Single Sign-On (SSO)

CR Mobile and SSO FAQ

1. What will the new CR Mobile and SSO workflow experience be?

Users can complete their first-time authentication (validating their email) on the browser or in the CR Mobile application. However, since users will be directed to the same SSO website from either experience, CR Mobile users must have an online connection every time they re-authenticate their username and password.

For first-time authentication, users are advised to validate their email address in CentralReach (browser) before signing into CR Mobile.

2. What is “Biometrics”?

Biometrics is the option to use Face ID or Touch ID when signing into CR Mobile. This feature depends on the mobile device’s capabilities. Therefore, if a mobile device does not support Face ID or Touch ID, users will not have the ability to enable this feature.

3. Will I need to do MFA and biometrics every time I use the app?

Yes, biometrics (Face ID/Touch ID) will need to be completed every time users access the application. Biometrics will “replace” the security code needed to access the application. If biometrics is not set up, users will enter their PIN code when accessing the application.

Biometrics is used in place of the Multi-Factor Authentication (MFA) verification code. If MFA is enabled, CR Mobile users need either an authenticator application or access to an email address when logging in, along with their username, password, and security code. Please note, users must be connected to the Internet when re-authenticating their username and password.

Multi-Factor Authentication (MFA)

Single Sign-On (SSO) provides the option to add Multi-Factor Authentication (MFA) to CentralReach accounts. MFA adds an extra layer of security by requiring an authenticator application or access to an email address.

Protecting a CentralReach account with only a password leaves it susceptible to security threats, because the password is the single piece of information needed to gain access to the account. Upon logging in, users will validate their email address and input a code sent via an authenticator app or email.

Enabling and disabling MFA can be done in the organization account. If an organization does not enable MFA, users can utilize this feature individually.

Preparing for Single Sign-On (SSO)

Before Single Sign-On (SSO) is enabled, organizations should:

  1. Check that each user has a unique email address in the “Primary Email” field in their profile.
  2. Ensure each user has access to that unique email address to validate when logging in and for resetting their CR account password.
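One way to run the first check before SSO is enabled, as an added example that is not CentralReach code. It assumes a user list is available as CSV with the hypothetical columns `user_id` and `primary_email`, and it treats addresses that differ only in case or surrounding whitespace as the same address, which is a conservative assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; the column names are assumptions,
# not a CentralReach export format.
SAMPLE_CSV = """user_id,primary_email
101,ana.ruiz@example.org
102,Ana.Ruiz@example.org
103,
104,  bo.chen@example.org
105,shared.frontdesk@example.org
106,shared.frontdesk@example.org
107,not-an-email
"""


def normalize(email):
    """Trim whitespace and case-fold so near-identical addresses collide."""
    return (email or "").strip().casefold()


def audit_primary_emails(csv_text):
    """Return (duplicates, missing, malformed) for a user list in CSV form."""
    by_email = defaultdict(list)
    missing, malformed = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["user_id"]
        email = normalize(row.get("primary_email"))
        if not email:
            missing.append(uid)          # no address to validate or reset with
        elif email.count("@") != 1 or email.startswith("@") or email.endswith("@"):
            malformed.append(uid)        # cannot receive a verification email
        else:
            by_email[email].append(uid)
    # Any address held by more than one user breaks the uniqueness requirement.
    duplicates = {e: ids for e, ids in by_email.items() if len(ids) > 1}
    return duplicates, missing, malformed


if __name__ == "__main__":
    dups, missing, malformed = audit_primary_emails(SAMPLE_CSV)
    for email, ids in dups.items():
        print(f"shared address {email}: users {', '.join(ids)}")
    print("missing primary email:", missing)
    print("malformed primary email:", malformed)
```

Every user reported here needs a distinct, reachable address in the “Primary Email” field before they can validate their email or reset their password through SSO.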

SSO Connection Statuses

The following explains the SSO connection statuses and how users can facilitate access into CentralReach.

  • Pending Migration: User exists in CentralReach, but has not verified their login credentials for access.
    • This displays when:
      • Users had a username before V7.7 and have not logged in since.
      • Users were imported into CentralReach via an automated process.
    • To access CR: Navigate to, select Forgot password / First time user, and initiate the migration process using the email on file.
  • Unverified: User has not confirmed their email address.
    • This happens when: 
      • Admins converted the contact into a user in CentralReach, but the user has not confirmed their email address. 
      • The user is imported via Custom Contact Forms with the “Send login information” checkbox selected.
    • To access CR: Users must select Confirm access in the “Verify your linked account” email. Once confirmed, navigate to, click Forgot password / First time user, and initiate the migration process using the email on file.
  • Verified: User confirmed their email address, has SSO access, and can log into CentralReach.
  • Contact: Does not have access to SSO or CentralReach.
    • This occurs when: 
      • Contacts imported via a default intake form (preconfigured form in CR) automatically gain this status. 
      • Contacts created via custom contact forms were created without the “Send login information” checkbox selected.
      • Contacts that previously had SSO access, but have been manually removed also have this status.
    • To access CR: Admins must “Convert to user” from the Basics section of their Profile, after adding a DOB, to provide user access. This changes the status to “Unverified.” Follow the Unverified steps above to grant access to CentralReach.

SSO FAQ

1. How should I prepare for SSO?

Click here for a help article to learn more.

2. Will CR Go be affected by SSO?

SSO will not affect CR Go. Users will sign into the application as they currently do. However, when signing into CR Go after validating your email address in CentralReach, you will need to use your “new” username to access CR Go.

3. What products are included in CentralReach SSO?

The first stage of SSO (the 7.7 release) is only for the CentralReach enterprise platform, including CR Mobile and the Client Portal.

4. Can organizations opt-out of SSO?

No, all CentralReach organizations and users will use the SSO login experience.

SSO Profile Settings

Users can view and edit their profile settings by navigating to their username in the upper right-hand corner in CentralReach and selecting Single Sign-On Settings. Or, users can navigate to My Profile and select Login & Access.

Please note, users can only:

  • View “Login & Access” for their account.
  • Modify SSO settings for their account.

SSO profile settings contain a “User Profile” section. Organizations also have an “Organization Profile” section. The User Profile section includes the following subsections:

  • Basic Information: contains the option to add a profile image, user’s email address, display name, first and last names, time zone, and locale.
    • Users can modify their SSO display name, but it will not update their name in CentralReach.
    • Please note, only users with the (Contacts > Manage Own Basic Info) permission can modify their first and last names in the Basics section of their CentralReach Profile.
      • Users with the (Contacts > Manage Employees) permissions can modify other users’ first and last names in the Basics section of their CentralReach Profile.
      • Users with Client-Admin permissions can modify clients’ first and last names in the Basics section of their CentralReach Profile.
    • To add a profile image, hover over the circle next to the username and click the camera icon.

    • In the “Upload image” pop-up, drag or select a file to upload as your SSO profile image. After the image is uploaded, crop it and click SAVE IMAGE.
      • The profile image will not change the users’ image in CentralReach.
  • Security: the current account password, as well as a “Password” field for users to change their passwords. Users can enable Multi-Factor Authentication (MFA) if their organization does not require it.

In the organization’s account, the Organization Profile section includes the following subsections:

  • Company Information: the organization name, time zone, locale, and date format.
    • Organizations can edit time zone, locale, and date format in SSO settings only.
    • The organization name is synced from CentralReach and cannot be edited in SSO.
  • Security Settings: password expiration and session timeout can be adjusted for all users. Organizations can also enable/disable MFA.
    • Password expiration: 15 days, 30 days, 45 days, 60 days, 90 days, 180 days.
    • Session timeout: CentralReach default 15 minutes, 30 minutes, 45 minutes, 60 minutes, 120 minutes.
  • Manage Users: the organization can search for users that have validated their email address and view their profile settings. Organizations can also enable MFA for users.