
Admin > Manage Security

The Berkshire Client Portal has been enhanced to include Multi-factor Authentication (MFA) and Single Sign-On. Administrators can activate these features on the Manage Security page. The Manage Security page can be found under the Admin section of the drop-down menu, which is located in the top right of every BCP page.

Multi-factor Authentication (MFA)

Multi-factor Authentication (MFA) is a secondary authentication method, in addition to username and password, that requires a user to also enter a Time-Based One-Time Password (TOTP) to gain access. Activation of this option for your account is available through the Manage Security page.

To activate this feature, select the Require MFA for all users checkbox and then click the [Save] action on the right. At their next login, all users will be instructed to scan the displayed QR code using Google Authenticator, Microsoft Authenticator, Authy or another similar application.

Once the code is scanned, the application will create a random six-digit code that will be used every time the user logs in to the Berkshire Client Portal. This code will refresh every 30 seconds to ensure it is unique every time they log in.
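The six-digit, 30-second code described above can be reproduced with the standard TOTP algorithm (RFC 6238), in which the code is derived from the secret carried in the QR code and the current time. This is an added example, not the Berkshire Client Portal's code; HMAC-SHA-1, the drift window and the replay check are assumptions about a typical verifier, and the secret is the constructed RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays current (the refresh interval stated above)
DIGITS = 6   # length of the code shown by the authenticator application

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA-1) for the time step containing unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, submitted: str, unix_time: int,
           last_counter: int = -1, window: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    Tolerates +/- `window` steps of clock drift (assumed policy) and refuses
    any step at or before `last_counter`, so a code seen once cannot be reused.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    now = unix_time // STEP
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue                             # already used: replay
        expected = totp(secret, counter * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return counter
    return None

# Constructed secret: the published RFC 6238 test key, not a real enrolment.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print(code, verify(SECRET, code, 59))
```

A verifier that stores the returned counter per user and passes it back as `last_counter` rejects a second login with the same code inside its 30-second lifetime.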

In the event a user loses or misplaces their code, the Administrator must go to the Manage Users screen

Single Sign-On

The Berkshire Client Portal supports Single Sign-On via any Identity Provider that supports SAML 2.0. Single Sign-On (SSO) enables users to log in to any number of applications and websites using one set of credentials typically administered by their IT department. Activation and maintenance of this feature is now available for the Berkshire Client Portal through the Manage Security page.

Download BCP Metadata File and Encryption Certificate

The first step in adding Single Sign-On for your BCP account is to set up the connection within your SSO Identity Provider. To assist in this process, we have provided you with the ability to download the BCP Metadata File from the top of the SSO Configuration section of the Manage Security page. The metadata file will then be uploaded into your SSO provider to populate the required information.

The Berkshire Client Portal also optionally supports encrypting assertions from your Identity Provider. The certificate required for encrypting assertions is included in the metadata file, but depending on your SSO provider, the encryption certificate may need to be uploaded separately. To accommodate providers that require this as a separate step, you can also download the BCP Encryption Certificate separately from the top of the SSO Configuration section of the Manage Security page.



Upload Company Metadata File and Encryption Certificate

After setting up the connection with your SSO Identity Provider, your next steps will be to enable SSO for your BCP account and upload your company's Metadata information into BCP. The Enable Single Sign-On setting will be on the left side of the SSO Configuration page. Once the setting is turned on, the [UPLOAD METADATA] action will activate. Selecting this action will open a window where your company's Metadata information can be uploaded.

Uploading your company's Metadata information will populate the SSO settings listed below and the Signing Certificate, if it was included in the file.

  • Entity Name/ID
  • SSO Login URL
  • SSO Logout URL (Optional)

If your company's Metadata information did not contain the Encryption Certificate, it can be uploaded separately through [UPLOAD CERTIFICATE]. Please note, a signing certificate is only required if you choose to sign the request from your identity provider.

If any information cannot be read from the metadata file, a message will appear indicating which fields could not be read. If a metadata file is not provided by your SSO Identity Provider, you can also enter this information manually.
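The following shows how the listed settings map onto a SAML 2.0 Identity Provider metadata file and how unreadable required fields can be reported. It is an added example, not the Berkshire Client Portal's code; the function and field names are hypothetical and the sample metadata is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED = ("entity_id", "sso_login_url")   # the logout URL is optional

def _location(idp, tag):
    """Location of the first <md:tag> endpoint, or None if absent."""
    el = idp.find("md:" + tag, NS) if idp is not None else None
    return el.get("Location") if el is not None else None

def _signing_cert(idp):
    """Base64 body of the first signing-capable KeyDescriptor, or None."""
    if idp is None:
        return None
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing too.
        if kd.get("use", "signing") == "signing":
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is not None and cert.text:
                return "".join(cert.text.split())
    return None

def read_idp_metadata(xml_text):
    """Return (settings, names of required fields that could not be read)."""
    # SAML metadata needs no DTD; refusing one blocks entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD declarations are not accepted in metadata")
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    settings = {
        "entity_id": root.get("entityID"),
        "sso_login_url": _location(idp, "SingleSignOnService"),
        "sso_logout_url": _location(idp, "SingleLogoutService"),
        "signing_certificate": _signing_cert(idp),
    }
    return settings, [f for f in REQUIRED if not settings[f]]

# Constructed sample: one signing key, no logout endpoint.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RS
        VUNURUQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Running `read_idp_metadata(SAMPLE)` returns the populated settings with an empty list of unreadable fields; a file without an `IDPSSODescriptor` reports `sso_login_url` as unreadable.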

After all required fields have been added, use the [SAVE] action to complete the setup.


Optional SSO Features

  • Sign Request: Indicates the Berkshire Client Portal should validate the signature of the SSO request. If enabled, you must upload a signing certificate from your SSO Identity Provider.
  • Sign Assertion: Indicates the SSO Identity Provider will encrypt the assertion. If enabled, you must ensure you have uploaded the certificate to your SSO Identity Provider. If enabled, you will have to periodically download a new certificate file (approximately annually) from the Berkshire Client Portal and upload it to your SSO Identity Provider.
  • Require Single Sign-On: Enforcement of SSO when accessing the Berkshire Client Portal. If this option is activated, the ability to use a traditional username/password will be disabled. When disabled, a user can log in with either username and password or via SSO.
  • User Alternate SSO ID: User email is the default identifier for the Berkshire Client Portal SSO. If an alternate identifier is needed (e.g. your SSO Identity Provider does not use email address as the UID), it must be set per individual through the Manage Users page under the Admin section of the top right hand menu.