Marigold Engage supports single sign-on. A user needs to log on just once to have access to all modules of Engage. Users are defined within the Engage Admin Configuration and are assigned permissions through user groups. In this case the Engage login is used.

Marigold Engage also supports the use of an external identity provider (IDP), which manages users and groups. When an IDP is configured for an environment, the login page contains an additional tab, 'Identity providers', in which you can select the IDP to be used. (In most cases there is just one IDP configured for a customer and this is then automatically selected.)

When the user selects the IDP, they're automatically logged on to the Engage environment and have the permissions attributed to their group. (Permissions are configured in Admin Configuration. The permission sets are assigned to user groups.)

Note: In theory, it is possible to use multiple identity providers, or to use a combination of the Engage identity provider and an external identity provider. However, in practice, only one will be used, which means that this is transparent for the end-user. If several are used, the end-user needs to select one, and only one, identity provider he or she wishes to use to log in.


Two Factor Authentication

Two Factor Authentication can be activated on request for the customer environment. There are 2 ways in which identity verification can be done: SMS and email.

For email, the email address of the user is known (it is a mandatory field when creating a user) and the user will receive an email with an authentication code.
For SMS, a user logging on for the first time will have to enter a phone number to receive an authentication code via SMS.

This phone number must contain the country prefix and have at least 10 digits. It will be stored in the profile of the user.

Click the Confirm button to receive the code on the mobile phone.

The user then needs to enter the code received by SMS or email:

On entering an incorrect code, an error message is shown: "Provided code is incorrect".
The user can retry entering a code a maximum of 3 times. After that, a redirect to the login page occurs.

The user can also resend the code up to 3 times. After that, a redirect to the login page occurs.

This code finalizes the login.

(Once the code is validated, the phone number is stored in the profile of the user.)


From the Users overview, the system administrator has a complete view of the users who are authenticated through Two Factor Authentication.

If you go to the profile of an individual user, the same information is available:

Users for whom Two Factor authentication is not passed are listed as follows:

The system administrator can reset the authentication when required, for example if the user changed their phone number or password.

The authentication is valid for 30 days. Throughout that time, the user does not need to re-enter a code and can log in as usual.
Two Factor Authentication has no impact on Single Sign On.
Note that in case of authentication issues for a specific user, 2FA can be deactivated per user. A ticket needs to be logged and a Marigold employee will make this change.
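
The limits described above (3 code entries, 3 resends, 30-day validity) can be modelled as follows. This is an added example, not Marigold's code: the class and function names, the 6-digit code format, the rotation of the code on resend and after use, and the reading that the third incorrect entry triggers the redirect are all assumptions.

```python
import hmac
import secrets
from datetime import timedelta

MAX_INCORRECT = 3                # page: a code can be entered a maximum of 3 times
MAX_RESENDS = 3                  # page: the code can be resent up to 3 times
VALIDITY = timedelta(days=30)    # page: the authentication is valid for 30 days


class TwoFactorChallenge:
    """One pending login awaiting a code sent by SMS or email (hypothetical model)."""

    def __init__(self):
        self.incorrect = 0
        self.resends = 0
        self.code = self._new_code()

    @staticmethod
    def _new_code():
        # Assumption: 6-digit numeric code; the page does not state the format.
        return f"{secrets.randbelow(10**6):06d}"

    def resend(self):
        """Issue a fresh code; return 'sent' or 'redirect_to_login'."""
        if self.resends >= MAX_RESENDS:
            return "redirect_to_login"
        self.resends += 1
        self.code = self._new_code()   # assumption: the previous code stops working
        return "sent"

    def verify(self, submitted, now):
        """Return (outcome, valid_until); outcome is ok, incorrect or redirect_to_login."""
        if self.incorrect >= MAX_INCORRECT:
            return "redirect_to_login", None
        # Constant-time comparison so response timing does not reveal partial matches.
        if hmac.compare_digest(submitted.encode(), self.code.encode()):
            self.code = self._new_code()   # assumption: a used code cannot be replayed
            return "ok", now + VALIDITY
        self.incorrect += 1
        if self.incorrect >= MAX_INCORRECT:
            return "redirect_to_login", None
        return "incorrect", None


def needs_second_factor(valid_until, now):
    """True when the user has no unexpired Two Factor validation."""
    return valid_until is None or now >= valid_until
```

Counting attempts per challenge rather than per submitted code means a resend does not reset the retry limit, so the two limits together bound the number of guesses for one login.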



The login screen also shows important notifications (for example when a new Marigold Engage release is available).