Subscription Management — How to enable 2 Factor Authentication and Single Sign-On for all Pipeliner users

Learn how to enable 2-Step Verification for Pipeliner logins and also enable Single Sign-On (SSO) via Microsoft or Google

Updated over a week ago

Overview

Pipeliner Subscription Administrators can strengthen login security by enabling 2-Step Verification, which requires users to enter a verification code in addition to their username and password. If required, administrators can make this mandatory for all users. Users can also choose to enable this option for themselves in their Account Settings.

Additionally, we've introduced functionality to restrict access to Pipeliner applications based on IP addresses (Whitelisting) and enforce stricter Auto Logout policies (Idle, Absolute, and Daily timeouts).

There are also options for Single Sign-On using OIDC via Microsoft or Google accounts.

These features apply to both the web app and the Mobile app.

Definitions

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data from being accessed by an unauthorised third party that may have been able to discover, for example, a single password.

OpenID Connect (OIDC) was designed with web and mobile applications in mind. Designed to be easy to adopt and use, OIDC is an extension of OAuth2, with data structures in JSON format (JWT), and simple HTTPS flows for transport. User identity data (“claims”) are issued in a JSON web token (ID Token). The claims will include a persistent identifier and user data defined by the requested scopes. Conventionally, this token is digitally signed, and may also be encrypted where required.

How to access the Sign In Tab

Subscription Admins need to log in to customer-portal.pipelinersales.com and then click on the "Sign In" tab ⤵

NOTE: not all Pipeliner "Admin" users will also be Subscription Administrators - see this article for more information.

Enable QR Code Sign in for Mobile app

A setting has been added to the Customer Portal under Sign In > Pipeliner Login to “Enable QR Code Sign In for Mobile app”. When ON: The users can generate new QR Codes in their user profile settings.

NOTE: turning this toggle OFF will not sign out users who are already logged in via QR Codes, but it will prevent them from generating new ones.

Mobile App: 3rd-Party SSO Flow (Android)

For 3rd-party identity provider (IDP) authentication, the login page will now open in the device's default system browser instead of an in-app view. This change ensures the URL is visible to the user for security verification ⤵

Mobile App: Main Sign-in Screen

A new button has been added to the sign in screen, which navigates the user to the new "Sign In with QR Code" screen ⤵

This screen opens a QR Code Scanner within the app and successfully scanning a valid Pipeliner Sign In QR Code will automatically sign the user into the mobile app.

Note that if a user is a member of spaces under multiple subscriptions, where some have QR Code login enabled and others do not, the user will need to re-verify using a different method when switching between those spaces.

User Profile > Security Settings

A new section named Mobile Sign In has been added under the "Password" section. It includes a Show QR Code button, which opens the QR Code generation window. This area lists all mobile devices that have logged in to the user’s account using a QR Code. Each logged-in device will show:

  • Mobile OS icon

  • Device model name

  • Timestamp of the QR code sign-in

Each device in the list will have a Sign out button that will sign the user out of the Pipeliner mobile app on that specific mobile device.

NOTE: if the QR Code login is disabled in Customer Portal, the button will be disabled.

Web App: 'QR CODE SIGN IN' Window

A unique, one-time-use QR code will be generated and displayed for 60 seconds. The user will need to scan this code within the Pipeliner Mobile App to log in on the app ⤵

After the QR code is successfully scanned by a mobile device, the QR code image in the window is replaced with a green checkmark icon indicating the log in was successful ⤵

When Pipeliner detects a new sign-in using a QR code, the system will send an email notification to the user ⤵

Customer Portal Admin Settings

A new setting has been added to the Customer Portal under Sign In > Pipeliner Login to “Enable QR Code Sign In for Mobile app”. When ON: The users can generate new QR Codes in their user profile settings.

NOTE: turning this toggle OFF will not sign out users who are already logged in via QR Codes, but it will prevent them from generating new ones ⤵

Enabling 2-Step Verification

From the "Pipeliner Login" tab, click on the toggle switch to enable 2-Step Verification for all Pipeliner users ⤵

You can now select which of the three main supported authentication methods you want your users to be required to use each time they log in to Pipeliner:

  • Email Message › users will receive an email with a verification code that they will need to enter into the verification screen when logging in.

  • Text Message (SMS) › users will receive an SMS with a verification code that they will need to enter into the verification screen when logging in.

  • Authenticator App › users will need to install their preferred authenticator app for Android or iOS on their phone. The authenticator app will generate a Pipeliner verification code that they’ll need to enter into the verification screen when logging in.

Click on “Save” when you’ve made your choices ⤵

You’ll be reminded that all users will now need to re-login. Click on “Confirm” to continue ⤵

All users, including yourself if you are also a user of Pipeliner, will be prompted to re-login ⤵

When users have entered their login details, they’ll now be presented with the 2-Step Verification prompt ⤵

Selecting “Click to Set Up” prompts them to re-enter their username and password and sign in. A verification code is then sent to their user email address ⤵

They’ll be prompted to enter this code before they can log in. Each time they log in to Pipeliner, they will be presented with the 2-Step Verification screen (unless they trust the specific device).

Advanced Settings

A new section titled Advanced Settings has been added to the Pipeliner Login tab. This section contains four primary configuration areas: Auto Logout, Require 2-step verification, IP Whitelist, and Exempt Users ⤵

Auto Logout Configuration

Use these settings to automatically log out your users based on the conditions you select ⤵

  • Idle timeout: Checkbox option to log out users after a specific period of inactivity (browser closed/no backend requests).

    • Input: Hours and Minutes.

    • Default value: 30 minutes.

    • Default state: Unchecked.

  • Absolute timeout: Checkbox option to log out users automatically after a set duration since their last login.

    • Input: Hours and Minutes.

    • Default value: 8 hours.

    • Default state: Unchecked.

  • Daily logout time: Checkbox option to log out users at a specific time of day.

    • Input: Time picker (HH:MM).

    • Default value: 18:00.

    • Default state: Unchecked.
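
The following is an added example, not Pipeliner's own code. It models how the three Auto Logout policies interact, so you can see which one ends a session first for a given set of values. The function name, the use of naive local datetimes, and the rule that a login after the daily time rolls over to the next day are assumptions.

```python
from datetime import datetime, timedelta, time

# Default values listed above; every policy is off (None) until its box is checked.
IDLE_DEFAULT = timedelta(minutes=30)
ABSOLUTE_DEFAULT = timedelta(hours=8)
DAILY_DEFAULT = time(18, 0)


def next_forced_logout(login_at, last_activity_at, idle=None, absolute=None, daily=None):
    """Return (when, reason) for the earliest enabled policy, or None if none is enabled."""
    candidates = []
    if idle is not None:
        # Idle timeout counts from the last backend request.
        candidates.append((last_activity_at + idle, "idle"))
    if absolute is not None:
        # Absolute timeout counts from the login itself; activity does not extend it.
        candidates.append((login_at + absolute, "absolute"))
    if daily is not None:
        cutoff = datetime.combine(login_at.date(), daily)
        if cutoff <= login_at:
            # Assumption: a login after today's cutoff lasts until tomorrow's.
            cutoff += timedelta(days=1)
        candidates.append((cutoff, "daily"))
    return min(candidates) if candidates else None


if __name__ == "__main__":
    # Constructed session: login at 09:00, still active at 16:50, all defaults on.
    login = datetime(2025, 12, 1, 9, 0)
    active = datetime(2025, 12, 1, 16, 50)
    when, reason = next_forced_logout(login, active, IDLE_DEFAULT, ABSOLUTE_DEFAULT, DAILY_DEFAULT)
    print(f"session ends at {when:%H:%M} ({reason} timeout)")
```

With all three defaults enabled, a 09:00 login is ended by the 8-hour absolute timeout at 17:00, before the 18:00 daily logout time is reached.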

Require 2-step verification (2FA)

This is a global toggle setting: "Require 2-step verification (2FA) for every login." When enabled, all users in all spaces within the subscription are forced to use 2FA on every login ⤵

The default state is Disabled.

IP Whitelist Configuration

When enabled, all users of all spaces within the subscription can only log in from IP addresses or ranges defined in the list ⤵

  • IPs must be provided in CIDR format (e.g., 192.168.1.1/32 or 192.168.1.1/24).

    • Supports both IPv4 and IPv6.

    • Single IP addresses entered without a suffix are automatically converted to CIDR /32 format.

  • UI Components:

    • Search component with chips (similar to the "To" field in Email Editor).

    • Display of current user's IP: "Your IP address: [IP_ADDRESS]".

    • "Add to list" button to quickly whitelist the current IP.

  • Validation Logic:

    • Self-Lockout Prevention: To save the settings, the administrator's current IP address must be included in the whitelist. A validation error "To save this setting, your current IP address must be included in this whitelist" is displayed if missing.

    • Format validation: "One or more IP addresses are in the wrong format".
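
The following is an added example, not Pipeliner's own code. It is a Python pre-check an administrator can run on a planned whitelist before entering it, mirroring the format validation and self-lockout rules above. It assumes the portal parses entries the way Python's ipaddress module does; the function name and sample addresses are constructed. A bare IPv6 address becoming /128 is the library's behaviour, which this page does not state.

```python
import ipaddress


def check_whitelist(entries, admin_ip):
    """Return (networks, problems, notes) for a planned whitelist."""
    admin = ipaddress.ip_address(admin_ip)
    networks, problems, notes = [], [], []
    for entry in entries:
        try:
            # A bare IPv4 address parses as a single-host /32 entry.
            iface = ipaddress.ip_interface(entry.strip())
        except ValueError:
            problems.append(f"wrong format: {entry!r}")
            continue
        net = iface.network
        if iface.ip != net.network_address:
            # e.g. 192.168.1.1/24 allows the whole /24, not one host.
            notes.append(f"{entry} admits all {net.num_addresses} addresses in {net}")
        networks.append(net)
    # Self-lockout prevention: the admin's current IP must match some entry.
    if not any(admin.version == n.version and admin in n for n in networks):
        problems.append(f"current IP {admin} is not covered by any entry")
    return networks, problems, notes


# Constructed sample input (documentation and private ranges only).
PLANNED = ["203.0.113.7", "192.168.1.1/24", "2001:db8::/48",
           "10.0.0.256", "198.51.100.0/33"]

if __name__ == "__main__":
    nets, problems, notes = check_whitelist(PLANNED, "203.0.113.7")
    for n in nets:
        print("allow  ", n)
    for p in problems:
        print("problem", p)
    for n in notes:
        print("note   ", n)
```

The note for 192.168.1.1/24 matters in practice: an entry written with a host address and a short prefix whitelists every address in that range.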

Access Rules & Logic

  • Implicit Whitelists (Not Restricted):

    • "Our users" (internal Pipeliner users, except registered ones).

    • All Integrations.

    • All AI tools, agents, and lambdas.

  • Restricted Entities:

    • API Applications (custom API accesses).

    • Standard Users.

    • File URLs must also respect these rules.

Exempt Users

  • Functionality: Allows specific users to bypass location or IP address restrictions.

  • Component: Uses the standard user search component (same as Email Editor).

  • Deleted Users: Must be highlighted with a suffix in the list.

In-App System Messages

New error screens and messages handle the various denial and logout states mandated by the new security settings.

Access Denied Screen - CRM

This message is displayed when a logged-in user's IP is no longer on the whitelist (e.g., settings changed during session).

Access denied Screen

Auto Logout Screens

Switch Screen Updates

The space selection screen has been updated to visually indicate spaces that are inaccessible due to IP restrictions. Spaces with an active IP whitelist that excludes the current user will display a banner labeled "Access Restricted".

Clicking on a restricted space triggers a message ⤵

Mobile Support

The mobile application fully supports the new advanced settings to maintain feature parity and security compliance.

Mobile Error Codes:

  • Access Restricted: Error Code 421.

  • Signed out (System default): Error Code 401.

  • Signed out (Forced/Policy): Error Code 425.

Enabling Single Sign-On

Subscription Administrators can choose to enable a single sign-on method using OIDC with either Microsoft or Google accounts ⤵

or, for Active Directory users, by enabling a customer SSO SAML IDP. More information about enabling the SAML IDP can be found in this article

Once a "Single Sign On" option has been selected, click on “Save”.

You’ll then be reminded that you’re changing the login method for all users and that everyone will need to re-login. Click on “Continue” to apply ⤵

When each user logs in again, they will be informed that additional authentication is required and will then be prompted to make the new authorization their default. This sets their primary IDP to the selected authentication method ⤵

From then on, they’ll be able to log in only by clicking on the "Sign in with Microsoft" or "Sign in with Google" options or their AD credentials (depending on which option you chose).

IMPORTANT NOTE: in order for the MS O365 login to work with Pipeliner when the O365 login address is different, you'll need to ensure in the O365 AD that the “User Principal Name” is set to the same email address as in the corresponding Pipeliner User profile and that the domain is verified by MS.
