Single Sign-On (SSO)

Accessing SSO Settings in the Client Portal

To access SSO Settings in the Client Portal:

  1. On the left-hand side, click the username and select Single Sign On Settings
  2. Clients can view the following sections in their SSO Settings:
    • Basic Information: contains the email address, display name, first and last name, time zone, and locale.
    • Security: users can enter a new password and enable Multi-Factor Authentication (MFA).

Email Alias Workaround

If an email address is being utilized by another client, employee, or test account:

  1. Use an alias email for each account, such as parentemail+clientsfirstname@email.com.
  2. You will receive a notification that an email verification link has been sent to the alias email address.
  3. Open the email and click Confirm.

Enabling and Disabling Multi-Factor Authentication (MFA) by Organization

Single Sign On (SSO) provides the option to add Multi-Factor Authentication (MFA) to CentralReach accounts. MFA adds an extra layer of security by requiring an authenticator application or access to an email address prior to signing in.

Organizations can enable MFA for the entire organization or per user. If an organization does not require MFA, users can enable it individually.

Organizations can enable MFA:

  1. In CentralReach, navigate to the organization’s username in the upper right-hand corner and select Single Sign On Settings
  2. Click the Security Settings subsection under the “Organization Profile” section
  3. Select the Require Multi-Factor Authentication toggle to turn it blue
  4. Click SAVE. All users in the organization will have MFA enabled.

Organizations can opt certain users out of MFA:

  1. In CentralReach, navigate to the organization’s username in the upper right-hand corner and select Single Sign On Settings
  2. Under “Organization Settings,” select the Manage Users section
  3. Search for a user in the “Find users…” search bar
  4. After selecting a user, their “User Security” section will display. Select OPT OUT OF MULTI-FACTOR AUTHENTICATION. That user will not have MFA enabled in their CentralReach account.

Organizations can disable MFA:

  1. In CentralReach, navigate to the organization’s username in the upper right-hand corner and select Single Sign On Settings
  2. Click the Security Settings subsection under the “Organization Profile” section
  3. Select the Require Multi-Factor Authentication toggle to turn it grey
  4. Click SAVE. All users in the organization will have MFA disabled.

Known Issues and Alternative Workflows

Release 7.7.1

User is seeing a “No application found” error message. 

If this error message is displayed:

  • For employee accounts:
    • Users need to sign in with their previous username and password. If users forgot their previous password, they should complete the “Forgot Password/First Time User?” workflow.
  • If this is an organization account, please submit a case in CR Community to CentralReach support, so we can investigate and correct the issue.
  • If you are still experiencing this issue, have an admin remove access and grant access again. Then, try to log in.

User is seeing error message “Exp is in the past,” “iat is in the future,” or “Device clock is out of sync with the network. Please log out, correct your time and log back in”
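
These messages point to token timestamp checks failing against the device clock. As an added illustration (not CentralReach code), the sketch below assumes the sign-in token is a JWT whose exp and iat claims are Unix timestamps; the 60-second leeway, the 15-minute token lifetime, the sample token, and all function names are assumptions.

```python
import base64
import json

LEEWAY_SECONDS = 60  # assumed tolerance for small clock drift


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(issued_at: int, lifetime: int) -> str:
    """Build a constructed, JWT-shaped token with a placeholder signature (demo only)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    claims = {"iat": issued_at, "exp": issued_at + lifetime}
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature-placeholder"


def decode_claims(token: str) -> dict:
    """Read the payload segment for diagnostics; this does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_times(claims: dict, device_now: int, leeway: int = LEEWAY_SECONDS) -> str:
    """Compare iat/exp with the device clock and name the check that fails."""
    if claims["iat"] - leeway > device_now:
        # Device clock is behind the issuer: the token looks like it comes from the future.
        return "iat is in the future"
    if claims["exp"] + leeway <= device_now:
        # Device clock is ahead of the issuer (or the token really is old).
        return "Exp is in the past"
    return "ok"


def diagnose(token: str, device_now: int) -> str:
    return check_token_times(decode_claims(token), device_now)


SERVER_TIME = 1_700_000_000  # constructed issuer time
SAMPLE_TOKEN = make_sample_token(SERVER_TIME, lifetime=15 * 60)

if __name__ == "__main__":
    for label, skew in [("in sync", 0), ("30 s slow", -30),
                        ("10 min slow", -600), ("20 min fast", 1200)]:
        print(f"device {label:>12}: {diagnose(SAMPLE_TOKEN, SERVER_TIME + skew)}")
```

A device clock that runs slow produces the iat failure and one that runs fast produces the exp failure, which is why correcting the device time and signing in again clears both.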

The following are common issues and solutions.

Users are not receiving SSO verification emails and cannot validate their accounts to log in

If users are experiencing this issue:

  1. Look for the email in spam folders, junk folders, and any other folders in your mailbox.
  2. If using Outlook, try using both the app and browser version of Outlook to find the email from CentralReach SSO.
  3. The email may be blocked on your end. In that case, the organization needs to reach out to their IT team to whitelist “no-reply@centralreach.com”.
  4. If this does not work, please try with a different email address in the meantime AND submit a case in CR Community to CentralReach support so we can investigate and correct the issue.
  5. Try submitting the old username for a password reset. In some situations, the old username is still the SSO username and must be used to log in.

User seeing “Email in use by another user” 

  • The organization account needs to check the emails being utilized by their users via the Contacts module. Ensure the email is not used by another employee, client, or test account. If it is used by another account, use the email alias workaround.

User is linked to an inactive CR Account

  1. If the inactive contact account the user is linked to is within the same organization they currently work for, the user must contact their organization Admin.
  2. The organization Admin needs to search for the user and identify the inactive contact in the Contacts module.
    • Search for and select the inactive profile in the Contacts module 
    • Navigate to their Profile > select Basics > select Make Generic > then Make Active.
      • Please note, if the profile is already a Generic, there is no need to make an Employee, just continue to “Make Active.”
    • In “Linked to email” > Remove Access from the profile.
    • In their Profile > select Basics, select Make Inactive > then Make Employee and choose Convert without a form.
      • Please note, if the profile is already a Generic, there is no need to make an Employee, just continue to “Make Inactive.”
    • The active profile will then proceed with the SSO verification.
  3. If the user is linked to an organization they no longer work for, the user will need to contact CentralReach support for assistance in order to get their accounts linked to the correct organization.

End-clients with multiple learners workflow

If your end clients have more than 1 learner receiving services, here are two workflows they could follow to access their Client Portal accounts. 

  • Option 1: Families with more than one client receiving services can use/create different email addresses for each client. The primary email address being verified and stored in the client profile would be unique. 
    • Ex: firstname.lastname@gmail.com for Child 1 profile
    • Ex: firstname.lastname@hotmail.com for Child 2 profile
  • Option 2: Families who have more than one client receiving services can create an email alias for each client. The primary email address being verified and then stored in the client profile should be the alias. The alias can be anything: 
    • Ex: firstname.lastname+child1@gmail.com
    • Ex: firstname.lastname+child2@gmail.com 
      • Please note, some Email Service Providers do not allow aliases.
  • Overall, think of the multiple email addresses in the same way we had different, unique usernames for each client. 

Unable to reset password: I am not getting the email

  1. Look for the email in spam folders, junk folders, and any other folders in the user’s mailbox.
  2. If using Outlook, try using both the app and browser version of Outlook to find the email from CentralReach SSO.
  3. The email may be blocked on your end. In that case, the organization needs to reach out to their IT team to whitelist “no-reply@centralreach.com”.
  4. If this does not work, please try with a different email address in the meantime AND submit a case in CR Community to CentralReach support so we can investigate and correct the issue. 
  5. Please have the customer submit a support case in CR Community.

Users with multiple instances cannot log into all of their instances, EVEN IF NAME/DOB IS THE SAME

  1. Reverify that the name and date of birth on all accounts are the same and follow this process.
  2. Remove access and convert the user under each of the accounts that need to be linked:
    • Navigate to the Basics section of their Profile and select Remove Access.
    • Click Convert to User
    • The user should now receive the email to complete the validation process and log in using the same email address.
  3. If this does not work, please submit a case in CR Community to CentralReach support so we can investigate and correct the issue.

User being logged out

  • For security reasons, CentralReach removed the 180- and 240-minute timeouts and now allows a maximum timeout of 120 minutes. Any account that had 180 or 240 minutes as its logout time before SSO has been defaulted to 15 minutes. The organization can update its logout timer to another value as it sees fit.
  • If the issue persists, create a support case in CR Community.

Users are seeing ‘unauthorized’ message when logging in

  • Open a Community Case with the User ID, Org ID, and SSO email for the Support team, and CentralReach will keep track of all tickets pertaining to the issue.

User seeing “invalid email format” error

  • Check to ensure that there are NO EXTRA SPACES before or after the email in the user’s Profile in CentralReach.

User is unable to “Convert to User” on the Basics Profile, as the option is grayed out

  • DOB is likely missing on the user’s profile. Please input the Date of Birth.

If an organization has the same email for the ORG and for a Client

  1. Have someone else with admin permission for the client do the following:
    • Client > Basics > “Remove Access”
    • Then, change the client’s Primary Email.
  2. Log out and click Forgot Password. Enter the old organization username and follow the reset password workflow.
  3. If this does not work, please create a support ticket.

Linking Accounts with SSO

All user types (Clients, Employees, and Generics) utilizing the same email address to access different accounts in CentralReach should follow the process below. Please note, clients cannot link their CentralReach account with another client user account in the same organization.

  1. After a user logs into one CentralReach account and validates the email address, they will not receive the verification email when using the same email address to validate their remaining CentralReach accounts in order to link them.
  2. The user needs to contact the organization’s admin to link their remaining CentralReach accounts.
  3. The admin needs to log into the CentralReach organization account and navigate to the Contacts module. Select the user(s) that have not received the email to validate their account.
  4. Navigate to the Basics section of their Profile and select Remove Access.
  5. Click Convert to User. The user should now receive the email to complete the validation process and log in using the same email address. 
    • Please note, the user must have the same DOB in their Profile in order for the accounts to be linked.

If the user is the owner of two or more organization accounts that need to be linked using the same email address, please contact CentralReach support to assist in linking the accounts.

Logging into CentralReach with SSO

To log in using Single Sign On (SSO):

  1. Navigate to login.centralreach.com
  2. Enter your username and password, and click LOG IN
  3. Your email address will need to be validated:
    • In the “Email Validation Required” screen, review the email address and click SEND CONFIRMATION EMAIL.
    • A validation email will be sent. Confirm the email address, which will then become your username.
    • Return to the login screen and log in with your new username and password.
  4. If Multi-Factor Authentication (MFA) is disabled, users will be directed to their CentralReach account. 
  5. If MFA is enabled:
    • Select either Authenticator App or Send email in the “Multi-Factor Authentication” screen.
      • If “Authenticator App” was selected, scan the QR code on a mobile device and enter the 6 digit verification code.
        • Click Verify Device
      • If “Send email” was selected, click Select Provider
  6. Users will be directed to their CentralReach account.

Logging into CR Mobile Before Validating an Email Address

For all users that did not validate their email address in CentralReach prior to signing into CR Mobile, the login process is:

  1. When connected to the Internet, open CR Mobile and click LOGIN
  2. Enter your username and password
  3. An email will be sent for the user to validate. Click Confirm in the email. 
  4. Return to CR Mobile and enter your email address and password
  5. Click Login
  6. If MFA is enabled:
    • Using an authenticator application, open the application to receive a code.
    • Using email, a code will be sent.
  7. Set up a 6 digit PIN code
  8. Users will be prompted to enter a 6 digit PIN code. Enter a PIN code and click Continue
    • If users forget their PIN code, click here.
  9. Enable Touch ID or Face ID (optional and depends on the device’s capabilities)
  10. After logging in, the default screen is the appointment screen, which shows all of the provider’s scheduled appointments.

Users will not have to validate their email address and password for one month, unless logging out of the application.

  • Biometrics and the PIN code will work in place of MFA authentication. After 30 days, users will need to be online to re-authenticate their username and password.

Logging into CR with SSO for New Users

New CentralReach users, including clients and generic contacts, need to have a primary email and date of birth in the Basics section of their Profile before being converted to a user. After they are converted to a user, they need to sign in to set a password.

When logging into CentralReach with SSO for the first time:

  1. Navigate to login.centralreach.com
  2. Click Forgot Password/First Time User?
  3. Enter your email address in the “Email Address or Username” field and select the reCAPTCHA checkbox.
  4. Click RESET PASSWORD. A “Password reset link sent” message will display to notify users that an email was sent.
  5. In the email, click Reset Password and enter a password in the “New Password” fields. 
  6. Click RESET PASSWORD
  7. In the “Password Reset” screen, select click here to continue to be directed to the login screen. 
  8. Enter your login credentials and click Login
  9. In the “Email Validation Required” screen, review the email address and click SEND CONFIRMATION EMAIL.
  10. A validation email will be sent. Confirm the email address.
  11. Return to the login screen and log in with your new username and password. Users will be directed to their CentralReach account.

Logging into the Client Portal for the First Time

New CentralReach users, including clients and generic contacts, need to have a primary email and date of birth in the Basics section of their Profile before being converted to a user. After they are converted to a user, they need to sign in to set a password.

When logging into the CentralReach Client Portal with SSO for the first time:

  1. Navigate to login.centralreach.com
  2. Click Forgot Password/First Time User?
  3. Enter your email address in the “Email Address or Username” field and select the reCAPTCHA checkbox.
  4. Click RESET PASSWORD. A “Password reset link sent” message will display to notify users that an email was sent.
  5. In the email, click Reset Password and enter a password in the “New Password” fields. 
  6. Click RESET PASSWORD
  7. In the “Password Reset” screen, select click here to continue to be directed to the login screen.
  8. In the “Email Validation Required” screen, review the email address and click SEND CONFIRMATION EMAIL.
  9. A validation email will be sent. Confirm the email address.
  10. Return to the login screen and log in with your username and password. Users will be directed to the CentralReach Client Portal.

Logging into the Client Portal with SSO

To log into the Client Portal:

  1. Navigate to login.centralreach.com
  2. Enter your username and password, and click LOG IN
  3. If your email address needs to be validated:
    • In the “Email Validation Required” screen, review the email address and click SEND CONFIRMATION EMAIL.
    • A validation email will be sent. Confirm the email address, which will then become your username.
    • Return to the login screen and log in with your username and password.
  4. If Multi-Factor Authentication (MFA) is disabled, users will be directed to the CentralReach Client Portal.
  5. If MFA is enabled:
    • Select either Authenticator App or Send email in the “Two Factor Authentication” screen.
      • If “Authenticator App” was selected, scan the QR code on a mobile device and enter the 6 digit verification code.
        • Click Verify Device
      • If “Send email” was selected, click Select Provider
  6. Users will be directed to the CentralReach Client Portal.

Managing SSO Users

Organizations can manage SSO users that have validated their email address in the “Manage Users” subsection of the Organization Profile settings.

To manage SSO users:

  1. In CentralReach, navigate to the organization’s username in the upper right-hand corner and select Single Sign On Settings
  2. Click the Manage Users subsection under “Organization Profile”
  3. Enter and select a user in the “Find users…” search bar
  4. After selecting a user, Basic Information and Multi-Factor Authentication sections will display.
    • The organization can only enable/disable MFA for the user in the “Multi-Factor Authentication” section.

Setting up Multi-Factor Authentication (MFA) Individually

If an organization does not enable Multi-Factor Authentication (MFA), users can utilize this feature individually. 

To set up MFA:

  1. In CentralReach, navigate to the username in the upper right-hand corner and select Single Sign On Settings
  2. Click Security under the “User Profile” section
  3. Click SET UP AUTHENTICATION and select either Authenticator or Email. This will determine how a code will be sent, either through an authenticator application or via email.
  4. Click SELECT PROVIDER
  5. If “Authenticator” is selected:
    • Follow the instructions in the “Verify Multi-Factor Device” pop-up.
    • Input the unique code in the “Code” field and click VERIFY DEVICE.
  6. If “Email” is selected, click SELECT PROVIDER.
    • The next time you sign into your account you will receive a code via email to enter in the “Code” field.

MFA will now be enabled the next time users sign into their account.

Updating an Email Address

Users can update their email address for their SSO account.

To update an email address from My Profile:

  1. In CentralReach, navigate to My Profile and select Basics
  2. Under the “Primary Email” field, click Change email address
  3. In the “Change Email” screen, enter an email address and click SEND VALIDATION EMAIL
    • When entering a new email address, if it is already registered to an account, users will receive a warning message.
  4. In the email, click Confirm
  5. Return to the login screen and log in with your new email address/username and password.

To update an email address from SSO settings:

  1. In CentralReach, navigate to your username and select Single Sign On Settings
  2. In the “Basic Information” section, click CHANGE EMAIL
  3. Enter a new email address and click SEND VALIDATION EMAIL
    • When entering a new email address, if it is already registered to an account, users will receive a warning message.
  4. An email will be sent with a link to validate the email address.
    • Users can click CANCEL PENDING CHANGE to cancel the email address change.
  5. In the email, click Confirm
  6. Return to the login screen and log in with your new email address/username and password.