Authentication

Clumio has two options, Single Sign On (SSO) and Multi-Factor Authentication (MFA) for an additional layer of security to augment the username and password.

Single sign-on (SSO)

Activate single sign-on (SSO) to enable all Clumio users to log in to Clumio using one set of credentials. Single sign-on can be either service provider (SP) initiated, or identity provider (IdP) initiated. Clumio acts as a service provider (SP) that establishes a trust relationship with your Security Assertion Markup Language Identity Provider (SAML IdP) to authenticate administrators and other users of Clumio.

Service provider initiated SSO

With service provider initiated (SP-initiated) SSO, users log in to applications directly using their corporate credentials. Users are redirected to the IdP login page (if they are not already logged into the IdP), then they are logged in to the application.

Clumio supports SP-initiated SSO. As an administrator, Clumio SSO lets you do the following:

Manage access for users from a centralized identity provider portal.
Use your corporate credentials to securely log into the Clumio UI.
Enforce corporate password policies within your identity provider portal without having to administer them separately for Clumio.

Identity provider initiated SSO

With identity provider initiated (IdP-Initiated) SSO, users log in to their IdP’s SSO page and select the application to access it. Clumio supports SSO through SAML2.0 protocol, so any Identity Provider that has been implemented per the SAML2.0 specification can be onboarded with Clumio*. Refer to articles in this section for instructions on how to configure SSO or MFA with different Identity Providers.

* Limitations may apply.

To set up SSO within Clumio, complete the information in the Authentication section, and upload the SAML metadata file, if available, from your IdP application. Clumio generates a service provider metadata file, which you add to your IdP application. This process allows the two applications to exchange information.

Configure Single Sign On (SSO)

To configure Clumio as a service provider application in your SAML IdP, proceed as follows.

Go to Administration > Access Management > Authentication and select Single Sign-on.
Complete the following fields in the Identity Provider (IdP) Details section:

Name: Select the name of your IdP, or if the IdP is not listed, choose Other and enter the name in the text field.
Metadata File: Choose one of the following three options:
- Metadata URL: provide a public URL from where Clumio can download the XML file with the metadata. This file is accessed each time there is an SS handshake between Clumio and the IdP, if the file URl is not accessible, the login fails.
- Metadata file upload: Upload the SAML metadata file from your IdP..
- Manually configuration: You must provide the following information from your IdP:
  - Single sign on issuer—this is the identity provider's unique entity ID
  - SSO URL—the URL to which a user is redirected when they sign in to
    Clumio
  - Public key certificate—this is the IdP's X.509 certificate
Attribute Type: Enter the email that you used during the Clumio registration.

Click Test with my account to test the SSO configuration using the email ID provided. The test is based on the values entered in the IdP Details section. If there are any issues, an error message appears.
Click the Activate SSO toggle to enable (blue) or disable (gray) SSO.

If SSO is enabled for an organization, Clumio sends a confirmation email to the users in the System. If SSO is disabled, Clumio sends a notification email, and users need to reset their password to access their Clumio account. This only applies if a user is invited after SSO is enabled. If a user existed in Clumio before SSO is enabled, then their old password will continue to work.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) may be useful if you are not working in an SSO environment.

Deploying the optional MFA feature, you can configure a time-based one-time password (TOTP) using the provider of your choice that generates a code for Clumio user authentication. When MFA is enabled for all users, Clumio prompts each user to enter the additional code after signing in with their username and password. The QR code does not expire.

You can only activate MFA using a smartphone with an MFA application. Clumio only supports authentication applications that are in compliance with protocol RFC 6238 that generate a TOTP algorithm. Examples include Google Authenticate, Okta Verify, and Microsoft Authenticator.

Before you can set up MFA for Clumio, make sure the MFA is installed on your device.

If you need to reset MFA on your device, reach out to Clumio Support at [email protected].

Activate multi-factor authentication login on your device

Verify that the multi-factor authentication (MFA) application is installed on your device.
Go to Administration > Access Management > Authentication, and select Multi-Factor Authentication (MFA).
Click Show QR Code, and scan the QR code with the MFA application on your smartphone. Enter the generated code. The code is automatically saved, and a “Setup Successful” confirmation message appears.
To activate MFA for all users, click the Activate MFA for all toggle to enable (blue) or disable (gray) MFA. A confirmation message appears.
Click Proceed. Then click Save Changes.

Log in with MFA

To log in with multi-factor authentication, proceed as follows.

Go to the Clumio login page and enter your email in the Registered Email Account field. Click Next.
Select the organization that you want to log into from the Select Organization dropdown.
Enter your password and click Login.
You are prompted to enter a six digit authentication code. Get the code from your authentication app on your smartphone. If you have not already authenticated with your app, use your app to scan the QR code shown on the login screen.
Enter the code and click Verify Code. You are now logged on to Clumio.