How does SSO work for the platform?

SAML 2.0 and OIDC are both supported. Configure with your identity provider (Okta, Azure AD/Entra, Google Workspace, JumpCloud, OneLogin), map groups to roles, and CloudIP becomes a downstream of your IdP.

Can I require SSO for some users and password+MFA for others?

Yes. SSO enforcement is a policy by user, group, or role. Service accounts and contractor accounts often stay on password+MFA while employees move to SSO.

Cybersecurity · MFA & SSO

MFA & SSO

TOTP and WebAuthn MFA, plus SAML/OIDC SSO for the whole tenant.

Start free trial Back to Cybersecurity

MFA & SSO flow within the CloudIP Cybersecurity module — input, processing, and outcome.

Identity is the perimeter. MFA on every account and SSO across the workforce are non-negotiable controls. CloudIP enforces MFA at the tenant level with TOTP and WebAuthn, and federates with any SAML or OIDC identity provider for SSO.

SMS MFA is intentionally not supported because of well-known SIM-swap risk.

What you get

Inside MFA & SSO

Specifics that distinguish CloudIP MFA & SSO from the alternative.

TOTP and WebAuthn

Authenticator-app and hardware-key MFA enforced tenant-wide.

SAML SSO

Federate with Okta, Azure AD, JumpCloud, and other SAML providers.

OIDC SSO

OIDC for Google Workspace, Microsoft 365, and custom IdPs.

Session policies

Per-role session length, idle timeout, and re-auth requirements.

How it works

MFA & SSO on the CloudIP platform

Where this capability lives, who runs it, and what it shares with the rest of the system.

MFA & SSO runs as part of the CloudIP Cybersecurity module on the same multi-tenant infrastructure as every other capability you use. There is no separate console to log into and no separate billing line: SMB MFA and SSO is provisioned the moment your tenant is created and stays in lockstep with the rest of the platform as it grows.

Operators interact with SMB MFA and SSO through the Cybersecurity interface they already know — the same record screens, the same audit trail, the same role and permission model. Behind the scenes, totp and webauthn handles the heavy lifting, while session policies keep the experience consistent across teams. Configuration changes are versioned, exportable, and reviewable, so the way you run SMB MFA and SSO today is reproducible tomorrow.

Because MFA & SSO reuses the platform's user database, every action is attributable, every record has a stable ID, and every export honours the tenant's data residency choice. That means SMB MFA and SSO reports tie out to the rest of the books, audit logs, and operational dashboards without an integration step in between.

MFA & SSO fits inside CloudIP Cybersecurity alongside the other cybersecurity capabilities — they share the same data model, so improvements in one tend to compound across the others. If you are evaluating CloudIP specifically for SMB MFA and SSO, the rest of Cybersecurity comes along at no extra cost.

FAQ

Common questions about MFA & SSO

TOTP authenticator apps, WebAuthn (security keys, platform authenticators like Touch ID and Windows Hello), and push notifications via the mobile app. SMS is supported but discouraged for high-privilege roles per NIST guidance.