This article provides a detailed summary of the process and implications of disabling local authentication (email-based login) in Observe. This change restricts user access to Single Sign-On (SSO) only, removing local authentication options and affecting various aspects of platform functionality and troubleshooting.
Disabling Local Authentication
Please reach out to your account team or contact Product Support via our Support Portal to disable local authentication. This setting can be referred to as allow_email_login, which can be set to false (the default value is true).
Disabling local authentication has the following effects:
- Removal of Local Sign-In Form: Users will no longer see a “Sign in with email” option when logging in; they will only be presented with the SSO login option.
- Persistent “Local” Source Label: Unfortunately, disabling local authentication does not remove the “Local” designation from the “Source” column in the user lister page (e.g., where user sources like “Local” or “SAML” are displayed). This label will remain visible for users previously associated with local authentication.
Impacts of Disabling
- While disabling local authentication enhances security and enforces the use of Single Sign-On (SSO), it introduces a key consideration for troubleshooting. If Observe needs access to your instance to resolve issues, Observe staff would need to be added as users within your SAML identity provider to facilitate troubleshooting.
- If the Identity Provider (IdP) becomes unavailable or a certificate expires, users will be unable to log in via SSO, as there will be no fallback local authentication option. This could result in temporary access disruptions for all users. To mitigate this risk, ensure your IdP is highly available and regularly monitor certificate expiration dates. We recommend that partners verify their IdP’s uptime guarantees and certificate management processes with their provider.
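One way to monitor certificate expiration dates, shown as an added example that is not part of Observe's tooling: it reads the X.509 certificates embedded in a SAML IdP metadata file and reports any that expire within a warning window. The function names, the 30-day threshold, and the assumption that the metadata has been saved to a local file are illustrative choices made for this example.

```python
import base64
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# XML-DSig element that carries each base64 certificate in SAML metadata.
DS_CERT = "{http://www.w3.org/2000/09/xmldsig#}X509Certificate"

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter time of a DER X.509 certificate (UTC)."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional explicit [0] version field
        pos = end
    for _field in range(3):         # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)      # validity SEQUENCE
    _, _, pos = _tlv(der, pos)      # skip notBefore
    tag, start, end = _tlv(der, pos)
    text = der[start:end].decode("ascii")
    if tag == 0x17:                 # UTCTime: YY >= 50 means 19YY (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiring_certs(metadata_xml, now, warn_days=30):
    """List (days_left, not_after) for IdP certificates inside the warning window."""
    hits = []
    for node in ET.fromstring(metadata_xml).iter(DS_CERT):
        expires = not_after(base64.b64decode(node.text))
        if expires - now < timedelta(days=warn_days):
            hits.append(((expires - now).days, expires))
    return sorted(hits)

if __name__ == "__main__":
    # Usage: python check_idp_cert.py idp-metadata.xml  (exit 1 if any cert is near expiry)
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = expiring_certs(fh.read(), datetime.now(timezone.utc))
    for days, expires in found:
        print(f"IdP certificate expires in {days} days ({expires:%Y-%m-%d})")
    sys.exit(1 if found else 0)
```

Run on a schedule, the non-zero exit status can drive an alert well before the certificate lapses and SSO logins start failing.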