Step 2: Choosing the Account Authentication Policy
Once the chosen IdP is set up, the Primary Account Owner (PAO) defines the Authentication Policy for each user, including themself. The policy dictates which login methods are permitted for the PAO and for every associated sub-user.
This selection is the central control mechanism for managing access and enforcing security requirements.
Flexible Authentication Policies
The system offers flexibility, recognizing that you may need a phased rollout or wish to retain the legacy password option as a temporary fallback or backup. The PAO may designate a different policy for each user, including themself; however, every user must use the same IdP that is enabled for the account.
For example, if you have chosen Google SSO as your IdP, all users will need to sign in with Google.
This design provides operational flexibility and a smooth transition, and it gives the PAO an administrative "back out" mechanism should the SSO integration require adjustment later.
| Policy Setting | Allowed Login Methods | Security / Management Implication | Recommended Use Case |
|---|---|---|---|
| Require SSO | Single Sign-On only. Username/Password login is disabled. | Highest Security. When a user is removed from your organization’s IdP directory, their access to 101domain is prevented upon their next login attempt. The sub-user account should then be removed from the account by the PAO. If a user is removed from your IdP during a current user session, authentication is checked at regular intervals during a session and the user will be logged out at the first re-authentication attempt. | Recommended organization-wide setting for strict compliance and immediate deactivation of offboarded employees. |
| Username / Password Only (Standard) | Legacy 101domain username/password only. SSO is disabled. | Standard security. This is your account state when there is no IdP configured. 2FA is recommended in this case. Access termination is handled manually by the PAO by removing the sub-user within the 101domain Control Panel. | Accounts intended for shared use, or those using distributed email addresses (e.g., billing@) that are not tied to a unique corporate identity. |
| SSO Enabled But Require SSO = Off | Both Single Sign-On and Username/Password login are allowed concurrently. | Maximum Flexibility. This is your account state when an IdP is initially set up but the Require SSO setting is not enabled. Allows users to choose their preferred method. Access termination must be managed manually (either by deleting the user or changing the policy to "SSO Only" and allowing your IdP directory to dictate access). | Initial rollout, testing phases, or transitional periods. |
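The following is an added illustration, not 101domain's own code: a small model of the three policies in the table, the single-IdP rule, and the in-session re-check, written to show the offboarding gap that remains when Require SSO is off. The `Account` structure, the `idp_directory` set standing in for the IdP's directory, and the shape of the periodic re-check are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    REQUIRE_SSO = "sso_only"          # SSO only; username/password disabled
    PASSWORD_ONLY = "password_only"   # legacy credentials only; SSO disabled
    SSO_OPTIONAL = "sso_optional"     # IdP configured but Require SSO = Off

ALLOWED = {
    Policy.REQUIRE_SSO: {"sso"},
    Policy.PASSWORD_ONLY: {"password"},
    Policy.SSO_OPTIONAL: {"sso", "password"},
}

@dataclass
class Account:
    idp: str | None                # the one IdP enabled for the account, or None
    idp_directory: set[str]        # constructed stand-in for the IdP's user directory
    policies: dict[str, Policy]    # per-user policy chosen by the PAO

def can_login(acct: Account, user: str, method: str, idp: str | None = None) -> bool:
    """Decide whether a login attempt is permitted under the user's policy."""
    policy = acct.policies.get(user)
    if policy is None or method not in ALLOWED[policy]:
        return False               # sub-user removed by the PAO, or method disabled
    if method == "sso":
        # Every user must come through the account-level IdP, and that IdP
        # must still assert the user (removal blocks the next login attempt).
        return acct.idp is not None and idp == acct.idp and user in acct.idp_directory
    return True                    # password path never consults the IdP

def session_still_valid(acct: Account, user: str) -> bool:
    """Assumed model of the interval re-check performed during a live session."""
    policy = acct.policies.get(user)
    if policy is None:
        return False               # manual termination: PAO deleted the sub-user
    if policy is Policy.REQUIRE_SSO:
        return user in acct.idp_directory   # IdP removal ends the session here
    return True                    # other policies: only manual removal ends access

def offboarding_gap(acct: Account, user: str) -> bool:
    """True when a user already removed from the IdP can still log in by password."""
    return user not in acct.idp_directory and can_login(acct, user, "password")
```

Running `offboarding_gap` over each sub-user after an IdP removal is the check a PAO would want before relying on the IdP directory alone to dictate access.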
Once you have completed the configuration and selected the preferred IdP, you can further strengthen your security by continuing to Step 3: Enforcing SSO Only Authentication.