Topic
This article answers frequently asked questions about security assertion markup language (SAML) and single sign-on (SSO).
Environment
NinjaOne sign-on security
Questions
- Why am I still receiving Native MFA prompts when performing administrative tasks in NinjaOne with MFA bypass enabled?
- When setting up SSO, we do not see the option for "Microsoft login with MFA." Is this expected behavior?
- Are multi-tenant SAML/SSO integrations supported?
- Does MFA still need to be configured if SAML/SSO is enabled and configured for an account?
- Do NinjaOne users need to be created in NinjaOne first in order to use SAML, even when SSO/SAML is configured with an IdP?
- What SAML workflows are currently supported by NinjaOne's SAML integration?
- In which IDP marketplaces is NinjaOne available for a more straightforward SAML configuration?
- Which vendors do you currently support for SAML?
- Can SAML be used with the NinjaOne mobile app?
- Can technicians log into branded NinjaOne sites with SSO?
- If technicians use SSO as their authentication method, can they reset their NinjaOne password?
- Additional Resources
Why am I still receiving Native MFA prompts when performing administrative tasks in NinjaOne with MFA bypass enabled?
MFA bypass will remove the Native MFA prompt requirement during the login process as long as NinjaOne sees a successful MFA prompt from the identity provider. However, you must still use native MFA to authenticate high-risk and high-impact administrative actions within the NinjaOne console.
When setting up SSO, we do not see the option for "Microsoft login with MFA." Is this expected behavior?
When configuring SSO, you must enable the conditional NinjaOne MFA bypass. The bypass only works for technicians and not end users. End users must use SCIM.
Are multi-tenant SAML/SSO integrations supported?
Yes.
Does MFA still need to be configured if SAML/SSO is enabled and configured for an account?
For security purposes, we require MFA with SSO accounts for high-risk transactions and initial sign-in. The first sign-in with MFA sets your session cookie.
Do NinjaOne users need to be created in NinjaOne first in order to use SAML, even when SSO/SAML is configured with an IdP?
Yes, you must create the users in NinjaOne and then enable SSO for each account.
What SAML workflows are currently supported by NinjaOne's SAML integration?
There are two main SAML workflows: the Service Provider (SP) initiated workflow (you navigate to NinjaOne to log in and are forwarded to the identity provider to authenticate) and the Identity Provider (IDP) initiated workflow (you log in at your identity provider first and are then sent on to NinjaOne). Currently, NinjaOne's SAML integration only supports the Service Provider (SP) initiated workflow.
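As an added example (not NinjaOne's code), this sketch shows how a service provider tells the two workflows apart on the receiving end: the SP-initiated flow starts with an AuthnRequest whose ID the IdP's Response must echo in InResponseTo, while an IdP-initiated Response arrives unsolicited with no such reference. The endpoint URLs and message shapes are assumed placeholders, and signature and assertion validation are omitted.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Assumed, hypothetical endpoints for the example; not NinjaOne's real URLs.
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.com/sso"


def build_authn_request(pending: set) -> tuple:
    """SP-initiated step 1: the SP mints an AuthnRequest with a fresh ID and
    remembers that ID so it can later match the IdP's Response to it."""
    req_id = "_" + secrets.token_hex(16)
    pending.add(req_id)
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="{req_id}" '
           f'Version="2.0" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}"/>')
    return req_id, xml


def make_response(in_response_to=None, destination=SP_ACS_URL) -> str:
    """Constructed sample of the IdP's Response (signature and Assertion
    omitted; only the routing attributes matter for this example)."""
    ref = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_resp1" Version="2.0" '
            f'Destination="{destination}"{ref}/>')


def classify_response(response_xml: str, pending: set) -> str:
    """Return 'sp-initiated', 'idp-initiated' or 'rejected' for a Response.

    An SP-initiated Response carries InResponseTo equal to an AuthnRequest ID
    the SP issued; an IdP-initiated (unsolicited) Response has none. A service
    that supports only the SP-initiated workflow accepts 'sp-initiated' only;
    unknown or already-consumed request IDs are reported as 'rejected'.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("Destination") != SP_ACS_URL:
        return "rejected"             # wrong element or not addressed to our ACS
    ref = root.get("InResponseTo")
    if ref is None:
        return "idp-initiated"        # unsolicited: no request of ours to tie it to
    if ref not in pending:
        return "rejected"             # replayed, expired or forged reference
    pending.discard(ref)              # each request ID is consumed exactly once
    return "sp-initiated"
```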
In which IDP marketplaces is NinjaOne available for a more straightforward SAML configuration?
Currently, NinjaOne is available in the Azure IDP marketplace.
Which vendors do you currently support for SAML?
You can use any IDP that supports SAML 2.0. However, we have only tested and verified Azure, OneLogin, and Okta.
Can SAML be used with the NinjaOne mobile app?
Yes, you may use SAML with the NinjaOne mobile app.
Can technicians log into branded NinjaOne sites with SSO?
Yes, technicians using SSO authentication can sign into a branded NinjaOne site. No additional SAML configuration is required.
If technicians use SSO as their authentication method, can they reset their NinjaOne password?
No. Once you set the authentication method for a technician to SSO, they will no longer have the option to reset their NinjaOne password.
Additional Resources
Refer to the following resources to learn more about login security in NinjaOne: Identity Authentication and Management: Resource Catalog