Multi-Factor Authentication & Single Sign-On - FAQs

Last updated 17/4/2025

General questions

What is MFA?

MFA stands for Multi-factor Authentication. This is a sign-in method that requires a user to authorise their sign-in with a second device. Typically, this will be done with a mobile phone or other smart device, using an authenticator app.

What is SSO?

SSO stands for Single Sign-On. This sign-method uses the credentials from your device sign-in, such as the username and password you use to sign into your work computer, to sign into Tractivity. Once SSO is set up, you only need to click a button to access Tractivity; no additional password is required.

Why are these sign-in methods being made mandatory?

Access to Tractivity is provided on a per-user basis. This means that each account on your Tractivity system is associated with a single person within your organisation. MFA and SSO both provide an additional level of security, to ensure that only the named individual for each Tractivity account can log into that account. By making the use of MFA or SSO mandatory, this extra security is applied to all accounts across Tractivity, greatly reducing the possibility of data breaches or malicious activity through unauthorised access.

How can we set up MFA or SSO for our Tractivity system?

We have detailed guidance on setting up multi-factor authentication on our Knowledge Base, which you can find here: Multi-factor Authentication.

We also have guidance for setting up Single Sign-On for your system, also on our Knowledge Base: Single Sign On (SSO) Setup Guide.

Follow the steps in each guide; if you need any further assistance, please email support@tractivity.co.uk.

Does Tractivity recommend any specific authentication apps for MFA sign-in?

Apps commonly used for MFA sign-in include Google Authenticator and Microsoft Authenticator. We do not formally recommend a specific option; your IT team should be able to direct you to the best option for your organisation.

Can Users set up MFA or SSO themselves? Or does this need to be completed by our IT team/department?

This will vary depending on your organisation’s internal policies. For MFA, your IT team may need to install the authentication app on your company devices. For SSO, the initial set-up will need to be completed by your IT team, to configure the connection between your organisation’s sign-in process and Tractivity SSO.

Can we use both MFA and SSO? Can we change to using SSO at a later date if we choose to set up MFA, or vice versa?

Each User on Tractivity will be set up to use either Tractivity MFA or Tractivity SSO to sign into their account – both methods can’t be used, only one or the other. You can change which method you use at any time by going to the “Edit User” page in the System Admin area of Tractivity.

Can we test the SSO integration before deploying this to our live Tractivity system?

Yes! Every organisation that uses Tractivity has access to a staging environment for testing. This is based on your live system, without the risk of contacting stakeholders or affecting your existing data. You can access the stage environment by adding “stage.” in front of your usual Tractivity system URL. Contact your Customer Success Manager (or email support@tractivity.co.uk) if you need access.

Will this change affect how we log into the Tractivity Outlook add-in?

For the time being, logging into the Outlook add-in with a username and password will not prompt the MFA authentication screen. This means you can use the Outlook add-in in the same way as before this update.

Logging in using SSO will work the same way as logging into the main Tractivity website. See more details in our "Accessing the Outlook add-in" page.

Is technical support available for IT teams/desks/departments etc that may need it?

The set-up process for both MFA and SSO is something we consider straightforward enough that the provided guidance should be sufficient for both general users and IT teams. However, if more technical questions do come up, please email support@tractivity.co.uk where our developers can respond to your questions directly.

Advanced questions

Which SSO providers does Tractivity support?

Tractivity supports OIDC (Open ID Connect) and SAML Identity protocols. Any SSO provider that supports these protocols will be suitable for use with Tractivity SSO.

What settings or configurations are required on the Microsoft tenant side?

You will need to register a new application in your chosen SSO provider. For example, if OIDC is chosen, this will generate an Application (Client) ID and an OpenID Connect metadata document URL, which Tractivity will need to help configure the identity provider. The Microsoft Graph Delegated permissions are required to be configured as part of your app registration inside Azure. The permissions required are ‘email', ‘openid’ and 'profile’.

When users log in for the first time via SSO, they will be prompted to consent to these permissions. Depending on your organisation’s security policies, your IT provider may need to grant the user the permissions on their behalf, but usually admin consent is not required for these permissions. This will allow Tractivity to access the required claims within the token, such as the user’s email address and name.

How are user accounts matched? Will Tractivity match users to their existing accounts, using their email address, or will new accounts be provisioned upon first login?

When a user logs in for the first time, Tractivity matches them using the email claim provided by the authorisation token. If the email matches an existing account, it's linked; otherwise, an error will be returned stating no matching user was found with the given email address. After successful login, we store the user’s Unique ID which is a combination of the issuer and sub claim also provided by the token (https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability). We use this ID for each future login to Tractivity using SSO.