Manage authentication

Sigma supports a variety of authentication methods, such as username and password authentication, or SAML or OAuth single sign-on methods. If you use password authentication, two-factor authentication is enabled by default. For more information, see Mandatory two-factor authentication for accounts.

User requirements

To manage authentication methods and options for your organization, you must be assigned the Admin account type.

Authentication methods

The following authentication methods are available to configure in Administration for all organizations:

Password: Sigma prompts new organization members to create a unique password for their Sigma account that is at least 8 characters long and not a commonly-used or similar password.
SAML: Sigma authenticates organization member accounts through the single sign-on (SSO) protocol you provide. See SSO with SAML.
OAuth: Sigma authenticates organization member accounts through OAuth single sign-on (SSO). See Configure OAuth.

For organizations without multiple identity providers (IdPs) enabled, the following options are available for configuration in Administration. If you have multiple IdPs enabled, you can configure any combination of the above options to achieve the same authentication setup.

SAML or Password: Organization members authenticate with either SSO or a unique password.
OAuth or Password: Sigma authenticates organization member accounts through OAuth single sign-on (SSO) or a unique password.

🚧

If you change the authentication method from password to SSO or OAuth, user emails must match exactly for the user to maintain their account.
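
The exact-match requirement can be checked before you switch methods. The following is an added example, not Sigma's own code: it compares Sigma member emails with the emails your IdP will assert and labels each near miss. Both lists are constructed sample data, the function names are hypothetical, and treating case or whitespace differences as mismatches is an assumption drawn from "match exactly".

```python
# Added example: pre-migration audit for the exact-match email requirement.
# SIGMA_MEMBERS and IDP_EMAILS are constructed; export your own lists instead.
SIGMA_MEMBERS = ["ana@example.com", "Bo.Li@example.com", "chris+bi@example.com",
                 "dee@example.com", "eli@example.com"]
IDP_EMAILS = ["ana@example.com", "bo.li@example.com", "chris@example.com",
              "dee@corp.example.com", "fay@example.com"]

def split(addr):
    """Split a normalized address into (local part, domain)."""
    local, _, domain = addr.partition("@")
    return local, domain

def classify(sigma_email, idp_emails):
    """Return 'exact', '<reason>:<closest IdP email>', or 'missing'."""
    if sigma_email in idp_emails:
        return "exact"  # byte-for-byte identical: the account carries over
    # Map normalized form -> original IdP value, in a stable order.
    folded = {e.strip().casefold(): e for e in sorted(idp_emails)}
    key = sigma_email.strip().casefold()
    if key in folded:
        return "case_or_whitespace:" + folded[key]
    local, domain = split(key)
    for cand, original in folded.items():
        c_local, c_domain = split(cand)
        # Same mailbox name under another domain (alias or subdomain).
        if c_local == local and c_domain != domain:
            return "domain_differs:" + original
        # Plus-addressing: user+tag@domain versus user@domain.
        if (c_domain == domain
                and c_local.split("+", 1)[0] == local.split("+", 1)[0]):
            return "plus_tag_differs:" + original
    return "missing"

def audit(sigma_emails, idp_emails):
    """Classify every Sigma member email against the IdP email set."""
    idp_set = set(idp_emails)
    return {e: classify(e, idp_set) for e in sigma_emails}

def at_risk(sigma_emails, idp_emails):
    """Emails that would not match exactly after the switch."""
    report = audit(sigma_emails, idp_emails)
    return sorted(e for e, status in report.items() if status != "exact")

if __name__ == "__main__":
    for email, status in audit(SIGMA_MEMBERS, IDP_EMAILS).items():
        print(f"{email:28} {status}")
```

Resolve every entry that is not `exact` before changing the authentication method, either by correcting the attribute the IdP sends or by updating the email on the Sigma side.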

Manage authentication method and options

The steps to manage the authentication method and options for your organization differ depending on whether your organization uses multiple identity providers.

💡

To check whether your organization uses multiple IdPs: Go to Administration > Authentication. If you see the + Add authentication method option under Authentication Methods, your organization uses multiple IdPs.

If your organization doesn’t have multiple identity providers enabled:

  1. Go to Administration > Authentication.
  2. Under Authentication Method & Options, select Edit.
  3. From the Authentication Method dropdown, select and configure your authentication method:
    • If you select SAML or SAML or password, see Single Sign On with SAML for further configuration steps.
    • If you select OAuth or OAuth or password, see Configure OAuth for further configuration steps.
  4. [optional] To enable guest user accounts, turn on the toggle for Allow Guest Access. See Guest User Accounts.
  5. [optional] To customize how frequently users are prompted to re-authenticate, set a Session Length in Hours. This setting only applies to users logging in with SAML or a password.
  6. [optional] To ensure users are automatically logged out after a certain length of inactivity in the product, turn on the toggle for Enforce Inactivity Timeouts. See Set up inactivity timeouts.
  7. [optional] To authorize anyone with an email from one or more domains to create an account in your organization without a personalized invite, specify one or more comma-separated email domains under Company Domain Signup. See Company domain signup.
  8. After configuring authentication for your organization, click Save.

If your organization has multiple identity providers enabled:

  1. Go to Administration > Authentication.
  2. Under Authentication Methods, select Edit next to an existing authentication method, or select Add authentication method to create a new authentication method.
    • If you select SAML, see Single Sign On with SAML for further configuration steps.
    • If you select OAuth, see Configure OAuth for further configuration steps.
    • If you select Password, you can optionally configure Company domain signup. To authorize anyone with an email from one or more domains to create an account in your organization without a personalized invite, specify one or more comma-separated email domains. For more details, see Company domain signup.
  3. [optional] To configure other options, under Authentication Options, select Edit.
    • To enable guest user accounts, turn on the toggle for Allow Guest Access. See Guest User Accounts.
    • To customize how frequently users are prompted to re-authenticate, set a Session Length in Hours. This setting only applies to users logging in with SAML or a password.
    • To ensure users are automatically logged out after a certain length of inactivity in the product, turn on the toggle for Enforce Inactivity Timeouts. See Set up inactivity timeouts.

Company domain signup

When you use an authentication method that supports Password authentication, you can choose to add domains to an allowlist. By default, new users can only sign up when they receive an invitation. Adding your company's email domain lets anyone with a company email address create a Sigma account without a personalized invitation.

Sigma prompts new users to enter their email from a domain on the allowlist. After confirming their email, the user can create an account and register as a Sigma user.

Admin-initiated password reset

If you are assigned the Admin account type and your organization is using a password-based authentication method, you can send password reset emails to users in your organization:

  1. In the Admin Portal, click the People tab.

  2. On the Members tab, search or browse to locate the user. You can search by name or email address.

  3. For the user, click More > Reset user password.

    Sigma sends a reset password email to the user. The email informs the user that the organization admin has requested that they reset their password.

Bulk password reset

If you are assigned the Admin account type and your organization is using a password-based authentication method, you can initiate a password reset for multiple users.

  1. In the Admin Portal, click the People tab.

  2. On the Members tab, for each user, select the checkbox to the left of their name.

  3. In the toolbar, click Reset password.

  4. Review your selection and click Confirm.

    The selected users receive an email informing them that the admin has requested that they reset their password.