Documentation for SolarWinds Service Desk

Login Policy

Overview

As data protection is always a high priority, administrators can configure the following login policies to further increase data protection while balancing the efficiency and safety requirements desired for your users.

To define your organization's login policy, navigate to Setup > Account > Login Policy. Policies include:

  • Multi-factor authentication. Select between mobile phone, email or Google Authenticator (available on all Enterprise Plans).
  • Password policy. Customize your password policies to the desired security settings, such as minimum password length, password complexity requirements, length of time before password must be changed, and maximum number of invalid login attempts.
  • Session timeout definition. Select between interval-based (frequency of logins required) or inactivity-based (re-login required if user has been inactive for a specified period of time).

After an administrator activates the MFA process, your users will be prompted upon their next login to set up their MFA method of authentication:

  • Mobile phone
  • Email
  • Google Authenticator

Single sign-on and MFA

If your organization already uses Single Sign-On (SSO) as its authentication process, you can integrate the SSO feature with SWSD. SSO vendors usually offer built-in MFA support, so SSO will supersede SWSD MFA.

SWSD MFA is a highly secured login option for customers not currently using SSO. It does not require the services of any additional vendors.

MFA is also useful for external users. Even if your internal team authenticates via SSO at login, external users such as outside contractors can safely log in to SWSD via MFA without an SSO account.

For more information about single sign-on, see Single Sign-On.

Multi-Factor Authentication (MFA)

To activate multi-factor authentication for some or all of your users:

  1. Navigate to Setup > Account > Login Policy, and toggle the pill bar to On.
  2. Apply to all users or specific roles. If you select Specific roles, click in the Specify roles field and select the roles from the dropdown menu.

    If you select Specific Roles but fail to specify which roles, multi-factor authentication will not be activated.
  3. Under Method, select the method(s) of authentication. You can select one, two, or all three options listed.

See additional information related to multi-factor authentication in Reset MFA setup for a specific user and MFA user experience.

Password Policy

SWSD offers a number of customization options that allow you to modify your password policies to achieve the desired security settings for both your requesters and service agent users.

Password policy changes will not take effect until the next time users change their passwords. Also note that if you are using an SSO provider, the SSO password policy will supersede the policy options you select. You will need to adjust the settings for your SSO Gateway with your provider to achieve the desired security setting.

Using the two tabs (Requester and Non-Requester), set the following for the selected user role:

  • Minimum password length

  • Password complexity requirements

  • Password expires

  • Maximum invalid login attempts

Session timeout definition

Customization options allow you to modify your session policies so that requesters and service agent users must log in again after a set period of time. Select one of the options below, and then select a timeframe for that option.

  • Interval based

  • Inactivity based
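
The difference between the two timeout options, as an added Python example (not SolarWinds code and not a description of how SWSD implements sessions). The function name, the 8-hour and 30-minute limits, and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta


def session_expiry(login_at, activity, mode, limit):
    """Return the moment the session ends and a new login is required.

    mode "interval":   expires `limit` after login, whatever the user does.
    mode "inactivity": expires `limit` after the last request that arrived
                       while the session was still alive.
    """
    if mode == "interval":
        return login_at + limit
    if mode != "inactivity":
        raise ValueError(f"unknown mode: {mode!r}")
    last_seen = login_at
    for ts in sorted(activity):
        if ts < login_at:
            continue  # event belongs to an earlier session
        if ts - last_seen >= limit:
            break  # session had already expired; this request needs a new login
        last_seen = ts
    return last_seen + limit


# Constructed sample data: one login at 09:00 and two activity patterns.
LOGIN = datetime(2024, 1, 8, 9, 0)
# A request every 20 minutes from 09:20 to 19:00.
STEADY = [LOGIN + timedelta(minutes=20 * i) for i in range(1, 31)]
# Requests at 09:15, 09:40 and 10:00, then nothing until 11:30.
WALKED_AWAY = [LOGIN + timedelta(minutes=m) for m in (15, 40, 60, 150)]

POLICIES = (("interval", timedelta(hours=8)),
            ("inactivity", timedelta(minutes=30)))

if __name__ == "__main__":
    for name, events in (("steady", STEADY), ("walked away", WALKED_AWAY)):
        for mode, limit in POLICIES:
            end = session_expiry(LOGIN, events, mode, limit)
            print(f"{name:12} {mode:10} -> re-login at {end:%H:%M}")
```

With steady activity the inactivity-based session outlasts the 8-hour interval, while the unattended session ends 30 minutes after its last request; the interval-based session ends at 17:00 in both cases.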

Reset MFA setup for a specific user

If at any time a user is unable to complete the login authentication process due to a change in phone number or an unexpected error, an administrator can reset the MFA setup via the button in the User index.

  1. Navigate to Users & Groups > Users.

  2. From the Users index page, click the link to the user's name to open the record.

  3. Click Actions and select Reset multi-factor auth. setup.

MFA user experience

Upon first login after MFA is activated by an administrator, the user will be prompted on the user desktop and any mobile devices using SWSD.

If the authentication method is mobile phone:

  1. The user is informed of the new authentication step and is asked to enter a mobile number.

  2. A code is sent to the mobile number provided. The user must enter the code at the verification prompt.

    The code is only valid for 30 minutes, after which a new code is required.

If the authentication method is Google Authenticator:

  1. The user can scan the QR code and enter the verification code provided.

  2. The user will be prompted to provide a verification method.

  3. After initial setup, the user will always receive a prompt to select the method by which to receive a verification code.

When a user updates their mobile number on the User profile page, and MFA is active, they need to click Verify to authenticate the phone number via MFA.