Browser Access
Configuring the web portal access settings
Overview
Enforce robust security measures and maintain control over access to sensitive resources within the domain by configuring web portal access settings. With configurations like IP range restrictions, admins can ensure that only authorized users from specified locations can access critical services, reducing the risk of unauthorized access or data breaches. Additionally, implementing Two Factor Authentication (2FA) and session timeout settings adds layers of security, requiring additional verification beyond passwords and automatically logging out inactive sessions to minimize security vulnerabilities. These controls not only protect against external threats but also help enforce compliance with security policies and regulatory requirements, ultimately safeguarding the integrity and confidentiality of the domain's data and resources.
Basic Configuration
To help protect your domain's data from unauthorized access, network admins can specify a list of IP addresses from which users can log in.
IP Range: Enter the start IP address and the end IP address to limit users from accessing the web portal to only the specified IP ranges. You can optionally add groups synced from the AD/LDAP providers in the AD Group text box. Add a name for the specified IP range for quick identification and categorization.
Add a new IP range: Click the Add a new IP range link to add multiple IP range addresses for web portal access to your domain.
The configured IP range can be applied for Desktop & Mobile Access' settings from their respective tabs.
Users outside of the specified login IP ranges CANNOT access the web portal.
Two Factor Authentication (2FA) Settings
As a security measure, network admins can mandate Two Factor Authentication (2FA) for the domain. With 2FA, all users MUST use an additional security code to login to their accounts along with their account password. By default, the two factor authentication (2FA) is disabled for the domain.
There are three different ways to retrieve authentication codes for your users during login:
2FA token via Email: The secure authentication code is sent to a user's primary email ID setup in the user's profile.
2FA token via Authenticator app: Users MUST download an authenticator app to their mobile device. The users will then be able to scan QR codes and retrieve authentication data for themselves.
2FA token via Duo app: Users MUST download the Duo Mobile app to their mobile device. The users will then be able to scan QR codes and retrieve authentication data for themselves.
The two factor authentication is applied to all existing and new users (network users and guest users).
When logging in via Google Apps the 2FA settings are NOT applicable. For SSO connections using SAML see the setting 'Skip 2FA when user logs in via an SSO connection' value.
Login Token via Email
Enable two factor authentication (2FA): Select the 'Yes - Login token via Email' option to send a 5-digit unique login token to a user's primary email ID which they MUST enter after logging into the MangoApps domain via the web, desktop, and MAC platforms.
Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.
After the selected time period if the user wants to re-login then they would be required to provide a new token for security reasons.
Login token valid for: Select the time period for which the login token received by the user over email would remain valid. The login token is always sent over the user's primary email. The possible values for the token validity period are - 1 min, 5 mins , 10 mins, 15 mins, 30 mins, or 1 hr.
Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.
A user MUST have access to their primary email ID provided in their user profile to receive the login token and gain access to the MangoApps domain.
Login token via Authenticator App
Enable two factor authentication (2FA): Select the 'Yes - Login token via Authenticator app' option to create a unique QR code for each user which they MUST scan using an authenticator app to generate a 6-digit authenticator code to be entered after logging into the MangoApps domain via the web, desktop, and MAC platforms.
Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.
After the selected time period if the user wants to re-login then they would be required to provide a new authenticator code for security reasons.
Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.
Save: Click the Save button to apply the 2FA configurations.
The QR code is displayed only once at the first time the 2FA settings are applied. Once a user scans the QR code, the QR code is not displayed to the user.
Recommended Authenticator Apps
Users need to download an authenticator app to their mobile device to scan QR codes and retrieve authentication data.
Here are some recommended authenticator apps, you can follow the links to download and install them:
Google Authenticator (Android/iPhone/BlackBerry)
DUO Mobile (Android/iPhone)
Authenticator (Google Chrome extension)
Authy (Android/iPhone)
Login Token via Duo App
Enable two factor authentication (2FA): Select the 'Yes - Login token via Duo app' option to create a unique QR code for each user. Users MUST scan using the DUO Mobile app to generate a 6-digit authenticator code to be entered after logging into the MangoApps domain via the web, desktop, or MAC platforms.
Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.
After the selected time period if the user wants to re-login then they would be required to provide a new authenticator code for security reasons.
Integration Key: Enter the integration key received from the application you protected in your DUO account.
Secret Key: Enter the secret key received from the application you protected in your DUO account.
API hostname: Enter the API hostname received from the application you protected in your DUO account.
Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.
Skip 2FA when user logs in via an SSO connection:
The QR code is displayed only once at the first time the 2FA settings are applied. Once a user scans the QR code, the QR code is not displayed to the user.
Session Timeout Settings
Users in confidential environments may need shorter session timeout periods to improve security. With a session timeout period set, your domain will automatically log users out if they are inactive for a set period of time. If users leave their machine and forget to log off, their computers cannot be logged into without their password.
Timeout user's session after: Select the timeout period of inactivity to automatically terminate a user's current session. The possible values are - Never (never terminate a session), 10 mins, 30 mins, 1 hour, 4 hours, 8 hours, or 12 hours.
Advanced Login Settings
The Advanced Login Settings apply only for the Admin Portal to provide additional domain administration security and does NOT apply to network and guest users. Network admins can configure a PIN (shared by all network admins) which all admins will need to enter to access the Admin Portal. When network admins log into the Admin Portal they will need to enter the PIN before they can proceed.
The URL to access the admin portal: The URL for network admins to access your domain's Admin Portal.
Enable setup PIN: Mark the checkbox to setup a PIN for all admins which they will need to enter to access the Admin Portal.
PIN: Enter the preferred alphanumeric pin shared by all network admins. 15 character limit.
Password Auto-Complete Settings
Network admins can restrict browsers from remembering or storing MangoApps account passwords for auto-complete.
Disable storing of password by the browser: Mark the checkbox to restrict browsers from storing MangoApps account passwords.
Mozilla Firefox and Safari browsers may not adhere to this setting if the user has explicitly asked the browser to save a password.
FAQs
Can users reset the QR code?
Yes, in the case a user loses access to the mobile device they used at the time of two factor authentication (2FA) activation, network admins can reset the QR code for the login associated with the user via Admin Portal > Users > Manage Users > User Tools > Reset QR Code. See Reset QR Code for more information.
Last updated