Enable 2FA and SSO for your team
A password alone is not enough for a site that holds customer data or publishes to a real audience. SGEN gives you two independent identity controls: per-user two-factor authentication (2FA) and org-level single sign-on (SSO). Turn them on in the right order, store recovery codes before you need them, and know the lockout paths before an emergency — this guide covers all four workflows.
2FA is per user — anyone on SGEN can enable it. SSO is per org — the owner wires it once and the whole team signs in through the provider. Both work in parallel.
Ten one-use codes sit between a lost device and a full lockout. Generate and store them in a password manager at setup time — the platform never shows them again.
Every sign-in, 2FA challenge, recovery-code use, SSO test, and SSO activation is recorded in the Audit Log with actor, timestamp, and result.
Before you start
Gather what each workflow needs before you open a settings panel.
An authenticator app installed on a phone or device — any app that supports time-based one-time passwords works. No other requirement.
Be signed in as the org-account owner (only the owner sees the Identity tab) and have admin access to the identity provider.
Access to the email address on the account, or a second admin who can perform a reset from the Users area.
Once SSO is enforced, password sign-in is disabled. Inform the team in advance — members without a working SSO link cannot sign in after activation.
Where to find the controls
Per-user 2FA and org-level SSO live on different surfaces. Know the location before the first click.
Account Settings → Security — reach it from the avatar menu at the top right of any SGEN admin page.
SG-Dashboard → Org Settings → Identity — only the org-account owner sees the Identity tab. Each client org account carries its own Identity surface; there is no cross-org SSO scope.
Per-site SG-Admin and at the org-level SG-Dashboard Activity view. Every identity event flows into it; review after any rollout or recovery to confirm the expected events appear.
Enable 2FA for one user
2FA is per user. Walk through this once per account that needs a second factor. The setup takes under three minutes with an authenticator app in hand.
Click the avatar menu at the top right of any SGEN admin page. Click Account Settings. The Account Settings page opens. Click Security in the left navigation.
Scroll to Two-Factor Authentication. The current state shows as Off. Click Turn On 2FA. A panel opens with a QR code and a setup key.
Open the authenticator app on your phone and add a new account. Scan the QR code — or type the setup key if the camera is not available. The app shows a six-digit code that refreshes every 30 seconds.
Enter the current six-digit code from the app into the Verify Code field on the SGEN panel. Click Verify. If the code is correct, the panel updates to confirm 2FA is now on. From this point, every sign-in for this user asks for the six-digit code after the password. SGEN does not send the code by SMS or email.
Generate and store recovery codes
Recovery codes are the safety net behind the safety net. Generate them immediately after enabling 2FA — before closing the Security panel. The platform never shows them again after the generation step.
The same Security panel shows a Recovery Codes section once 2FA is on. Click Generate Recovery Codes. A panel opens with ten one-use codes.
Each code can replace the six-digit app code one time, for one sign-in. After a recovery code is used, it is removed from the active set. A password manager is the right home — not a sticky note. For shared accounts, the team vault keeps the codes findable when the original setter is unavailable.
Click Save and Close once the codes are stored. Generate fresh codes any time the existing set feels stale or after a recovery code is used. Generating a new set invalidates the previous set immediately.
Configure SSO at the org account
SSO routes every team member through one identity provider. The org-account owner configures it once. Run a test connection and confirm with the team before activating.
Open SG-Dashboard. Click Org Settings in the left navigation, then Identity. The Identity page opens with the current sign-in posture — Password, Password + 2FA optional, or SSO.
Click Set Up SSO. A panel opens with a protocol picker — pick the one the identity provider uses. The panel shows two values to copy into the identity provider: the Entity ID for SGEN and the Reply URL that the provider sends the response to. Both are unique per org account.
Switch to the identity provider's admin console. Create a new application using SGEN as the service provider. Paste the Entity ID and Reply URL into the provider's configuration. The provider returns its own values — typically the metadata URL, the certificate, and the issuer.
Return to the SGEN Identity page. Paste the provider values into the matching fields on the panel. Click Test Connection. SGEN attempts a sign-in round-trip; the result shows on the page within a few seconds. A green result confirms the wiring is correct. Do not activate until the test passes.
Click Activate SSO. A confirmation lists every team member and notes that password sign-in will be disabled. Confirm. From this point, every team member signs in through the identity provider; password sign-in returns a Use SSO to sign in message.
Recover a locked-out account
The recovery path depends on what is missing. Two common cases — know both before a user needs either.
Sign in with the password. When the 2FA prompt appears, click Use a Recovery Code under the code field. Enter one of the stored recovery codes. The sign-in completes. Open Account Settings → Security, cycle 2FA off and on for the new device, and generate fresh recovery codes.
A second admin opens the admin → Users, finds the locked-out user, clicks the row action menu, and selects Reset 2FA. The user receives an email with a one-time reset link valid for 24 hours. Following the link signs the user in once and opens the 2FA setup flow on a fresh device. The user generates new recovery codes before leaving the Security panel.
What success looks like
Use these states to confirm each workflow completed correctly before moving on.
The Security panel shows 2FA is On. The authenticator app generates a fresh code every 30 seconds. Ten recovery codes are stored in a password manager. The next sign-in asks for the code after the password.
The Identity page shows SSO active. Every team member can sign in through the provider. Password sign-in shows a clear redirect message. The Audit Log records SSO sign-in events.
The user signs in, sees the Account Settings page, and has fresh 2FA configured plus new recovery codes stored in the password manager.
Troubleshooting
Common problems and the specific fix for each.
The phone's clock is out of sync with the SGEN server. Open the phone's date-and-time settings and turn on automatic time. Try the code again.
Either a newer set was generated and invalidated the old, or the codes were entered with copy-paste whitespace. Generate a fresh set if signed in, or use the Case B admin reset path if locked out.
The error message names the failing field — common ones are wrong issuer, expired certificate, or unmatched Entity ID. Fix the named field and retry. Do not activate until every field shows the healthy value.
The user does not exist on the identity provider, or is not assigned to the SGEN application there. Provision the user on the provider. SGEN auto-creates the local account on first successful SSO sign-in if just-in-time provisioning is on.
SGEN provisions the local account with a default role on first sign-in. Open the admin → Users and assign the correct role; the next sign-in lands the user with the new permissions.
The platform shows the codes once at generation time and never again — by design, they are stored in a form the platform cannot read back. Generate a fresh set, which invalidates the previous unsaved set and shows new codes one time.
A cached session may be skipping the prompt for the current browser. Sign out fully, close the browser, then sign back in. The 2FA prompt appears on the fresh session.
The member's local account is re-keyed to SSO on the next sign-in attempt after activation. Have the member click Sign in with SSO rather than entering a password — the routing carries them through.
Enterprise and large-team identity
A small team can run 2FA as an individual habit. A large team needs identity treated as an operating system. Three areas scale differently.
The org-account owner can require 2FA org-wide at SG-Dashboard → Org Settings → Identity → Sign-in Requirements. Tick Require 2FA for every member and save. From the next sign-in, any member without 2FA active is walked through setup before reaching any other page. Members already running 2FA notice nothing. For SSO-enforced orgs, the provider's 2FA policy carries the second factor — confirm the provider does require it.
On first successful SSO sign-in, SGEN creates the local account with a default role. Two patterns: the provider sends a default site claim and the admin upgrades the role through Members; or the provider sends a role claim that maps directly to the per-site role on first sign-in. The second pattern is faster but requires the provider's group structure to mirror the SGEN site structure. Document the choice in the team runbook.
Schedule a 2FA recovery drill once per quarter. Pick one editor, have them simulate a lost phone, walk the recovery path under timed observation. The drill confirms the path works, refreshes the editor's recovery codes, and produces a lesson for the runbook. For SSO, confirm the team knows the provider's break-glass path — a provider outage is rare but the team that has rehearsed handles it in minutes.
Solo operator — Password + self-managed 2FA, personal vault for codes. Small team (2-10) — Password + 2FA per user, shared team vault. Mid-team (10-30) — SSO if a provider is in place, provider enforces 2FA. Agency (multi-client) — SSO per org account, documented break-glass per client. Enterprise (over 30) — SSO with strict provider 2FA, JIT provisioning, quarterly drills.
SSO attribute mapping reference
When you configure SAML 2.0 SSO, the SGEN SSO panel asks you to map identity provider attribute names to SGEN fields. Attribute names are case-sensitive and must match what the identity provider sends in the SAML assertion.
{ "email": "emailAddress", "first_name": "givenName", "last_name": "surname", "role": "sgenRoleClaim", "role_map": { "SiteAdmin": "platform_admin", "Editor": "editor", "Contributor": "content_editor", "Viewer": "viewer" }, "auto_provision": true, "default_role": "viewer", "exclude_accounts": [ "admin+breakglass@yoursite.com" ]} Illustrative mapping shape — confirm exact attribute names against the live SSO panel before enabling enforcement.
If the identity provider sends emailAddress but the SGEN mapping field expects email, the login fails with an attribute mapping error. Always test with a real identity provider user before enabling enforcement for all accounts.
SSO test connection result fields
The Test Connection panel returns a structured result. A green pass is the success state. The table below shows the fields the panel reports on a failed test so you know which side to fix.
Healthy: Yes. Common failure: No — host unreachable.
Healthy: Yes. Common failure: No — provider issuer does not match configured value.
Healthy: Yes. Common failure: No — certificate expired. SAML certificates typically expire after one to three years; set a calendar reminder 60 days before expiry.
Healthy: Yes. Common failure: No — provider returned unsigned response.
Healthy: Yes. Common failure: No — Reply URL does not match the provider's registered value.
Healthy: Email, name, and role claim received. Common failure: No role claim — assign a default role on the SGEN side.
A failed field is the named fix. The panel does not move past a failed test; activate SSO only after every field shows the healthy value.
Ongoing security hygiene
Authentication hygiene degrades over time. A quarterly review and awareness of common mistakes keeps the identity posture sound.
Check the Users list for accounts with password-only status and reset their enrollment if any pre-date 2FA enforcement. Check identity provider application assignments and remove former employees and test accounts. Verify the break-glass account can sign in — test it. Check the SSO certificate expiry date. Review the Activity Log for repeated failed logins, logins from unexpected regions, or a spike in 2FA reset requests. The review takes about 20 minutes; pair it with the monthly backup check to make it a single recurring task.
Sharing 2FA codes — the code proves physical device possession; sharing defeats the second factor entirely. Create a separate account instead. Disabling 2FA "temporarily" — use the recovery code path or admin reset instead. Storing recovery codes alongside the password — keep them in a separate vault entry. Enabling SSO enforcement without a break-glass account — a misconfigured SSO with no fallback is a full lockout; test the break-glass account monthly. Skipping the grace period when enforcing 2FA — 14 days gives occasional users and people on leave time to set up an authenticator app.
Audit Log — identity event reference
Every identity action is recorded in the Audit Log. The table below shows the shape of events from a single onboarding hour — use it to confirm each step ran correctly after a rollout or recovery.
Records actor, timestamp, source (Admin UI), and result. Appears on every password sign-in.
Records actor and timestamp at Account Settings → Security. Confirms 2FA setup completed for the account.
Records actor, timestamp, and quantity (10 codes issued). Appears immediately after clicking Generate Recovery Codes.
Records actor, timestamp, identity provider name, and result. The provider name lets the team trace a sign-in back to the right provider configuration.
Records SSO just-in-time account creation — actor, role assigned (e.g. Editor), and source (SSO just-in-time).
Records failed and successful 2FA challenges at the sign-in flow. A failed challenge followed quickly by a passed one typically indicates a clock drift issue that self-corrected after device time sync.
Records the admin who performed the reset, the target user, and the timestamp. The reset link is emailed to the locked-out user and is valid for 24 hours.
The same set of identity events, exported, becomes a one-page record an onboarding lead can hand to a compliance reviewer at quarter-end.
Common questions
Straight answers to the questions that come up most often when teams set up 2FA and SSO for the first time.
No. Codes come from a time-based authenticator app. The platform does not implement SMS-based 2FA because of well-documented vulnerabilities with SIM swapping; authenticator apps are stronger and avoid the carrier dependency.
Yes. The authenticator app holds an entry per service; SGEN is one entry alongside any others. Most apps display every entry on the same screen with a clear label.
The standard recovery path applies — sign in with the password, use a recovery code, reconfigure 2FA on a new device. If the owner has neither device nor codes, the platform's account-recovery support path handles it. Treat recovery codes with the same care as a domain registrar's two-factor backup.
On an SSO-enforced org account, no — every member signs in through SSO and password sign-in is disabled at the org level. On an org account with SSO available but not enforced, members can choose either path. The Audit Log records which path was used on each sign-in.
No. SSO covers sign-in. Per-site roles cover what a signed-in user can do. Both are needed. The identity provider can carry role claims that map to SGEN roles, but the per-site assignment still happens on the SGEN side.
Every sign-in (password or SSO), sign-out, 2FA challenge, recovery-code use, SSO test, and SSO activation appears with the actor, the timestamp, the source surface, and the result. For SSO sign-ins the entry also names the identity provider.
