Authentication and SSO

Restricting sign-in methods

Organization admins can set sign-in restrictions to control how members are able to authenticate when accessing their Mode Workspace.

  1. Navigate to the Mode home page.
  2. Click on your name in the upper left corner.
  3. Click Workspace Settings from the dropdown menu.
  4. In the People section, click on Member Authorization.


By default, users can log into your Mode Workspace with all of the following methods of access. Toggle off any methods that you do not want to allow users to authenticate with:

  • Username and password
  • Google
  • Slack
  • Office365
  • SAML provider of your choice (if configured)


Do not disable all sign-in methods. If all methods are disabled, it will be impossible for anyone to sign in to your Workspace, including admins, and you will need to contact our success team for assistance.

Custom SAML

Admins may define one or more custom SAML identity providers that your Mode Workspace can use to authenticate users:

  1. Navigate to the Mode home page, click on your name in the upper left corner of the screen and click Workspace Settings from the dropdown menu.
  2. In the People section, click on Member Authorization.
  3. To add a new SAML provider, click + Add New Provider. To edit or delete an existing provider, click the


    next to it in the list and click




  4. Enter the SAML configuration and click


    when you are finished.

Custom providers will automatically create user accounts in Mode for emails that match your organization’s claimed domain. Setup is required for each provider. Once you create a new provider in Mode settings, you will see the following information, which may be required for setup in your SAML provider:

  • Assertion Consumer Service URL
  • Entity ID
  • Provider Token

SAML Provider details


SCIM is a protocol that lets enterprise identity providers (IdPs) integrate with and provision applications. This allows large Workspaces to keep all of their applications up to date with their org chart and maintain centralized control of app and data permissions.

Once you are integrated through SCIM, you will be able to provision users into Mode and manage Mode group memberships through your IdP, rather than needing to do it within the Mode UI. This allows you to manage Mode from the same place and in the same way that you manage other applications, and synchronize identity information like name and email across all of the apps that your members use.

The effect is a less tedious workflow for application administrators, resulting in tighter security and a more effective and accurate deployment of Mode into your org.

Note: Ideally, a SCIM API is agnostic to which IdP an organization uses. But each IdP has small quirks in its implementation, so we will release support for one IdP at a time. We are starting with Okta, but will be releasing support for additional IdPs in the future.

Supported Features

The following provisioning features are supported:

  • Push New Users: New users created through Okta will also be provisioned in Mode.
  • Push User Deactivation: Deactivating the user through Okta will remove the user from the Workspace and all groups in Mode. If they are reactivated they will need to have any groups reassigned to restore associated resource entitlements.
  • Push Profile Updates: Updates made to the user's profile through Okta will be pushed to the third party application. First Name and Last Name will be combined as the Full Name in Mode.
  • Group Push: Groups and their members can be pushed to Mode. You can find more information about using group push operations here: Using Group Push.
  • Reactivate Users: Reactivating the user through Okta will reactivate the user in Mode. They will need to have any groups reassigned to restore associated resource entitlements.

Import Users, Import Groups, and Sync Password are not currently supported.


Mode requires that SCIM customers have completed the SAML setup process and have a working Okta-Mode integration before setting up provisioning features with SCIM. If you wish to use SCIM, your Mode Workspace must have SAML configured as the sole sign-in method.

Attributes and Mappings

Mode supports users pushed from Okta with Okta mastering the userName, givenName, familyName, email, and emailType attributes. Mode uses only the user’s primary email internally. While Mode accepts any userName, we recommend that this attribute be set to the primary email (the Okta default).

Mode-mastered attributes are only supported in the initial SCIM setup and matching process.

Mode supports designating admin users via specifying admin as the value of the role attribute. Other values for role will be ignored.

Specify admins in Okta to ensure users retain their Mode roles. To see who is currently an Admin, go to Workspace Settings > Members in Mode.
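The mapping rules above can be checked against a user resource before it is pushed. The following is an added example, not code from Mode or Okta: it assumes the payload follows the SCIM 2.0 core User schema (RFC 7643), that role values arrive in the multi-valued `roles` attribute, and that only the exact string `admin` counts. The function names and sample users are hypothetical.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 schema URN

def primary_email(user):
    """Return the lower-cased primary email, or None if none is marked primary."""
    for entry in user.get("emails") or []:
        if entry.get("primary") is True and entry.get("value"):
            return entry["value"].strip().lower()
    return None

def lint_scim_user(user):
    """Derive the fields the mapping section describes and collect warnings."""
    warnings = []
    if CORE_USER not in (user.get("schemas") or []):
        warnings.append("missing core User schema URN")
    email = primary_email(user)
    if email is None:
        warnings.append("no primary email")
    elif (user.get("userName") or "").strip().lower() != email:
        # The page recommends userName be set to the primary email.
        warnings.append("userName differs from primary email")
    name = user.get("name") or {}
    parts = [name.get("givenName"), name.get("familyName")]
    full_name = " ".join(p.strip() for p in parts if p and p.strip())
    # Assumption: roles live in the RFC 7643 "roles" attribute and the
    # comparison with "admin" is exact; any other value is reported as ignored.
    roles = [r.get("value") for r in user.get("roles") or []]
    ignored = [str(r) for r in roles if r != "admin"]
    if ignored:
        warnings.append("role values that will be ignored: " + ", ".join(ignored))
    return {"email": email, "full_name": full_name,
            "is_admin": "admin" in roles, "warnings": warnings}

# Constructed sample resources (not real accounts).
GOOD = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "ada@example.com",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "emails": [{"value": "ada@example.com", "type": "work", "primary": true},
             {"value": "ada@personal.example", "type": "home"}],
  "roles": [{"value": "admin"}], "active": true}""")
DRIFT = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "glee",
  "name": {"givenName": "Grace", "familyName": "Lee"},
  "emails": [{"value": "G.Lee@example.com", "type": "work", "primary": true}],
  "roles": [{"value": "Admin"}, {"value": "editor"}], "active": true}""")

if __name__ == "__main__":
    for u in (GOOD, DRIFT):
        print(json.dumps(lint_scim_user(u), indent=2))
```

A user such as `DRIFT` would be provisioned without admin rights even though the IdP profile appears to request them, which is the mismatch this check is meant to surface before the push.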


Users and Groups

Mode supports Group Push with Okta, which allows admins to push groups from Okta to Mode, as well as manage groups that were created in Mode through Okta.

Note: Users need to be assigned to the Mode application before they will be included in pushes of Groups that contain them.

For more information on Group Push, see Okta's documentation on Using Group Push and Enhanced Group Push.

Session expiration

By default, logged-in sessions to Mode expire after 30 days, at which point users must re-authenticate. If you are an admin and would like to adjust the session expiration length for your Workspace, please contact us.
