Browser Access

Configuring the web portal access settings

Overview

Network admins can configure the web portal access settings from here

Basic Configuration

To help protect your domain's data from unauthorized access, network admins can specify a list of IP addresses from which users can log in.

Admin Portal > Security > Browser Access > Basic Configuration
  1. IP Range: Enter the start IP address and the end IP address to limit users from accessing the web portal only from the specified IP range. You can optionally add groups synced from the AD/LDAP providers in the AD Group text box. You can add a name for the specified IP range for quick identification and categorization.

  2. Add a new IP range: Click the Add a new IP range link to add multiple IP range addresses for web portal access to your domain.

  3. Save: Click the Save button to apply the basic configurations for browser access.

The configured IP range can be applied for 'Desktop Access' and 'Mobile Access' settings.

Users outside of the specified login IP ranges CANNOT access the web portal.

Configuring Two Factor Authentication (2FA) Settings

As a security measure, network admins can mandate Two Factor Authentication (2FA) for the domain. With 2FA, all users MUST use an additional security code to login to their accounts along wit their account password.

There are three different ways to retrieve authentication codes for your users during login. You can either:

  • 2FA token via Email: The secure authentication code is sent to a user's primary email ID setup in the user's profile.

  • 2FA token via Authenticator app: Users MUST download an authenticator app to their mobile device. The users will then be able to scan QR codes and retrieve authentication data for themselves.

  • 2FA token via Duo app: Users MUST download the Duo Mobile app to their mobile device. The users will then be able to scan QR codes and retrieve authentication data for themselves.

The two factor authentication is applied to all existing and new users (network users and guest users).

When logging in via Google Apps the 2FA settings are NOT applicable. For SSO connections using SAML see the setting 'Skip 2FA when user logs in via an SSO connection' value.

By default, the two factor authentication (2FA) is disabled for the domain.

Admin Portal > Security > Browser Access > Two Factor Authentication Settings

Login Token via Email

Admin Portal > Security > Browser Access > Two Factor Authentication Settings
  1. Enable two factor authentication (2FA): Select the 'Yes - Login token via Email' option to send a 5-digit unique login token to a user's primary email ID which they MUST enter after logging into the MangoApps domain via the web, desktop, and MAC platforms.

  2. Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.

    After the selected time period if the user wants to re-login then they would be required to provide a new token for security reasons.

  3. Login token valid for: Select the time period for which the login token received by the user over email would remain valid. The login token is always sent over the user's primary email. The possible values for the token validity period are - 1 min, 5 mins , 10 mins, 15 mins, 30 mins, or 1 hr.

  4. Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.

  5. Save: Click the Save button to apply the 2FA configurations.

A user MUST have access to their primary email ID provided in their user profile to receive the login token and gain access to the MangoApps domain.

Login token email preview

Login token via Authenticator App

Admin Portal > Security > Browser Access > Two Factor Authentication Settings
  1. Enable two factor authentication (2FA): Select the 'Yes - Login token via Authenticator app' option to create a unique QR code for each user which they MUST scan using an authenticator app to generate a 6-digit authenticator code to be entered after logging into the MangoApps domain via the web, desktop, and MAC platforms.

  2. Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.

    After the selected time period if the user wants to re-login then they would be required to provide a new authenticator code for security reasons.

  3. Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.

  4. Save: Click the Save button to apply the 2FA configurations.

The QR code is displayed only once at the first time the 2FA settings are applied. Once a user scans the QR code, the QR code is not displayed to the user.

2FA authentication via Authenticator app preview

Recommended Authenticator Apps

Users need to download an authenticator app to their mobile device to scan QR codes and retrieve authentication data.

Here are some recommended authenticator apps, you can follow the links to download and install them:

Login Token via Duo App

Admin Portal > Security > Browser Access > Two Factor Authentication Settings
  1. Enable two factor authentication (2FA): Select the 'Yes - Login token via Duo app' option to create a unique QR code for each user which they MUST scan using the DUO Mobile app to generate a 6-digit authenticator code to be entered after logging into the MangoApps domain via the web, desktop, and MAC platforms.

  2. Authentication valid for: Select the time period for which the user’s authenticated session would remain valid. The possible values for the authentication validity period are - Always prompt (prompt the user for login token every time the user tries to log in), 15 mins, 30 mins, 1 hr, 1 day, 1 week, or 1 month.

    After the selected time period if the user wants to re-login then they would be required to provide a new authenticator code for security reasons.

  3. Integration Key: Enter the integration key received from the application you protected in your DUO account.

  4. Secret Key: Enter the secret key received from the application you protected in your DUO account.

  5. API hostname: Enter the API hostname received from the application you protected in your DUO account.

  6. Skip 2FA when user logs in via an SSO connection: Mark the checkbox to not use the 2FA authentication if a user has logged in via any SSO connection.

    Skip 2FA when user logs in via an SSO connection:

  7. Save: Click the Save button to apply the 2FA configurations.

The QR code is displayed only once at the first time the 2FA settings are applied. Once a user scans the QR code, the QR code is not displayed to the user.

Configuring the Session Timeout Settings

Users in confidential environments may need shorter session timeout periods to improve security. With a session timeout period set, your domain will automatically log users out if they are inactive for a set period of time. If users leave their machine and forget to log off, their computers cannot be logged into without their password.

Admin Portal > Security > Browser Access > Session Timeout Setting
  1. Timeout user's session after: Select the timeout period of inactivity to automatically terminate a user's current session. The possible values are - Never (never terminate a session), 10 mins, 30 mins, 1 hour, 4 hours, 8 hours, or 12 hours.

  2. Save: Click the Save button to apply the session timeout configurations.

Configuring the Advanced Login Settings

The Advanced Login Settings apply only for the Admin Portal to provide additional domain administration security and does NOT apply to network and guest users. Network admins can configure a PIN (shared by all network admins) which all admins will need to enter to access the Admin Portal. When network admins log into the Admin Portal they will need to enter the PIN before they can proceed.

Admin Portal > Security > Browser Access > Advanced Login Settings
  1. The URL to access teh admin portal: The URL for network admins to access your domain's Admin Portal.

  2. Enable setup PIN: Mark the checkbox to setup a PIN for all admins which they will need to enter to access the Admin Portal.

  3. PIN: Enter the preferred alphanumeric pin shared by all network admins.

  4. Save: Click the Save button to apply the advanced login settings.

Configuring the Password Auto-Complete Settings

Network admins can restrict browsers from remembering or storing MangoApps account passwords for auto-complete.

Admin Portal > Security > Browser Access > Password Auto-Complete Settings
  1. Disable storing of password by the browser: Mark the checkbox to restrict browsers from storing MangoApps account passwords.

  2. Save: Click the Save button to apply the password auto-complete settings.

Mozilla Firefox browser may not honor this setting if the user has explicitly asked the browser to save a password.

Latest Safari browser (5.1.7) on windows may completely dishonor this setting.

FAQs

Can users reset the QR code?

Yes, in case a user loses access to the mobile device they used at the time of two factor authentication (2FA) activation, network admins can reset the QR code for the login associated with the user via Admin Portal > Users > Manage Users > User Tools > Reset QR Code. See Reset QR Code for more information.

Did this article help? Your feedback adds value when we shape up the help articles. Hit the smileybelow to let us know!