Single Sign-On (SSO)

CR Mobile and SSO FAQ

1. What will the new CR Mobile and SSO workflow experience be?

Users can complete their first-time authentication (validating their email) on the browser or in the CR Mobile application. However, since users will be directed to the same SSO website from either experience, CR Mobile users must have an online connection every time they re-authenticate their email address and password.

For first-time authentication, it is recommended that users validate their email address in CentralReach (browser) before signing into CR Mobile.

2. What is “Biometrics”?

Biometrics is the option to use Face ID or Touch ID when signing into CR Mobile. This feature depends on the mobile device’s capabilities. Therefore, if a mobile device does not support Face ID or Touch ID, users will not have the ability to enable this feature.

3. Will I need to do MFA and biometrics every time I use the app?

Yes, biometrics (Face ID/Touch ID) will need to be completed every time users access the application. Biometrics will “replace” the security code needed to access the application. If biometrics is not set up, users will enter their PIN code when accessing the application.

Biometrics is used in place of the Multi-Factor Authentication (MFA) verification code. If MFA is enabled, CR Mobile users need either an authenticator application or access to an email address when logging in, along with their password and security code. Please note, users must be connected to the Internet when re-authenticating their username and password.

Multi-Factor Authentication (MFA)

Single Sign On (SSO) provides the option to add Multi-Factor Authentication (MFA) to CentralReach accounts. MFA adds an extra layer of security by requiring an authenticator application or access to an email address. 

A CentralReach account protected only by a password is susceptible to security threats, because the password is the single piece of information needed to gain access to the account. Upon logging in, users will validate their email address and input a code sent via an authenticator app or email.

MFA can be enabled and disabled in the organization account. If an organization does not enable MFA, users can set up MFA individually.

Preparing for Single Sign On (SSO)

Before Single Sign On (SSO) is enabled, organizations should:

  1. Check that each user has a unique email address in the “Primary Email” field in their profile.
  2. Ensure each user has access to that unique email address to validate when logging in and for resetting their CR account password.

SSO Connection Statuses

The following explains the SSO connection statuses and how users can facilitate access into CentralReach.

  • Pending Migration: User is not in SSO, but can migrate in order to log into CentralReach.
    • This displays when:
      • Users had a username before V7.7 and have not logged in since.
      • The user is added via Custom Contact Forms with the “Set up user without email notification” checkbox selected.
  • Unverified: User exists in SSO, but cannot log into CentralReach until they confirm their email address.
    • This happens when: 
      • Admins converted the contact into a user in CentralReach, but the user has not confirmed their email address. 
      • The user is added via Custom Contact Forms with the “Send email with login information” checkbox selected.
      • The user is added via Custom Contact Forms with the “Send email with login information” and “Send custom email” checkboxes selected.
    • To access CR: Users must select Confirm access in the “Verify your linked account” email.
  • Verified: User exists in SSO, has confirmed their email address, and can log into CentralReach.
  • Contact: Does not exist in SSO and cannot log into CentralReach.
    • This occurs when: 
      • Contacts are imported via a default intake form (preconfigured form in CR).
      • Contacts are created via Custom Contact Forms without any of the checkboxes selected.
      • Contacts previously had SSO access, but have been manually removed.
    • To access CR: Admins must “Convert to user” from the Basics section of their Profile, to provide user access. This changes the status to “Unverified.” Follow the Unverified steps above to grant access to CentralReach.

SSO Profile Settings

Users can view and edit their profile settings by navigating to their name in the upper right-hand corner in CentralReach and selecting Single Sign-On Settings. Alternatively, users can navigate to My Profile and select Login & Access.

Please note, users can only:

  • View “Login & Access” for their account.
  • Modify SSO settings for their account.

SSO profile settings contain a “User Profile” section. Organizations also have an “Organization Profile” section. The User Profile section includes the following subsections:

  • Basic Information: contains the option to add a profile image, user’s email address, display name, first and last names, time zone, and locale.
    • Users can modify their SSO display name, but it will not update their name in CentralReach.
    • To add a profile image, hover over the circle next to the username and click the camera icon.
    • In the “Upload image” pop-up, drag or select a file to upload as your SSO profile image. After the image is uploaded, crop it and click SAVE IMAGE.
      • The profile image will not change the users’ image in CentralReach.
  • Security: the current account password, as well as a “Password” field for users to change their passwords. Users can enable Multi-Factor Authentication (MFA) if their organization does not require it.

In the organization’s account, the Organization Profile section includes the following subsections:

  • Company Information: the organization name, time zone, locale, and date format.
    • Organizations can edit time zone, locale, and date format in SSO settings only.
    • The organization name is synced from CentralReach and cannot be edited in SSO.
  • Security Settings: password expiration and session timeout can be adjusted for all users. Organizations can also enable/disable MFA.
    • Password expiration: 15 days, 30 days, 45 days, 60 days, 90 days, 180 days.
    • Session timeout: 15 minutes (CentralReach default), 30 minutes, 45 minutes, 60 minutes, 120 minutes.
  • Manage Users: the organization can search for users that have validated their email address and view their profile settings. Organizations can also enable MFA for users.