Centralized Authentication

Centralized Authentication provides a global identity system for user authentication and management. Powered by Okta’s Auth0 platform, it offers secure workflows and innovative features to help clients confidently manage user authentication in their instances. Centralizing user authentication data reduces the burden on admins and provides users with a streamlined authentication experience across instances.

Centralized Authentication supports all types of user authentication, including password and single sign-on (SSO) methods. For SSO, it supports Security Assertion Markup Language (SAML) and OpenID Connect (OIDC).

Prerequisites

Confirm that your browser and network allow traffic to and from the new login page, login.relativity.one, and to *.auth0.com.
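The two entries above are a host allowlist, and the wildcard is the part egress proxies and browser policies most often get wrong. The following check, an added example that is not part of the Relativity documentation, shows what "*.auth0.com" should and should not match (hostnames such as tenant.auth0.com are constructed for illustration):

```python
from urllib.parse import urlsplit

# Hosts the prerequisites say must be reachable (exact name, or one wildcard suffix).
ALLOWED_HOST_PATTERNS = ("login.relativity.one", "*.auth0.com")


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against an exact name or a leading-wildcard pattern.

    "*.auth0.com" matches "tenant.auth0.com" (and deeper labels), but not
    "auth0.com" itself, "evil-auth0.com" or "auth0.com.evil.example":
    the suffix must include the dot, not just the bare string "auth0.com".
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".auth0.com", dot included
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed_url(url: str) -> bool:
    """True only for HTTPS URLs whose *parsed* host is on the allowlist.

    Parsing first matters: in "https://login.relativity.one@evil.example/"
    the allowed name is only userinfo and the real host is evil.example.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(host_matches(parts.hostname, p) for p in ALLOWED_HOST_PATTERNS)
```

Use the same matching semantics when you translate the prerequisite into proxy or firewall rules; a substring match on "auth0.com" would also admit attacker-controlled names.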

Centralized authentication workflow

  1. Admin sets up the authentication providers
  2. Admin invites users to Relativity instance via Centralized Authentication
  3. Users accept the invitation
  4. Users log in to RelativityOne using Centralized Authentication

Setting up your authentication provider

System Admins can set up one or both of the following authentication providers:

  1. Password–a method in which the user signs in with a username (their email address) and a password, protected by two-factor authentication (2FA). See Password setup.
    Note: Setting up Password without 2FA is currently permitted; however, disabling two-factor authentication is not recommended.
  2. SSO (Single Sign-On)–a method that lets users authenticate with an external identity provider, so they have one set of login credentials to access multiple applications. See SSO setup.

SSO setup

We are developing a streamlined Single Sign-On (SSO) setup workflow for implementation within RelativityOne. If you are interested in using Centralized Authentication with SSO in the meantime, please contact your Customer Success Manager for further information.

Password setup

Follow the steps below to set up the Password authentication method with two-factor authentication. Users can be configured to complete the 2FA challenge by email, by Authenticator App, or by either.

  1. Navigate to Authenticator Provider within Authentication.
  2. Click the edit icon next to Password.
    Authentication Provider choice window (SSO or Password)
  3. In the Initial Settings for Two-Factor Authentication (2FA) section, set the following fields:
    Authentication Provider window - 2FA fields
    • Enable 2FA–this toggle is enabled by default to use two-factor authentication for a more secure password experience. If you disable this toggle, a warning against doing so displays as it is not aligned with RelativityOne security best practices.
    • 2FA Methods–select one or both two-factor authentication challenge methods: Email and Authenticator App. By default, the Authenticator App is selected. If both are selected, the user can select which one they want to use during the login process.
    • Enforce Initial 2FA Settings–this toggle is enabled by default. When enabled, the 2FA settings configured in this section apply throughout the instance and to all new users added or invited to the instance, and the 2FA settings in each individual user's record are read-only. If this toggle is disabled, you can modify individual users' 2FA settings. Leave this toggle enabled to keep user settings consistent within the instance.
      Note: When this toggle is enabled, changing these settings does not by itself update users who have already accepted the invitation to Centralized Authentication; use the Enforce 2FA setting in Security Center to apply the updates to them.
    • Bypass 2FA Challenge on Trusted IPs–this toggle is disabled by default. When disabled, users must complete two-factor authentication even on trusted IP addresses. Enable the toggle if you have trusted IP addresses configured and want to skip two-factor authentication for them.
  4. In the Password Rules section, set the following fields:
    • Minimum Password Length–enter the smallest number of characters permitted for user account passwords. RelativityOne security best practices recommend 10 or more characters.
    • Enable Password Expiration–this toggle is enabled by default, with Days Before Password Expiration set to 180. Adjust the number of days in the Days Before Password Expiration field as needed. If disabled, passwords never expire.
    • Enable Password History–enable this toggle to prevent reuse of previous passwords. Enter the number of previous passwords to track in the Maximum Password History field. If disabled, users are permitted to reuse previous passwords.
    • Password Dictionary–enable this toggle to reject the 10,000 most commonly used passwords. If disabled, these passwords are permitted.
  5. Click Save.
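The three 2FA toggles above interact: Enforce Initial 2FA Settings decides whose settings apply, Enable 2FA decides whether a challenge happens at all, and Bypass 2FA Challenge on Trusted IPs carves out an exception. The following is an added example of that decision logic, written for this page and not Relativity's or Auth0's code; the dataclass fields, the CIDR list and the method names "email" and "authenticator_app" are assumptions that mirror the UI fields:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TwoFactorSettings:
    """The 2FA fields of the Password provider (assumed model of the UI settings)."""
    enable_2fa: bool = True                                  # default: on
    methods: frozenset = frozenset({"authenticator_app"})    # default: Authenticator App only
    bypass_on_trusted_ips: bool = False                      # default: off
    trusted_networks: tuple = ()                             # CIDRs, e.g. ("203.0.113.0/24",)


def effective_settings(instance: TwoFactorSettings,
                       user_override: Optional[TwoFactorSettings],
                       enforce_initial: bool) -> TwoFactorSettings:
    """With Enforce Initial 2FA Settings on, per-user values are ignored (read-only in the UI)."""
    if enforce_initial or user_override is None:
        return instance
    return user_override


def is_trusted_ip(client_ip: str, networks) -> bool:
    """True if client_ip falls inside one of the trusted CIDR ranges.

    client_ip must be the address the login service itself observed. A
    client-supplied header such as X-Forwarded-For can be forged to claim a
    trusted address and so turn the bypass into an MFA bypass for attackers.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                                         # unparsable is never trusted
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def required_challenge(settings: TwoFactorSettings, client_ip: str,
                       chosen_method: Optional[str] = None) -> Optional[str]:
    """Return the 2FA method the user must complete now, or None if no challenge is due."""
    if not settings.enable_2fa:
        return None
    if settings.bypass_on_trusted_ips and is_trusted_ip(client_ip, settings.trusted_networks):
        return None
    if not settings.methods:
        raise ValueError("2FA is enabled but no challenge method is selected")
    if len(settings.methods) == 1:
        return next(iter(settings.methods))
    if chosen_method not in settings.methods:                # both enabled: the user picks one
        raise ValueError(f"choose one of {sorted(settings.methods)}")
    return chosen_method
```

Note that with the defaults (bypass off) a trusted-range address still gets a challenge, and that an unparsable or missing client address falls through to the challenge rather than to the bypass.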

Password requirements

Legacy Requirements                              | Centralized Authentication Requirements
-------------------------------------------------|-------------------------------------------------
Minimum character length – defined by customers  | Minimum character length – defined by customers
(default 8)                                      | (default 10)
4 of the 4 criteria:                             | 3 of the 4 criteria:
  • 1 lower case letter                          |   • 1 lower case letter
  • 1 upper case letter                          |   • 1 upper case letter
  • 1 number                                     |   • 1 number
  • 1 non-alpha-numeric character                |   • 1 non-alpha-numeric character

Note: Auth0's password policies follow modern standards that prioritize length over complexity.
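The Password Rules fields above and the two requirement columns describe one policy with different parameters. The validator below is an added example, not Relativity's or Auth0's implementation: its defaults are the Centralized Authentication values (10 to 128 characters, 3 of 4 character classes, dictionary on), the legacy policy is reproduced by changing two arguments, and the six-entry COMMON_PASSWORDS set is a constructed stand-in for the 10,000-entry dictionary. It also shows the one thing a password-history rule must get right: previous passwords are stored and compared as salted hashes, never as plaintext.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for the 10,000-entry most-used-passwords list behind the Password Dictionary rule.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),          # lower case letter
    re.compile(r"[A-Z]"),          # upper case letter
    re.compile(r"[0-9]"),          # number
    re.compile(r"[^A-Za-z0-9]"),   # non-alpha-numeric character
)

PBKDF2_ROUNDS = 100_000


def history_entry(password: str) -> tuple:
    """Record a retired password as (salt, PBKDF2 digest); the plaintext is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def in_history(password: str, entries) -> bool:
    """Compare the candidate against every stored entry in constant time, without early exit."""
    found = False
    for salt, digest in entries:
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        found |= hmac.compare_digest(probe, digest)
    return found


def check_password(candidate: str, *, min_length: int = 10, max_length: int = 128,
                   classes_required: int = 3, use_dictionary: bool = True,
                   history=()) -> list:
    """Return the list of rules the candidate violates; an empty list means acceptable.

    Defaults are the Centralized Authentication values from the tables above.
    min_length=8, classes_required=4 reproduces the legacy policy.
    `history` holds entries produced by history_entry() for the last N passwords.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(candidate) > max_length:
        problems.append(f"longer than {max_length} characters")
    present = sum(1 for rx in CHARACTER_CLASSES if rx.search(candidate))
    if present < classes_required:
        problems.append(f"only {present} of 4 character classes (need {classes_required})")
    if use_dictionary and candidate.lower() in COMMON_PASSWORDS:
        problems.append("is one of the most commonly used passwords")
    if in_history(candidate, history):
        problems.append("reused from password history")
    return problems
```

The dictionary lookup is case-insensitive on purpose: "Password" is no stronger than "password". Returning every violation at once, rather than the first, lets the login page show the user the complete list of fixes.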

Additional password considerations

Feature                                                        | Legacy                    | Centralized Authentication
---------------------------------------------------------------|---------------------------|------------------------------------------------------
Maximum character length                                       | X (default 50)            | X (default 128)
Maximum failed password attempts before password reset         | X                         | X (non-configurable: 10 attempts)
required (Brute Force Protection)                              |                           |
Maximum password age                                           | X (default no expiration) | X (default 180 days)
Maximum password history                                       | X                         | X
Disallow passwords in dictionary                               |                           | X
Set password for user                                          | X                         | Not supported, given the potential for account sharing
Suspicious IP Throttling                                       |                           | X
Breached Password Detection                                    |                           | X
Bot Protection (on specific workflows, such as password reset) |                           | X
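Two rows of the table are worth seeing as logic rather than check marks: Brute Force Protection locks an account after 10 failed attempts until the password is reset, and Suspicious IP Throttling limits a single source address regardless of which accounts it targets. The model below is an added example written for this page; it is not Auth0's implementation, and the per-IP window (60 seconds) and threshold (20 failures) are assumed values, since the page gives only the 10-attempt account limit.

```python
from collections import defaultdict, deque

MAX_FAILED_ATTEMPTS = 10           # from the table: non-configurable, then a password reset is required
IP_WINDOW_SECONDS = 60             # assumed throttling window for one source address
IP_MAX_FAILURES_PER_WINDOW = 20    # assumed threshold across all accounts from that address


class LoginGuard:
    """Per-account lockout plus per-source-IP throttling (simplified model)."""

    def __init__(self):
        self.failures = defaultdict(int)         # account -> consecutive failed attempts
        self.reset_required = set()              # accounts locked until password reset
        self.ip_failures = defaultdict(deque)    # ip -> timestamps of recent failures

    def _ip_throttled(self, ip: str, now: float) -> bool:
        window = self.ip_failures[ip]
        while window and now - window[0] > IP_WINDOW_SECONDS:
            window.popleft()                     # drop failures outside the window
        return len(window) >= IP_MAX_FAILURES_PER_WINDOW

    def attempt(self, account: str, ip: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied', 'reset_required' or 'throttled'.

        password_ok is the result of the credential check; a throttled address
        is refused before that result is even consulted, and a locked account is
        refused even when the password is correct, so a guess that happens to be
        right is never confirmed to the attacker.
        """
        if account in self.reset_required:
            return "reset_required"
        if self._ip_throttled(ip, now):
            return "throttled"
        if password_ok:
            self.failures[account] = 0           # a success clears the consecutive count
            return "ok"
        self.failures[account] += 1
        self.ip_failures[ip].append(now)
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.reset_required.add(account)
            return "reset_required"
        return "denied"

    def complete_password_reset(self, account: str) -> None:
        """Called after the user finishes the reset flow; unlocks the account."""
        self.reset_required.discard(account)
        self.failures[account] = 0
```

The per-IP counter is what stops password spraying: 20 wrong guesses spread over 20 different accounts never trip the 10-attempt account lockout, but they do exhaust the address's window.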

After you complete the password setup, you can start inviting users.

Inviting users

After you set up authentication providers, invite users to Centralized Authentication. You can invite users individually from their user record or in bulk from the Not Invited tab on the Centralized Authentication page.

User tab invitation

  1. Navigate to the Users tab and click the edit icon next to the user you want to invite.
  2. In the Login Method section of the user record, select Password as the Provider.
    User tab invitation provider selection
  3. If Enforce Initial 2FA Settings was enabled during password setup, these fields are read-only. If you are not enforcing the initial 2FA settings, configure the fields as follows:
    • Enable 2FA–this toggle is enabled by default to enable two-factor authentication for a more secure password experience. If you disable this toggle, a warning against doing so displays as it is not aligned with RelativityOne security best practices.
    • 2FA Methods–select one or both two-factor authentication challenge methods: Email and Authenticator App. By default, the Authenticator App is selected. If both are selected, the user selects which one they want to use during the login process.
    • Bypass 2FA Challenge on Trusted IPs–this toggle is disabled by default. When disabled, users must complete two-factor authentication even on trusted IP addresses. Enable the toggle if you have trusted IP addresses configured and want to skip two-factor authentication for them.
    Note: The Status field in this section will change based on the progress of the user email invitation workflow:
    • Blank—indicates the invitation has not been sent to the user.
    • InvitePending—indicates the invitation has been sent to the user but has not yet been accepted.
    • InviteAccepted—indicates the user accepted the invitation.
  4. Click Save.
  5. Click Yes on the Enable User dialog to allow the user to access Relativity using the Password authentication process.
    Enable user window
  6. Click Save and Invite to send an email invitation to the user for this RelativityOne instance.
    Save and Invite confirmation window

The user receives an email invitation from support@relativity.com with the subject, "Welcome to Centralized Authentication in RelativityOne." See User accepts the invitation. Once invited, the user appears on the Pending Invitations tab until they accept the invitation, at which point they move to the Accepted Invitations tab.

Navigate to Centralized Authentication to view Pending, Accepted, and Not Invited users.

Centralized Authentication Invitation window

Centralized authentication tab invitation

  1. Navigate to the Not Invited tab of Centralized Authentication.
  2. Select one or more users to invite and click Invite Users [#]
    Selecting multiple users to invite on the Invitation tab
  3. In the User Login Method modal, select Password as the Provider.
    Selecting Login type - password on the User Login Method modal window
  4. If Enforce Initial 2FA Settings was enabled during password setup, these fields are read-only. If you are not enforcing the initial 2FA settings, configure the fields as follows:
    • Enable 2FA–this toggle is enabled by default to enable two-factor authentication for a more secure password experience. If you disable this toggle, a warning against doing so displays as it is not aligned with RelativityOne security best practices.
    • 2FA Methods–select one or both two-factor authentication challenge methods: Email and Authenticator App. By default, the Authenticator App is selected. If both are selected, the user selects which one they want to use during the login process.
    • Bypass 2FA Challenge on Trusted IPs–this toggle is disabled by default. When disabled, users must complete two-factor authentication even on trusted IP addresses. Enable the toggle if you have trusted IP addresses configured and want to skip two-factor authentication for them.
  5. Click Save and Invite.
  6. Click Close on the message notifying you that the mass invite was successfully sent.
    Invitation sent confirmation window

User accepts the invitation

When the user receives the email invitation from support@relativity.com with the Subject, “Welcome to Centralized Authentication in RelativityOne,” they need to accept it.

  1. The user clicks the Accept invitation button or copies the hyperlink into their browser, which opens the universal login page. The invitation expires after 7 days by default.
    Centralized Authentication Invitation email
  2. In the "You've Been Invited" dialog, the user does one of the following, depending on the authentication provider and 2FA method assigned:
    • Password: Enters their password and clicks Continue.
      Centralized Authentication Login screen
    • Authenticator app: Scans the QR code displayed on the screen with their mobile authenticator app, enters the one-time code from the app into the provided field, and clicks Continue.
      Authenticator app option (QR Code)
    • SSO: If the user was invited to log in with SSO, they are prompted to authenticate with their SSO provider.
    Note: If the user has been invited to a second instance and has already set their password, they click Login instead.
  3. The user logs in to RelativityOne using Centralized Authentication. Admins can check the user's acceptance status on the Accepted Invitations tab in Centralized Authentication.
    Centralized Authentication tab - Accepted Invitations
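The invitation workflow above has three visible states (Blank, InvitePending, InviteAccepted) and one time limit (7 days). What the page does not show is what makes the emailed link safe to send: the link carries a random single-use token, the server keeps only a hash of it, and acceptance is refused after expiry or after first use. The class below is an added example of that lifecycle written for this page; it is not Relativity's or Auth0's code, and the token format, the SHA-256 storage and the epoch-seconds clock are assumptions.

```python
import hashlib
import hmac
import secrets

INVITE_TTL_SECONDS = 7 * 24 * 3600       # the page's default: invitations expire after 7 days
STATUSES = ("Blank", "InvitePending", "InviteAccepted")


class Invitation:
    """Single-use, time-limited invitation for one user in one instance (assumed model)."""

    def __init__(self, email: str, provider: str):
        self.email = email.lower()
        self.provider = provider             # "Password" or "SSO"
        self.status = "Blank"                # nothing sent yet: shows on the Not Invited tab
        self.sent_at = None
        self._token_hash = None              # only the hash of the emailed token is kept

    def send(self, now: float) -> str:
        """Issue a fresh token and return it for the email link; moves to InvitePending."""
        token = secrets.token_urlsafe(32)    # 256 bits of entropy, so a fast hash suffices
        self._token_hash = hashlib.sha256(token.encode()).digest()
        self.sent_at = now
        self.status = "InvitePending"        # now listed on the Pending Invitations tab
        return token

    def expired(self, now: float) -> bool:
        return self.sent_at is not None and now - self.sent_at > INVITE_TTL_SECONDS

    def accept(self, presented_token: str, now: float) -> bool:
        """Validate the link: pending, unexpired, token matches; then burn the token."""
        if self.status != "InvitePending" or self.expired(now):
            return False                     # an expired invite needs a re-invite by the admin
        probe = hashlib.sha256(presented_token.encode()).digest()
        if not hmac.compare_digest(probe, self._token_hash):
            return False
        self._token_hash = None              # single use: the same link cannot be replayed
        self.status = "InviteAccepted"       # now listed on the Accepted Invitations tab
        return True

    def tab(self) -> str:
        """Which Centralized Authentication tab the user appears on."""
        return {"Blank": "Not Invited",
                "InvitePending": "Pending Invitations",
                "InviteAccepted": "Accepted Invitations"}[self.status]
```

Re-sending an invitation calls send() again, which replaces the stored hash, so an older link in a forwarded mailbox stops working as soon as a new one is issued.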

Logging in to RelativityOne

Your organization will notice a slight change in the login process as Centralized Authentication rolls out to users.

Transition period to centralized authentication

Until all users in the instance have accepted the invitation, your organization will use both the legacy authentication and Centralized Authentication workflows. During this transition period, the user login process is as follows:

  1. Navigate to the RelativityOne URL.
  2. On the login page, click Global Identity. The login background will be dark gray, indicating the user is still on the legacy system.
    Global Identity button on login screen
  3. On the universal centralized login page with a light blue background, users can choose their assigned login method.
    Universal centralized login page
  • Using Password login: Enter an email address and click Continue, then enter a password and click Continue.
  • Using SSO login: Click the bottom SSO button for the organization.

Centralized authentication migration

Once all users in the instance accept the invitation and your organization fully utilizes Centralized Authentication, the user login process will be as follows:

  1. Navigate to your RelativityOne URL. Note that users are automatically redirected to the universal centralized login page, login.relativity.one.
    Centralized universal login screen
  • Using Password login: Enter an email address and click Continue, then enter a password and click Continue.
  • Using SSO login: Click the bottom SSO button for the organization.