# Configure Authentication Settings

The **Authentication** tab under **Settings** lets administrators set the organization's:

- Web session timeout
- MFA (multi-factor authentication)


## Set web session timeout

Here, admins configure a session timeout for a single login to the Fordefi Web console, applied to all users in the organization. When the timeout has lapsed since the start of the session, the user is automatically logged off.

When a user belongs to more than one organization, the shortest session timeout defined for that user across all organizations is the one in effect.

- The web console **inactivity timeout** is fixed at 24 hours. Even if you set the **session timeout** to longer than 24 hours, for added security the user is still logged out after 24 hours of inactivity.
- The web console timeout setting has no effect on the length of mobile sessions.


Here's how you set the web console timeout:

1. In the web console, click **Settings** > **Authentication**.
2. In the screen that is displayed, click **Edit** in the upper-right.
3. In the field and list that open, specify the desired number of hours and minutes.
4. Click **Save**.


## Activate MFA

MFA is optional for an organization and is activated globally by an administrator for all users in the organization. When activated, users must set up MFA for their account on their next login.

As part of the activation, admins can choose whether to enable the option “remember this device for 30 days” for users. If not enabled, MFA is required on every login.

To activate MFA:

1. In the web console, click **Settings** > **Authentication**.
2. Click **Turn on MFA**. Confirm the activation in the notification that is displayed.
3. If you so choose, toggle on **Remember this device for 30 days**.


- The currently supported MFA method is TOTP (available through apps such as Google Authenticator or Yubico Authenticator).
- For security reasons, once MFA is turned on for an organization, it cannot be turned off. To reset MFA, contact Fordefi support.


## Activate Okta (OIDC) SSO

You can add Fordefi to the applications in your organization that require authentication and authorization under Okta SSO using the OIDC (OpenID Connect) protocol. Once integration is complete, users seeking to log in to Fordefi will be signed in through Okta instead.

The integration is applied across **all workspaces** in your Fordefi organization and there is **no expected downtime** during the transition.

### Before you begin

> **Important:** Once Okta SSO is enabled, every user whose email matches your configured Okta domain(s) (e.g. `acme.com`) will **no longer be able to sign in with a username and password**. They will only be able to authenticate via Okta or another configured SSO method (such as Google SSO).
> Before requesting the cutover, make sure that **every Fordefi user on those domains has an active Okta account tied to the same email address** they use for Fordefi. This prevents anyone from being locked out after the switch.
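One way to run the pre-cutover check described above, as an added example that is not part of the Fordefi documentation or product: given an export of your Fordefi user emails and your Okta user emails (both constructed here), it lists who will be moved to Okta-only login and who would be locked out. It assumes Fordefi matches the email domain exactly against the configured domain list (no subdomain matching); confirm that with Fordefi support before relying on it.

```python
"""Pre-cutover lockout check for an Okta (OIDC) SSO migration.

Added example; not Fordefi's own code. Assumes exact domain matching
(so "sub.acme.com" is NOT covered by a configured "acme.com").
Sample data below is constructed.
"""


def normalize(email: str) -> str:
    """Lower-case and trim so 'Alice@ACME.com ' compares equal to 'alice@acme.com'."""
    return email.strip().lower()


def domain_of(email: str) -> str:
    """Return the part after the last '@', or '' if the address has no '@'."""
    _, sep, domain = normalize(email).rpartition("@")
    return domain if sep else ""


def lockout_report(fordefi_users, okta_users, sso_domains):
    """Return (affected, locked_out), both sorted lists of normalized emails.

    affected:   Fordefi users whose domain is in sso_domains; after the cutover
                they can no longer sign in with a username and password.
    locked_out: the subset with no Okta account on the same address; these
                users must be provisioned in Okta before requesting the switch.
    """
    domains = {d.strip().lower() for d in sso_domains}
    okta = {normalize(u) for u in okta_users}
    affected = sorted({normalize(u) for u in fordefi_users if domain_of(u) in domains})
    locked_out = [u for u in affected if u not in okta]
    return affected, locked_out


# Constructed sample data for a dry run.
FORDEFI_USERS = ["Alice@acme.com", "bob@acme.com", "carol@sub.acme.com",
                 "dave@contractor.io", "erin@acme.com "]
OKTA_USERS = ["alice@acme.com", "carol@sub.acme.com", "erin@acme.com"]
SSO_DOMAINS = ["acme.com"]

if __name__ == "__main__":
    affected, locked_out = lockout_report(FORDEFI_USERS, OKTA_USERS, SSO_DOMAINS)
    print("Users moved to Okta-only login:", affected)
    print("Users who would be LOCKED OUT:  ", locked_out)
```

Run it against a real export before emailing support; an empty locked-out list is the condition the note above asks you to reach.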


### Okta application settings

When configuring your Okta application, use the following values:

- **Redirect URI (Sign-in redirect URI):**

```
https://auth.fordefi.com/login/callback
```
- **Logout redirect URI:** Not required - Fordefi does not trigger a logout redirect on Okta, so you can leave this field empty.
- **Login URL** (if needed for your configuration):

```
app.fordefi.com
```


### How to enable

Reach out to Fordefi Customer Service at **support@fordefi.com** with the following information:

1. The **`client_id`** of your Okta application.
2. The **`client_secret`** of your Okta application; share it securely using [1Password item sharing](https://support.1password.com/share-items/?mac) or an equivalent secure channel.
3. Your **Okta domain**, in the format `my-domain.okta.com`.
4. The **email domain(s)** that should be redirected to Okta authentication (e.g. `acme.com`).


Once Fordefi receives and configures these details, SSO will be enabled for your organization — no further action is required on your side.

If your Fordefi workspace has MFA activated, be aware that once Okta SSO is enabled, **all workspace users will need to create a new MFA record**. Fordefi treats Okta as a new login method, so existing MFA registrations do not carry over.