# Sign-In Settings

### Overview

Veza supports SAML and OIDC-based Single Sign-On (SSO) for seamless authentication with third-party Identity Providers (IdPs) like Okta and Azure AD.

Platform features include session idle timeout, API key-based programmatic access, SCIM provisioning for external user management, and IdP-managed role assignments.

Local accounts and multi-factor authentication are also supported for added security.

### General Settings

#### Session Idle Timeout

This setting defines the maximum idle time before a user is automatically logged out of Veza. The default value is 30 minutes, but you can adjust it to meet your organization's security requirements.

This applies to all users, regardless of their authentication method (SSO or local accounts).

### SSO

SSO configures the SAML and OIDC single sign-on mechanisms. The following configuration features are available for both SAML and OIDC:

1. **Attribute Mapping:** Map user attributes from the incoming SAML assertion or OIDC claim to corresponding attributes within Veza.
   * Available in SAML and OIDC configuration pages.
2. **Role Mapping:** Map groups from the incoming SAML assertion or OIDC claim to Veza teams and roles.
   * Available in SAML and OIDC configuration pages.
3. **SSO Redirect:** When SSO is active, users attempting to log in to Veza are automatically redirected to their Identity Provider (IdP) login page.
4. **IdP-Managed Role Assignments:** Push group assignments from your IdP to Veza.

#### SAML

Veza supports SAML, the XML-based standard for single sign-on. When enabled, users can log in to Veza using a third-party Identity Provider, such as OneLogin, Okta, Azure AD, or a custom provider.

After registering Veza as a SAML service provider (SP) with your IdP, and configuring and enabling SAML from the **Administration** cog icon (at the bottom of the navigation sidebar) > *Sign-in Settings*, you will be able to assign access to Veza directly from the IdP. The login page will offer the option to "Login with SSO" and redirect users to your IdP for authentication.

Our [SAML guide](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/saml.md) has instructions to configure SAML as your SSO provider.

We offer more detailed instructions for configuring SAML SSO with [Okta](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/saml/saml-okta.md) and [Microsoft Entra (Azure AD)](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/saml/saml-entra.md).

#### OIDC

Our [OIDC guide](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/oidc.md) has instructions to configure OIDC as your SSO provider.

We have a detailed guide for configuring OIDC SSO with [Okta](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/oidc/oidc-okta.md).

#### SSO Redirect

When SSO is enabled, users will be redirected to the IdP login page when they attempt to log in to Veza. If you want to disable this behavior, go to **Administration** > *Sign-in Settings* and toggle the **SSO Redirect** option.

{% hint style="info" %}
To access the standard login page when SSO redirect is active, add `?no_redirect` to the end of your login URL. For example: `https://mycompany.vezacloud.com/login?no_redirect`.
{% endhint %}

{% hint style="warning" %}
SSO Redirect applies when users navigate to the `/login` URL (for example, `https://mycompany.vezacloud.com/login`). Navigating directly to the base URL may not trigger the automatic redirect. Share or bookmark the `/login` URL to ensure users are redirected to your IdP.
{% endhint %}

#### Enabling or disabling IdP-managed role assignments

Depending on Veza system settings, group assignments in your IdP can take precedence over changes to teams or roles made by an administrator on the Veza **User Management** page.

To change this setting, find the **Identity Provider Managed Roles** option under Veza **Sign-in Settings**:

1. Go to Veza **Administration** > *Sign-in Settings* and find **Identity Provider Managed Roles**.
   * When this option is disabled, any assignments based on IdP roles only apply the first time a user logs in.
   * When enabled, user management within Veza is prevented, and your identity provider is the single source of truth for Veza teams and roles.
2. Click the toggle to enable or disable the setting.

{% hint style="info" %}
This option is enabled by default for new customers. Disable it if you prefer to use Veza's internal settings or do not use your identity provider for role management.

If the option is disabled, configure role forwarding for your Identity Provider before enabling it. See [Role Mapping](/4yItIzMvkpAvMVFAamTf/administration/administration/sign-in-settings/sso-feature-role-mapping.md) for the expected values.
{% endhint %}
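The two modes of the **Identity Provider Managed Roles** setting described above, as an added model in Python (not Veza's own code). The group-to-role mapping and the users are constructed for illustration.

```python
"""Model of the two Identity Provider Managed Roles modes described above.
Constructed example, not Veza's own code."""
from dataclasses import dataclass, field

# Constructed group -> (team, role) mapping, standing in for a Role Mapping config.
ROLE_MAPPING = {
    "veza-admins": ("admins", "admin"),
    "sec-reviewers": ("security", "access_reviewer"),
}
# The page states that the default role for SSO users is access_reviewer.
DEFAULT_ROLE = ("default", "access_reviewer")


@dataclass
class User:
    email: str
    roles: dict = field(default_factory=dict)  # team -> role
    logged_in_before: bool = False


def roles_from_groups(groups: list) -> dict:
    """Translate IdP group names into Veza team -> role assignments."""
    roles = {}
    for group in groups:
        if group in ROLE_MAPPING:
            team, role = ROLE_MAPPING[group]
            roles[team] = role
    if not roles:
        team, role = DEFAULT_ROLE
        roles[team] = role
    return roles


def sso_login(user: User, idp_groups: list, idp_managed_roles: bool) -> User:
    """Apply IdP group assignments on login.

    Enabled: the IdP is the source of truth, so every login re-applies groups.
    Disabled: IdP-based assignments apply only on the user's first login.
    """
    if idp_managed_roles or not user.logged_in_before:
        user.roles = roles_from_groups(idp_groups)
    user.logged_in_before = True
    return user


def admin_edit(user: User, team: str, role: str, idp_managed_roles: bool) -> bool:
    """Manual change from User Management; blocked while the IdP manages roles."""
    if idp_managed_roles:
        return False
    user.roles[team] = role
    return True
```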

### Global IdP Settings

#### Single Sign-On for Access Reviewers

Using Single Sign-On in combination with a [Global Workflows Identity Provider](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/global-idp-settings.md), Workflow certification reviewers can be auto-assigned using Identity Provider metadata and log in to Veza using SSO to act on their assigned certifications. As the default role for SSO users is `access_reviewer`, this will enable limited access for all users in your organization, without exposing other Veza features or certifications that the user is not involved in.

{% hint style="danger" %}
When configuring the SAML settings for a new app, ensure that the user's Veza application username is the same as their username for the IdP. This will allow Veza to correctly identify and authenticate managers who are [auto-assigned](/4yItIzMvkpAvMVFAamTf/features/access-reviews/configuration/managers-and-resource-owners.md).
{% endhint %}

### API Keys

The **API Keys** section contains settings for programmatic access.

#### Enable API Keys

The **Enable API Keys** setting allows the creation and use of personal and team API keys.

Personal API keys are associated with a specific user and can be used to access the Veza API on behalf of that user. Team API keys are associated with a specific team principal.

{% hint style="info" %}
Our [API documentation](/4yItIzMvkpAvMVFAamTf/developers/api.md) discusses how to invoke Veza APIs.
{% endhint %}

### Local

The **Local** section contains settings for local accounts.

#### Enable Local Accounts

The **Enable Local Accounts** setting allows the creation and use of accounts authenticated with an email address and password.

Disabling this setting will restrict login options to only Single Sign-On (SSO). Associated personal API keys are also disabled.

{% hint style="info" %}
We recommend maintaining at least one local account for "emergency break glass" access.
{% endhint %}

#### Enabling Multi-Factor Authentication

You can enable two-factor authentication for local accounts under **Administration** > *Sign-in Settings*. When enabled, **all local accounts** will be prompted when they first log in to register an authenticator app (for example, Google Authenticator for [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) or [iOS](https://apps.apple.com/us/app/google-authenticator/id388497605)) by scanning a QR code and entering the one-time code.

{% hint style="warning" %}
Note that if you enable, disable, and then re-enable MFA, you will need your original authenticator configuration to log back in. If the original entry is no longer in your authenticator app, you will need to initiate the recovery process (providing the one-time recovery code created during initial MFA registration) to regain access.
{% endhint %}
