
MFA & SSO

This page covers two authentication features: Multi-Factor Authentication (MFA) for additional login security, and Single Sign-On (SSO) for federated identity management.

Multi-Factor Authentication

The MFA Management section (imported from the shared library) lets tenant admins manage MFA for all users in the tenant.

Enforcing MFA

To require MFA for all users:

  1. Navigate to Settings in the sidebar.
  2. Go to the Security tab.
  3. Enable Require MFA.
  4. Select the allowed MFA methods:
    • TOTP — time-based one-time passwords (authenticator apps like Google Authenticator or Authy)
    • Email — verification codes sent to the user's email
    • SMS — verification codes sent via text message

Users who have not enrolled in MFA will be prompted on their next login.

[Image: MFA method selection interface showing toggle switches for the TOTP authenticator app, email verification code, and SMS verification code methods]
MFA method selection

Single Sign-On

SSO allows users to authenticate through their organization's identity provider instead of using a password.

Supported Providers

Provider | Protocol                    | Key Fields
Google   | OAuth 2.0 / OpenID Connect  | Client ID, Client Secret, Hosted Domain
Azure AD | OAuth 2.0 / OpenID Connect  | Client ID, Client Secret, Azure Tenant ID, Domain Hint
ID.me    | OAuth 2.0                   | Client ID, Client Secret

Adding an SSO Provider

  1. Navigate to Users & Security > SSO Configuration.
  2. Click to add a new provider.
  3. Select the Platform Provider (must be enabled by your platform admin first).
  4. Fill in the required fields:
    • Name — display name for this provider
    • Client ID — from your identity provider's app registration
    • Client Secret — from your identity provider's app registration
  5. Configure optional settings:
    • Scopes — OAuth scopes to request
    • Auto-create Users — automatically provision users on first SSO login
    • Default Role — role assigned to auto-created users
    • Allowed Domains — restrict SSO to specific email domains (comma-separated)
    • Force SSO — require all users to authenticate via this provider

Provider-Specific Settings

Azure AD:

  • Azure Tenant ID — your Azure AD tenant identifier
  • Domain Hint — pre-selects the identity provider on the Microsoft login page

Google:

  • Hosted Domain — restricts login to a specific Google Workspace domain

To finish adding the provider:

  1. Configure Attribute Mapping to map identity provider claims to OmniBots user fields.
  2. Configure Role Mapping to automatically assign roles based on identity provider groups.
  3. Click Save.

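The settings above all act at login time, once the identity provider has returned an ID token. The following is an added example, not OmniBots code, of how they combine: Hosted Domain and Azure Tenant ID bind the token to your organisation (via the `hd` and `tid` claims), Attribute Mapping copies claims into user fields, Allowed Domains filters on the email domain, Role Mapping turns identity provider groups into roles, and Auto-create Users with Default Role decides what happens to a first-time user. It assumes the OIDC library has already validated the token's signature, issuer, audience, nonce and expiry, and only the resulting claims dictionary is handled here; the `SsoProvider` class, the `SsoLoginError` exception and all sample values are constructed for illustration.

```python
"""Added example (not OmniBots code): how the SSO provider settings combine
at login. Assumes the ID token was already verified (signature, issuer,
audience, nonce, expiry) by the OIDC library; only its claims are used.
All class names, field names and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode


@dataclass
class SsoProvider:
    name: str
    kind: str                              # "google" | "azure_ad" | "idme"
    client_id: str
    allowed_domains: str = ""              # comma-separated, as typed in the UI
    auto_create_users: bool = False
    default_role: str = "viewer"
    scopes: str = "openid email profile"
    hosted_domain: Optional[str] = None    # Google: Hosted Domain
    azure_tenant_id: Optional[str] = None  # Azure AD: tenant identifier
    domain_hint: Optional[str] = None      # Azure AD: Domain Hint
    # Attribute Mapping: user field -> claim name in the ID token
    attribute_mapping: dict = field(
        default_factory=lambda: {"email": "email", "display_name": "name"})
    # Role Mapping: identity provider group -> role
    role_mapping: dict = field(default_factory=dict)


class SsoLoginError(Exception):
    """The claims do not satisfy the provider's configuration."""


def parse_allowed_domains(raw: str) -> set:
    """'Example.com, partner.org' -> {'example.com', 'partner.org'}."""
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def authorization_url(p: SsoProvider, authorize_endpoint: str,
                      redirect_uri: str, state: str, nonce: str) -> str:
    """Redirect to the identity provider. Google's 'hd' and Azure's
    'domain_hint' only steer the login page shown to the user; the real
    binding is enforced on the returned claims in resolve_sso_login."""
    params = {"response_type": "code", "client_id": p.client_id,
              "redirect_uri": redirect_uri, "scope": p.scopes,
              "state": state, "nonce": nonce}
    if p.kind == "google" and p.hosted_domain:
        params["hd"] = p.hosted_domain
    if p.kind == "azure_ad" and p.domain_hint:
        params["domain_hint"] = p.domain_hint
    return authorize_endpoint + "?" + urlencode(params)


def resolve_sso_login(p: SsoProvider, claims: dict, existing_users: set) -> dict:
    """Decide what a verified ID token means for this provider's settings."""
    # 1. Bind the token to the configured organisation, not just to the app
    #    registration: any Google or Azure account can satisfy the client ID.
    if p.kind == "google" and p.hosted_domain:
        if (claims.get("hd") or "").lower() != p.hosted_domain.lower():
            raise SsoLoginError("token is not from the configured Hosted Domain")
    if p.kind == "azure_ad" and p.azure_tenant_id:
        if claims.get("tid") != p.azure_tenant_id:
            raise SsoLoginError("token is not from the configured Azure Tenant ID")

    # 2. Attribute Mapping: copy claims into user fields.
    user = {f: claims.get(c) for f, c in p.attribute_mapping.items()}
    email = (user.get("email") or "").strip().lower()
    if not email or claims.get("email_verified") is False:
        raise SsoLoginError("no verified email claim")
    user["email"] = email

    # 3. Allowed Domains: empty means any domain the provider vouches for.
    allowed = parse_allowed_domains(p.allowed_domains)
    if allowed and email.rsplit("@", 1)[-1] not in allowed:
        raise SsoLoginError("email domain is not in Allowed Domains")

    # 4. Role Mapping: unmapped groups are ignored, never guessed.
    roles = sorted({p.role_mapping[g] for g in claims.get("groups", [])
                    if g in p.role_mapping})

    # 5. Existing account logs in (mapped roles, if any, are applied by the
    #    caller); a new account is created only if Auto-create Users is on,
    #    with Default Role when no group mapped to a role.
    if email in existing_users:
        action = "login"
    elif p.auto_create_users:
        action = "create"
        roles = roles or [p.default_role]
    else:
        raise SsoLoginError("no account for this user and Auto-create Users is off")
    return {"action": action, "roles": roles, **user}
```

Step 1 is the part most often skipped: a client ID only proves the token was issued for your app, and without the Hosted Domain or Azure Tenant ID check, a token for a personal account in the same cloud would pass. Allowed Domains then narrows further, and an empty Role Mapping combined with Auto-create Users means every first-time user gets exactly the Default Role and nothing more.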
[Image: SSO provider configuration form showing the provider type selector, client ID and client secret fields, Azure AD tenant ID field, auto-create users toggle, default role dropdown, and allowed domains input]
SSO provider configuration

Setting a Primary Provider

Mark one SSO provider as Primary to show it prominently on the login page. Users see the primary provider's login button above the username/password form.

Enabling / Disabling a Provider

Toggle the provider's enabled status without deleting the configuration. Disabled providers are not shown on the login page.

Deleting a Provider

Before deleting, the confirmation dialog shows how many users are currently authenticating via this provider. Those users will need to log in with a password or another SSO provider after deletion.

WARNING

If you delete an SSO provider that users depend on and those users do not have a password set, they will be locked out. Reset their passwords first.

OmniBots AI Bot Platform