Single Sign-On (SSO)

Client Portal / Single Sign-On (SSO) Accessing SSO Settings in the Client Portal

To access SSO Settings in the Client Portal:

  1. On the left-hand side, click the username and select Single Sign On Settings
  2. Client’s can view the following sections in their SSO Settings:
    • Basic Information: contains the email address, display name, first and last name, time zone, and locale.
    • Security: users can enter a new password and enable Multi-Factor Authentication (MFA).

Single Sign-On (SSO) Email Alias Workaround

If an email address is being utilized by another client, employee, or test account:

  1. Use an alias email for each account, such as parentemail+clientsfirstname@email.com.
  2. You will receive a notification that an email verification link has been sent to the alias email address.
  3. Open the email and click Confirm.

Single Sign-On (SSO) Enabling and Disabling Multi-Factor Authentication (MFA) by Organization

Single Sign On (SSO) provides the option to add Multi-Factor Authentication (MFA) to CentralReach accounts. MFA adds an extra layer of security by requiring an authenticator application or access to an email address prior to signing in.

Organizations can enable MFA for the entire organization or per user. If an organization does not require MFA, users can enable it individually.

Organizations can enable MFA:

  1. In CentralReach, navigate to the organization’s name in the upper right-hand corner and select Single Sign On Settings
  2. Click the Security Settings subsection under the “Organization Profile” section
  3. Select the Require Multi-Factor Authentication toggle to turn it blue
  4. Click SAVE. All users in the organization will have MFA enabled.

Organizations can opt certain users out of MFA:

  1. In CentralReach, navigate to the organization’s name in the upper right-hand corner and select Single Sign On Settings
  2. Under “Organization Settings,” select the Manage Users section
  3. Search for a user in the “Find users…” search bar
  4. After selecting a user, their “User Security” section will display. Select OPT OUT OF MULTI-FACTOR AUTHENTICATION. That user will not have MFA enabled in their CentralReach account.

Organizations can disable MFA:

  1. In CentralReach, navigate to the organization’s name in the upper right-hand corner and select Single Sign On Settings
  2. Click the Security Settings subsection under the “Organization Profile” section
  3. Select the Require Multi-Factor Authentication toggle to turn it grey
  4. Click SAVE. All users in the organization will have MFA disabled.

Other / Single Sign-On (SSO) Known Issues and Alternative Workflows

The following are common issues and solutions.

Users are not receiving SSO verification emails and cannot validate their accounts to log in

If users are experiencing this issue:

  1. Look for the email in spam folders, junk folders, and other folders you may have within your inbox email server.
  2. If using Outlook, try using both the app and browser version of Outlook to find the email from CentralReach SSO. 
  3. The email may be blocked on your end, for which the organization needs to reach out to their IT team to allowlist “no-reply@centralreach.com”.
  4. If this does not work, please try with a different email address in the meantime AND submit a case in CR Community to CentralReach support so we can investigate and correct the issue. 

User seeing “Email in use by another user” 

  • The organization account needs to check the emails being utilized by their users via the Contacts module. Ensure the email is not used by another employee, client, or test account. If it is used by another account, use the email alias workaround.

User is linked to an inactive CR Account

  1. If the inactive contact account the user is linked to is within the same organization they currently work for, the user must contact their organization Admin.
  2. The organization Admin needs to search for the user and identify the inactive contact in the Contacts module.
    • Search for and select the inactive profile in the Contacts module 
    • Navigate to their Profile > select Basics > select Make Generic > then Make Active.
      • Please note, if the profile is already a Generic, there is no need to make an Employee, just continue to ‘’Make Active’.
    • In “Linked to email” > Remove Access from the profile.
    • In their Profile > select Basics, select Make Inactive > then Make Employee and choose Convert without a form.
      • Please note, if the profile is already a Generic, there is no need to make an Employee, just continue to “Make Inactive.”
    • The active profile will then proceed with the SSO verification.
  3. If the user is linked to an organization they no longer work for, the user will need to contact CentralReach support for assistance in order to get their accounts linked to the correct organization.

End-clients with multiple learners workflow

If your end clients have more than 1 learner receiving services, here are two workflows they could follow to access their Client Portal accounts. 

  • Option 1: Families with more than one client receiving services can use/create different email addresses for each client. The primary email address being verified and stored in the client profile would be unique. 
    • Ex: firstname.lastname@gmail.com  For Child 1 profile
    • Ex: firstname.lastname@hotmail.com  For Child 2 profile
  • Option 2: Families who have more than one client receiving services can create an email alias for each client. The primary email address being verified and then stored in the client profile should be the alias. The alias can be anything: 
    • Ex: firstname.lastname+child1@gmail.com
    • Ex: firstname.lastname+child2@gmail.com 
      • Please note, some Email Service Providers do not allow aliases.
  • Overall, think of the multiple email addresses in the same way we had different, unique usernames for each client. 

Unable to reset password: I am not getting the email

  1. Look for the email in spam folders, junk folders, and other folders the user may have within their inbox email server.
  2. If using Outlook, try using both the app and browser version of Outlook to find the email from CentralReach SSO.
  3. The email may be blocked on your end, for which the organization needs to reach out to their IT team to whitelist “no-reply@centralreach.com”.
  4. If this does not work, please try with a different email address in the meantime AND submit a case in CR Community to CentralReach support so we can investigate and correct the issue. 
  5. Please have the customer submit a support case in CR Community.

Users with multiple instances cannot log into all of their instances, EVEN IF NAME/EMAIL IS THE SAME

  1. Reverify that the name and email on all accounts is the same and follow this process.
  2. Remove access and convert the user under each of the accounts that need to be linked:
    • Navigate to the Basics section of their Profile and select Remove Access.
    • Click Convert to User
    • The user should now receive the email to complete the validation process and log in using the same email address.
  3. If this does not work, please submit a case in CR Community to CentralReach support so we can investigate and correct the issue.

User seeing “invalid email format” error

  • Check to ensure that there are NO EXTRA SPACES before or after the email in the user’s Profile in CentralReach.

Single Sign-On (SSO) Linking Accounts with SSO

All user types (Clients, Employees, and Generics) utilizing the same email address to access different accounts in CentralReach should follow the process below.

  1. After one user logs into their CentralReach account and validates the email address, the user will not receive the verification email when using the same email to validate themself on their remaining CentralReach accounts, in order to link them. 
  2. The user needs to contact the organization’s admin to link their remaining CentralReach accounts.
  3. The admin needs to log into the CentralReach organization account and navigate to the Contacts module. Select the user(s) that have not received the email to validate their account.
  4. Navigate to the Basics section of their Profile and select Remove Access.
  5. Click Convert to User. The user should now receive the email to complete the validation process and log in using the same email address. 

If the user is the owner of two or more organization accounts that need to be linked using the same email address, please contact CentralReach support to assist in linking the accounts.

Single Sign-On (SSO) Logging into CR with SSO for New Users

New CentralReach users, including clients and generic contacts, need to have a primary email in the Basics section of their Profile before being converted to a user. After they are converted to a user, they need confirm their account and set up a password.

When logging into CentralReach with SSO for the first time:

  1. Navigate to login.centralreach.com
  2. Click First Time User?
  3. Select CentralReach
  4. Enter your email address in the “Email Address” field and select the reCAPTCHA checkbox, then click Send Link.
    • If the user exists within CentralReach, they will receive a “Set up your CentralReach Account” email.
  5. Select Confirm Access & Set Up Password to navigate to the “Set Password” screen. 
  6. When the password meets CentralReach’s requirements and is accepted, the page reloads and displays a hyperlinked “click here to continue” message that redirects users to the login screen. 
  7. Upon returning to the login screen, log in with your email address and password. Users will be directed to their CentralReach account.

Client Portal / Single Sign-On (SSO) Logging into the Client Portal for the First Time

New CentralReach users, including clients and generic contacts, need to have a primary email in the Basics section of their Profile before being converted to a user. After they are converted to a user, they need to verify their email before setting up their CentralReach account.

When logging into the CentralReach Client Portal with SSO for the first time:

  1. Navigate to login.centralreach.com
  2. Click First Time User?
  3. Select CentralReach
  4. Enter your email address in the “Email Address” field and select the reCAPTCHA checkbox, then select Send Link.
    • If the user exists within CentralReach, they will receive a “Set up your CentralReach Account” email. An email is not sent if the user does not exist within CentralReach. 
  5. Select Confirm Access & Set Up Password in the email to navigate to the “Set Password” screen. 
  6. When the password meets CentralReach’s requirements and is accepted, the page reloads and displays a hyperlinked “click here to continue” message that redirects users to the login screen.
  7. Upon returning to the login screen, log in with your email address and password. Users will be directed to the CentralReach Client Portal.

Client Portal / Single Sign-On (SSO) Logging into the Client Portal with SSO

To log into the Client Portal:

  1. Navigate to login.centralreach.com
  2. Enter your username and password, and click LOG IN
  3. If your email address needs to be validated:
    • In the “Email Validation Required” screen, review the email address and click SEND CONFIRMATION EMAIL.
    • Set up a password.
    • Return to the login screen and log in with your email address and password.

Single Sign-On (SSO) Managing SSO Users

Organizations can manage SSO users that have validated their email address in the “Manage Users” subsection of the Organization Profile settings.

To manage SSO users:

  1. In CentralReach, navigate to the organization’s name in the upper right-hand corner and select Single Sign On Settings
  2. Click the Manage Users subsection under “Organization Profile”
  3. Enter and select a user in the “Find users…” search bar
  4. After selecting a user, Basic Information and Multi-Factor Authentication sections will display.
    • The organization can only enable/disable MFA for the user in the “Multi-Factor Authentication” section.

Single Sign-On (SSO) Setting up Multi-Factor Authentication (MFA) Individually

If an organization does not enable Multi-Factor Authentication (MFA), users can utilize this feature individually. 

To set up MFA:

  1. In CentralReach, navigate to the name in the upper right-hand corner and select Single Sign On Settings
  2. Click Security under the “User Profile” section
  3. Click SET UP AUTHENTICATION and select either Authenticator or Email. This will determine how a code will be sent, either through an authenticator application or via email.

4. Click SELECT PROVIDER

5. If “Authenticator” is selected:

    • Follow the instructions in the “Verify Multi-Factor Device” pop-up.
    • Input the unique code in the “Code” field and click VERIFY DEVICE.

6. If “Email” is selected, click SELECT PROVIDER.

    • The next time you sign into your account you will receive a code via email to enter in the “Code” field.

MFA will now be enabled the next time users sign into their account.

Contacts / Editing / Profile / Single Sign-On (SSO) Updating an Email Address

To update an email address from My Profile:

  1. In CentralReach, navigate to My Profile and select Basics
  2. Under the “Primary Email” field, click Change email address
  3. In the “Change Email” screen, enter an email address and click SEND VALIDATION EMAIL
    • When entering a new email address, if it is already registered to an account, users will receive a warning message.
    • To send the verification email again, click Resend verification email
  4. In the email, click Confirm
  5. Return to the login screen and log in with your new email address and password.