IDP. More information about enabling the SAML IDP can be found in this article ⤵
Once a "Single Sign On" option has been selected, click on “Save”.
You’ll then be reminded that you’re changing the login method for all users and that everyone will need to re-login. Click on “Continue” to apply ⤵
When each user logs in again, they will be informed that additional authentication is required and will then be prompted to make the new authorization their default. This sets their primary IDP to the selected authentication method ⤵
From then on, they’ll be able to log in only by clicking on the "Sign in with Microsoft" or "Sign in with Google" options or their AD credentials (depending on which option you chose).
IMPORTANT NOTE: in order for the MS O365 login to work with Pipeliner when the O365 login address is different, you'll need to ensure in the O365 AD that the “User Principal Name” is set to the same email address as in the corresponding Pipeliner User profile and that the domain is verified by MS.
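Because every user has to re-login once Single Sign-On is saved, the requirement in the note above can be checked against exported user lists before the switch. The following Python script is an added example, not Pipeliner or Microsoft code; the function names, the list-based exports, the sample addresses and the case-insensitive comparison are assumptions.

```python
# Added example: pre-rollout check for the O365 UPN / Pipeliner email requirement.
# All sample data is constructed; how the lists are exported is left to the admin.

SAMPLE_PIPELINER_EMAILS = ["Alice@example.com", "bob@example.com",
                           "carol@example.org", "dave@example.com"]
SAMPLE_O365_UPNS = ["alice@example.com", "bob@example.onmicrosoft.com",
                    "carol@example.org", "dave@example.com"]
SAMPLE_VERIFIED_DOMAINS = ["example.com"]


def normalize(addr):
    """Trim and lower-case an address (comparison assumed case-insensitive)."""
    return addr.strip().lower()


def audit_sso_readiness(pipeliner_emails, o365_upns, verified_domains):
    """Return {pipeliner_email: problem} for users likely to fail O365 sign-in."""
    upns = {normalize(u) for u in o365_upns}
    domains = {normalize(d) for d in verified_domains}
    # Index directory accounts by local part so a mismatched UPN can be suggested.
    by_local = {}
    for upn in upns:
        by_local.setdefault(upn.split("@", 1)[0], []).append(upn)

    problems = {}
    for raw in pipeliner_emails:
        email = normalize(raw)
        local, _, domain = email.partition("@")
        if not local or not domain:
            problems[raw] = "not a valid email address"
        elif domain not in domains:
            problems[raw] = f"domain {domain} is not verified in O365"
        elif email not in upns:
            candidates = sorted(by_local.get(local, []))
            hint = f"; possible UPN: {', '.join(candidates)}" if candidates else ""
            problems[raw] = "no O365 account with this User Principal Name" + hint
    return problems


if __name__ == "__main__":
    report = audit_sso_readiness(SAMPLE_PIPELINER_EMAILS, SAMPLE_O365_UPNS,
                                 SAMPLE_VERIFIED_DOMAINS)
    for email, problem in report.items():
        print(f"{email}: {problem}")
```

Users listed in the report should have their User Principal Name or domain verification corrected in O365 before Single Sign-On is enabled for the subscription.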