
# Access and authentication

The ***Access & authentication*** section allows you to configure how your users will log into Devolutions Cloud.

{% hint style="info" %}
For complete instructions on how to configure single sign-on (SSO) with Devolutions Cloud, see [Get started with SSO in Devolutions Cloud](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/).
{% endhint %}

### General & Authentication modes

In the ***General*** section, you can enable login settings for your users.

<table><thead><tr><th width="230.5999755859375">Option</th><th>Description</th></tr></thead><tbody><tr><td><strong>Force prompt login</strong></td><td>Enforces a login prompt for all users. If users have set up multifactor authentication in their Devolutions Account, this will only prompt for multifactor authentication.</td></tr><tr><td><strong>Enforce multifactor authentication on Devolutions Account</strong></td><td>Requires all users to set up multifactor authentication on their Devolutions Account.</td></tr><tr><td><strong>Enforce number matching push notifications via Devolutions Password Manager</strong></td><td>Enables 2FA number matching for all users of this Devolutions Cloud instance with our Devolutions Password Manager.</td></tr><tr><td><strong>Single sign-on (SSO)</strong></td><td>Allows users to sign in using a configured identity provider (SSO).</td></tr><tr><td><strong>Devolutions Account</strong></td><td>Allows users to sign into Devolutions Cloud with their Devolutions Account.</td></tr><tr><td><strong>Contractor</strong></td><td>Allows authentication with a contractor user, i.e., a temporary user with limited access rights and UI options.</td></tr><tr><td><strong>Inactivity logout time</strong></td><td>Disconnects users after a set inactivity time value, ranging from 5 minutes to 4 hours (unless Off). The delay is only active when the page is open.</td></tr></tbody></table>

{% hint style="info" %}
The ***Enforce multifactor authentication on Devolutions Account*** and ***Enforce number matching push notifications via Devolutions Password Manager*** settings do not apply to users that log in with single sign-on (SSO).
{% endhint %}

### Domain

{% hint style="info" %}
For the full domain verification and SSO setup instructions, visit [Get started with SSO in Devolutions Cloud](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/).
{% endhint %}

Verify your domain(s) for single sign-on. Multiple domains can be verified in a single SSO configuration. Domain verification is mandatory, as it allows us to verify ownership of the domain(s) supplied.

![](https://cdnweb.devolutions.net/docs/HUBB2010_2024_1.png)

In a separate window, log in to your domain host and find your DNS records. Create and save a new `TXT` record using the information provided below.

![](https://cdnweb.devolutions.net/docs/HUBB2011_2024_1.png)

You know that your domain has been successfully verified when its status changes from ***Pending*** to ***Verified***, as indicated with an icon of a checkmark within a green circle, as seen below.

![](https://cdnweb.devolutions.net/docs/HUBB2012_2024_1.png)

### Single Sign-On (SSO)

{% hint style="info" %}
For the full SSO setup instructions, visit [Get started with SSO in Devolutions Cloud](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/).
{% endhint %}

Use the ***Single Sign-On (SSO)*** section to configure SSO for your Devolutions Cloud users. Start by selecting your identity provider: Microsoft or Okta.

You then have to enter some information as seen below.

By default, SSO will be enabled once you complete its configuration. You can also ***Force SSO on all users***.

{% hint style="danger" %}
If you enable ***Force SSO on all users***, users will not have access to Devolutions Cloud in case of misconfiguration or downtime of your SSO provider. We strongly recommend that you inform all existing users in your Devolutions Cloud of this new authentication method prior to activating it. Alternatively, see [Disable Force SSO on all users in Devolutions Cloud using PowerShell](https://docs.devolutions.net/powershell/devolutions-cloud-powershell/disable-force-sso-on-all-users/) to temporarily disable the feature.
{% endhint %}

After SSO is set up, users will then be able to log in to your Devolutions Cloud instance using their Entra ID or Okta credentials in addition to being able to do so with their Devolutions Account credentials.

After having configured and saved your SSO settings, it is still possible to edit them or even delete them.

### Provisioning

{% hint style="info" %}
User and user group provisioning is currently only available with Microsoft Entra ID.
{% endhint %}

Synchronize and automate the provisioning and deprovisioning of your Devolutions Cloud users and groups by connecting your identity provider (IdP) to Devolutions Cloud using the SCIM (System for Cross-domain Identity Management) specification, under your IdP configurations.

Your domain(s) must be verified and single sign-on must first be configured and enabled to set up the provisioning. For the full provisioning setup instructions, visit [Get started with SSO in Devolutions Cloud](https://docs.devolutions.net/cloud/getting-started/get-started-with-sso-in-devolutions-cloud/).

### Encryption Service

Devolutions Cloud's encryption service streamlines access to Devolutions Cloud by eliminating the requirement to individually invite each user from your SSO provider. You need to enable the feature and enter the ***Encryption service URL***, which is where the encryption service will listen for incoming requests. This URL or IP address only needs to be reachable by clients logging in using the encryption service.

See [Encryption service](https://docs.devolutions.net/cloud/web-interface/administration/configuration-security/authentication/encryption-service/) for a list of requirements and configuration guides.

![](https://cdnweb.devolutions.net/docs/HUBB2366_2024_1.png)

#### See also

* [Devolutions Academy – Configure multi-factor-authentification in Devolutions Cloud](https://academy.devolutions.net/student/page/2745279-configure-multi-factor-authentification-in-devolutions-hub?curriculum_activity_id=4164309\&path_id=2628397\&sid=02d8fe9d-9514-4ecf-a9da-584dd3b9ef19\&sid_i=0)
* [Devolutions Academy – Exploring configuration & security](https://academy.devolutions.net/student/page/2761744-exploring-configuration-security?curriculum_activity_id=4271806\&path_id=2543918\&sid=fb72ff46-963b-486d-85f5-6eae67886ddf\&sid_i=0)

