10. Authentication

MFA and SSO

CertKit supports two authentication methods: standard email/password with TOTP-based multi-factor authentication (MFA), and SAML 2.0 single sign-on (SSO).

SAML 2.0 Single Sign-On (SSO)

SSO configuration is managed at the account level by an administrator.

Configuration Steps

  1. Service Provider Metadata: Copy the ACS URL and Entity ID / Audience URI from CertKit and provide them to your Identity Provider (IdP).
  2. IdP Metadata: Upload your IdP’s SAML 2.0 metadata XML file to CertKit.
  3. Activation: Use the Enable SSO toggle to activate the integration.

Disabling the toggle pauses SSO logins without removing the configured metadata, allowing for maintenance windows or troubleshooting.
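Before uploading the IdP metadata file from step 2, it is worth checking that it actually carries what CertKit's SAML integration will depend on: a signing certificate (without one, assertions cannot be verified), an HTTPS single sign-on endpoint, and a `validUntil` date that has not passed. The following script is an added example, not CertKit's code; it uses only the Python standard library, and the metadata it parses is a constructed sample whose entity ID, URLs and certificate are placeholders.

```python
"""Inspect a SAML 2.0 IdP metadata document before handing it to the SP.

Added example (not CertKit's code). Parses md:EntityDescriptor with the
standard library; for metadata from an untrusted source, swap ElementTree
for defusedxml to rule out entity-expansion tricks.
"""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the fields a service provider needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file does not describe an IdP")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                # Metadata carries the DER certificate base64-encoded (PEM body, no headers).
                signing_certs.append(base64.b64decode("".join((c.text or "").split())))

    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "sso_endpoints": {e.get("Binding"): e.get("Location")
                          for e in idp.findall("md:SingleSignOnService", NS)},
        "signing_certs": signing_certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def check_idp_metadata(info: dict, now: dt.datetime = None) -> list:
    """Return the problems a reviewer would want fixed before enabling SSO."""
    now = now or dt.datetime.now(dt.timezone.utc)
    findings = []
    if not info["entity_id"]:
        findings.append("entityID missing")
    if not info["signing_certs"]:
        findings.append("no signing certificate: SAML responses could not be verified")
    if not (info["sso_endpoints"].get(REDIRECT) or info["sso_endpoints"].get(POST)):
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for url in info["sso_endpoints"].values():
        if not (url or "").startswith("https://"):
            findings.append("SSO endpoint is not HTTPS: %s" % url)
    if info["valid_until"]:
        expires = dt.datetime.fromisoformat(info["valid_until"].replace("Z", "+00:00"))
        if expires <= now:
            findings.append("metadata validUntil %s has already passed" % info["valid_until"])
    return findings


# Constructed sample: placeholder entity ID, URLs and certificate (not a real cert).
FAKE_CERT_B64 = base64.b64encode(b"placeholder, not a real DER certificate").decode()
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml" validUntil="2030-01-01T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % FAKE_CERT_B64

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", info["entity_id"])
    print("findings:", check_idp_metadata(info) or "none")
```

Run it against a real export by reading the file into `parse_idp_metadata`; an empty findings list means the three things the SP needs are present, but it does not validate the certificate itself (use `openssl x509 -noout -dates` or a PKI library for expiry and key size).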

User Conversion

Users must be explicitly assigned to either the Email or SSO authentication method.

  • Security: Converting a user to SSO clears their local password and MFA enrollment. Authentication is then delegated entirely to your IdP.

Multi-Factor Authentication (TOTP)

MFA uses the Time-based One-Time Password (TOTP) algorithm and works with standard authenticator applications (e.g., Google Authenticator, 1Password).

  • Enrollment: Users enroll individually by scanning a QR code from their profile page.
  • Recovery: If a user loses their authenticator device, an account administrator can disable MFA for that user via the user detail page.
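To make the enrollment and verification flow concrete, here is a standard-library Python implementation of TOTP (RFC 6238 over HOTP, RFC 4226) as an added example, not CertKit's code: the secret the QR code carries, the `otpauth://` URI the authenticator app scans, and a verifier that tolerates one step of clock skew while refusing to accept a code twice. The account name and issuer in the demo are placeholders; the secret in the usage note is the RFC 6238 test key.

```python
"""TOTP enrollment and verification (RFC 6238 / RFC 4226). Added example, stdlib only."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32 without padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str,
                     digits: int = 6, period: int = 30) -> str:
    """The otpauth:// URI that the enrollment QR code encodes."""
    return ("otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=%d&period=%d"
            % (quote(issuer), quote(account), secret, quote(issuer), digits, period))


def _decode_secret(secret: str) -> bytes:
    s = secret.upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))


def _hotp(key: bytes, counter: int, digits: int) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, for_time=None, digits: int = 6, period: int = 30) -> str:
    """Code for the time step containing for_time (default: now)."""
    t = int(time.time() if for_time is None else for_time)
    return _hotp(_decode_secret(secret), t // period, digits)


def verify_totp(secret: str, code: str, for_time=None, last_counter: int = -1,
                window: int = 1, digits: int = 6, period: int = 30):
    """Return the matched time-step counter, or None.

    Accepts +/- `window` steps for clock skew. The caller stores the returned
    counter per user and passes it back as last_counter next time, so a code
    that was already accepted (or any earlier one) can never be replayed.
    """
    t = int(time.time() if for_time is None else for_time)
    key = _decode_secret(secret)
    base = t // period
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time compare: do not leak which digits matched.
        if hmac.compare_digest(_hotp(key, counter, digits), str(code)):
            return counter
    return None


if __name__ == "__main__":
    # Enrollment: server stores the secret, user scans the URI as a QR code.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.test", "CertKit"))  # placeholder account
    # Login: authenticator shows totp(secret); server checks it and records the counter.
    code = totp(secret)
    used = verify_totp(secret, code)
    print("accepted at counter", used)
    print("replay accepted?", verify_totp(secret, code, last_counter=used) is not None)
```

Two details matter operationally: the secret must be generated from a CSPRNG (`secrets`, not `random`) and stored as carefully as a password hash would be, and the "last accepted counter" must persist per user, otherwise a code sniffed within its 30-second window can be reused. The RFC 6238 test vector (ASCII key `12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) yields `94287082` at T=59 with eight digits, which the implementation reproduces.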