About email sign-in accounts and SSO
Email sign-in accounts provide an alternative authentication method for accessing the Venafi Control Plane, particularly when Single Sign-On (SSO) is unavailable. This feature ensures that administrators and authorized users can maintain secure access under all circumstances.
Accounts that have email sign-in enabled can also sign in using SSO, assuming SSO is enabled and configured on your Control Plane account.
IMPORTANT
The primary purpose for allowing email sign-in is for situations in which your SSO goes offline—either intentionally or due to an outage of your SSO service—and an alternate authentication method is required.
To tighten security, email sign-in to TLS Protect Cloud should be reserved for authorized administrators, and used only when SSO isn't available.
Features and benefits
- Backup authentication: Email sign-in accounts serve as a fallback authentication method when SSO is offline, whether due to scheduled maintenance or unexpected outages.
- Administrator access: This method is primarily intended for authorized administrators who require continuous access to the Venafi Control Plane.
- Enhanced security: By enabling email sign-in, administrators can ensure secure access without relying solely on SSO, improving resilience against potential authentication disruptions.
- Flexible user management: Administrators can enable or disable email sign-in for specific users based on role-based access needs.
About password reset functionality
To further enhance security, Venafi Control Plane enforces periodic password resets for email sign-in accounts:
- Admin-initiated resets: Administrators can require users to reset their passwords at any time, providing additional security controls when necessary.
- Annual password expiration: Users with email sign-in accounts are required to reset their passwords on a regular cadence to maintain account security.
- Automatic redirection: When a password expires, users are automatically redirected to the password reset page for a seamless update process.
Requirements and compatibility
- Prerequisites: A Venafi Control Plane administrator must enable the email sign-in option for user accounts.
- Compatibility: Email sign-in accounts work with all local user accounts and integrate seamlessly with existing security protocols.
Next steps
Administrators can perform any of the following next steps:
- Enable or disable the email sign-in option for a user account.
- Enable a required password reset for a user account that has email sign-in enabled.