Single Sign-On (SSO)

CR Mobile and SSO FAQ

1. What will the new CR Mobile and SSO workflow experience be?

Users can complete their first-time authentication (validating their email) in the browser or in the CR Mobile application. However, since users will be directed to the same SSO website from either experience, CR Mobile users must have an online connection every time they re-authenticate their username and password.

For first-time authentication, it is recommended that users validate their email address in CentralReach (browser) prior to signing into CR Mobile.

2. What is “Biometrics”?

Biometrics is the option to use Face ID or Touch ID when signing into CR Mobile. This feature depends on the mobile device’s capabilities. Therefore, if a mobile device does not support Face ID or Touch ID, users will not have the ability to enable this feature.

3. Will I need to do MFA and biometrics every time I use the app?

Yes, biometrics (Face ID/Touch ID) will need to be completed every time users access the application. Biometrics will “replace” the security code needed to access the application. If biometrics is not set up, users will enter their PIN code when accessing the application.

Biometrics is used in place of the Multi-Factor Authentication (MFA) verification code. If MFA is enabled, CR Mobile users need either an authenticator application or access to an email address when logging in, along with their username, password, and security code. Please note, users must be connected to the Internet when re-authenticating their username and password.

Multi-Factor Authentication (MFA)

Single Sign On (SSO) provides the option to add Multi-Factor Authentication (MFA) to CentralReach accounts. MFA adds an extra layer of security by requiring an authenticator application or access to an email address.

A CentralReach account protected only by a password is susceptible to security threats because the password is the single piece of information needed to gain access to the account. Upon logging in, users will validate their email address and input a code sent via an authenticator app or email.

Enabling and disabling MFA can be done in the organization account. Click here to learn how. If an organization does not enable MFA, users can utilize this feature individually. Click here to learn how to set up MFA individually.

Preparing for Single Sign On (SSO)

Before Single Sign On (SSO) is enabled, organizations should:

  1. Check that each user has a unique email address in the “Primary Email” field in their profile.
  2. Ensure each user has access to that unique email address to validate when logging in and for resetting their CR account password.

SSO FAQ

1. How should I prepare for SSO?

Click here for a help article to learn more.

2. Will CR Go be affected by SSO?

SSO will not affect CR Go. Users will sign into the application as they currently do. However, when signing into CR Go after validating their email address in CentralReach, users will need to use their “new” username to access CR Go.

3. What products are included in CentralReach SSO?

The first stage of SSO (the 7.7 release) is only for the CentralReach enterprise platform, including CR Mobile and the Client Portal.

4. Can organizations opt-out of SSO?

No, all CentralReach organizations and users will use the SSO login experience.

5. Are Network Providers affected by SSO?

When Network Providers are created, they will need to go through the “Forgot Password / First Time User” workflow on the login page to set a password in SSO and access their accounts. However, Network Providers are not affected by SSO after going through the first-time user process.

SSO Profile Settings

Users can view and edit their profile settings by navigating to their username in the upper right-hand corner in CentralReach and selecting Single Sign On Settings. Or, users can navigate to My Profile and select Login & Access.

Please note, users can only:

  • View “Login & Access” for their account.
  • Modify SSO settings for their account.

SSO profile settings contain a “User Profile” section. Organizations also have an “Organization Profile” section. The User Profile section includes the following subsections:

  • Basic Information: contains the option to add a profile image, user’s email address, display name, first and last names, time zone, and locale.
    • Users can modify their SSO display name, but it will not update their name in CentralReach.
    • Please note, only users with the (Contacts > Manage Own Basic Info) permission can modify their first and last names in the Basics section of their CentralReach Profile.
      • Users with the (Contacts > Manage Employees) permission can modify other users’ first and last names in the Basics section of their CentralReach Profile.
      • Users with Client-Admin permissions can modify clients’ first and last names in the Basics section of their CentralReach Profile.
    • To add a profile image, hover over the circle next to the username and click the camera icon.
    • In the “Upload image” pop-up, drag or select a file to upload as your SSO profile image. After the image is uploaded, crop it and click SAVE IMAGE.
      • The profile image will not change the user’s image in CentralReach.
  • Security: the current account password, as well as a “Password” field for users to change their passwords. Users can enable Multi-Factor Authentication (MFA) if their organization does not require it.

In the organization’s account, the Organization Profile section includes the following subsections:

  • Company Information: the organization name, time zone, locale, and date format.
    • Organizations can edit time zone, locale, and date format in SSO settings only.
    • The organization name is synced from CentralReach and cannot be edited in SSO.
  • Security Settings: password expiration and session timeout can be adjusted for all users. Organizations can also enable/disable MFA.
    • Password expiration: 15 days, 30 days, 45 days, 60 days, 90 days, 180 days.
    • Session timeout: CentralReach default 15 minutes, 30 minutes, 45 minutes, 60 minutes, 120 minutes.
  • Manage Users: the organization can search for users that have validated their email address and view their profile settings. Organizations can also enable MFA for users.