Admin > Manage Security

The Berkshire Client Portal has been enhanced to now include Multi-factor Authentication (MFA) and Single Sign-On. Administrators can activate these features on the Manage Security page. The Manage Security page can be found under the Admin section of the drop-down menu in the top right of every BCP page.

Multi-factor Authentication (MFA)

Multi-factor Authentication (MFA) is a secondary authentication method, in addition to username and password, that requires a user to also enter a Time-Based One-Time Password (TOTP) to gain access. Activation of this option, for your account, is available through the Manage Security page.

To activate this feature, select the Require MFA for all users checkbox and then click the [Save] action on the right. All users, at their next log in, will then be instructed to scan the displayed QR code using Google Authenticator, Microsoft Authenticator, Authy or other similar applications.

Once the code is scanned, the application will create a random six digit code that will be used every time you login to the Berkshire Client Portal. This code will refresh every 30 seconds to ensure it is unique every time they login.

In the event a user loses, or misplaces their code, the Administrator must go to the Manage Users page and use the Reset MFA Token action located in the action drop-down.

Single Sign-On

The Berkshire Client Portal supports Single Sign-On via any Identity Provider that supports SAML 2.0. Single Sign-On (SSO) enables users to log in to any number of applications and websites using one set of credentials typically administered by their IT department. Activation and maintenance of this feature is now available for the Berkshire Client Portal through the Manage Security page.

Download BCP Metadata File and Encryption Certificate

The first step in adding Single Sign-On to your BCP account would be to set up the connection within your SSO Identity Provider. To assist in this process, we have provided you with the ability to download the BCP Metadata File from the top of the SSO Configuration section of the Manage Security page. The metadata file will then be uploaded into your SSO provider to populate the required information.

The Berkshire Client Portal also optionally supports encrypting assertions from your Identity Provider. The certificate required for encrypting assertions is included in the metadata file, but depending on your SSO provider, the encryption certificate may need to be uploaded separately. To accommodate providers that require this as a separate step, you can also download the Encryption Certificate separately from the top of the SSO Configuration section of the Manage Security page.



Upload Company Metadata File and Encryption Certificate

After setting up the connection with your SSO identity provider, your next steps will be to enable SSO for your BCP account and upload your company's Metadata information into BCP. The Enable Single Sign-On setting will be on the left side of the SSO Configuration page. Once the setting is turned on, the [UPLOAD METADATA] will activate. Selecting this action will open a window where your company's Metadata information can be uploaded.

Uploading your company's Metadata information, will populate the following SSO settings listed below and the Signing Certificate, if it was included in the file.

  • Entity Name/ID
  • SSO Login URL
  • SSO Logout URL (Optional)

If your company's Metadata information did not contain the Encryption Certificate, it can be uploaded separately through [UPLOAD CERTIFICATE] . Please note, a signing certificate is only required if you choose to sign the request from your identity provider.

If any information cannot be read from the metadata file, a message will appear indicating which fields could not be read. If a metadata file is not provided by your SSO Identity Provider, you can also enter this information manually.

After all required fields have been added, use the [SAVE] action to complete the set up.


Optional SSO Features

  • Sign Request: Indicates the Berkshire Client Portal should validate the signature of the SSO request. If enabled, you must upload a signing certificate from your SSO Identity Provider.
  • Sign Assertion: Indicates the SSO Identity Provider will encrypt the assertion. If enabled, you must ensure you have uploaded the certificate to your SSO Identity Provider. If enabled, you will have to periodically download a new certificate file (approximately annually) from the Berkshire Client Portal and upload to your SSO Identity Provider.
  • Require Single Sign-On: Enforcement of SSO when accessing the Berkshire Client Portal. If this option is activated, the ability to use a traditional username/password will be disabled. When disabled, a user can login with either user name and password or via SSO.
  • User Alternate SSO ID: User email is the default identifier for the Berkshire Client Portal SSO. If an alternate identifier is needed (e.g. your SSO Identity Provider does not use email address as the UID), it must be set per individual through the Manage Users page under the Admin section of the top right hand menu.