Accessing and Securing your Oort Tenant

02/2023

Overview

This article describes several critical aspects of the Oort identity security solution -
  • Understanding Oort tenant types
  • Accessing your Oort tenant
  • Securing access to your Oort tenant
Note - If you are looking to access the Oort demonstration tenant, please see this article.

Oort Tenant Types

The Oort cloud platform, like most SaaS solutions, is split into several tenant tiers and editions. These include the following -
  • Staging
  • Production
From an Oort client perspective, the Staging and Production environments have different development cycles and characteristics.

Oort Staging Environment

The Oort staging environment is typically used for testing and evaluation. Client tenants in the Oort Staging environment automatically refresh hourly with the latest build of the Oort platform. This provides the following benefits -
  • Exceptionally fast turnaround times on issue resolution involving code changes (subject to the nature of the change and level of effort)
  • Near immediate access to the most recent features and capabilities
Staging environments will have a URL with the FQDN format of dashboard.stage.oort.io. A small description in the lower right footer of the page denotes that the environment reloads hourly.
Because social login authentication options are allowed for Staging environment tenants, MFA is required for all users on the Oort customer authentication platform. More details on this are available below.

Oort Production Environment

In contrast to the Staging environment, the Production environment is only refreshed with the latest build on a weekly cycle.
Social authentication platforms are not allowed for Production tenants. Only SSO from a client's IdP or IAM solution, such as Azure, Okta, Duo Security, etc., is allowed. For this reason, users are not required to enroll in and use MFA via the Oort customer auth platform.

Accessing your Oort Tenant

There are several ways to access your Oort tenant.

1. Direct login URL

Upon full configuration of your Oort tenant, including SSO authentication from your IAM platform such as Okta or Azure, your Customer Success engineer will provide you with a crafted URL that includes your tenant ID and the connection string of your SSO platform.
The URL will have this format:
Next step: This URL should be created as a bookmark app in your IAM platform for convenient access for those granted access to the Oort dashboard.

2. Login with Tenant Name

You can also login to Oort with your tenant name, which will be provided by the Oort Customer Success or Support team.
  1. Navigate to either of the following URLs, depending on your tenant location (Staging or Production), to which your Oort contact will direct you.
  2. Click the Login button in the top right and then enter your tenant name, provided by your Oort contact. Click Continue.
  3. At this point, you will be presented with the available login options. For Staging environments, this may include social login platforms (below), which are restricted to users invited by email, as well as your own IAM SSO platform, if already configured with Oort. A login option for Oort Support will also be present.
  4. Select the desired login platform and continue with its login process. You will be redirected to the Oort Dashboard page when complete. Note - Oort does not provide a local username and password login option.
  5. If you are accessing a tenant in the Staging environment for the first time, you will be prompted to enroll MFA as described below.

Securing your Oort Tenant

There are several important concepts related to securing your Oort tenant.
  • Multi-factor authentication (MFA) - Oort requires this in all tenants. It is discussed further below.
  • Session idle timeouts - Oort enforces a default 15 min session idle timeout.
  • Role-based Access Controls (RBAC) - Oort recommends that RBAC be implemented in all Production tenants. Role-based access options and configuration are discussed in this article. RBAC can also be implemented in Staging tenants if desired.

MFA in Production Tenants

Oort relies solely on customer IAM platforms for customer authentication and SSO into Oort Production tenants. Oort insists on some form of MFA for these connections, but it is the customer's responsibility to implement and enforce it via their IAM platform.
For this reason, MFA enrollment with the Oort customer authentication platform is not required.

MFA in Staging Tenants

MFA enrollment with the Oort customer authentication platform IS required in Staging tenants, due to the potential for personal social login options on a temporary basis.

MFA Enrollment with Oort

  1. Upon your first login to a Staging tenant, you will be prompted to enroll MFA with the Oort auth platform.
  2. There are three options available:
    • FIDO2 security key
    • OTP authenticator apps, such as Google Authenticator, Microsoft Authenticator, Okta Verify, etc.
    • Auth0 Guardian mobile app for push authentication
  3. Choose the option that best suits your MFA preferences. See each section below for specific details on the three options. Note - Oort does not support weaker factors such as SMS or phone-call based 2FA.
  4. Following that enrollment, you will see an option to also use device-based authentication, such as Windows Hello or Mac TouchID. Click Continue if desired. Note - Windows Hello or TouchID should be set up and configured on your device before enrolling with Oort authentication.
  5. Complete the enrollment by authenticating with Windows Hello (shown below) or TouchID.
  6. Name the device and click Continue to proceed to the Oort console.

Oort Staging MFA Options

OTP Apps

For time-based OTP authenticator apps (TOTP), a QR registration code will be displayed (see below).
Apps such as Microsoft Authenticator, Google Authenticator, Duo Security, or Okta Verify will work. The Yubico Authenticator app will also work on desktop or mobile devices in conjunction with a YubiKey 5 series device or later.
Simply scan the QR code with your mobile app or desktop OTP app and enter the first 6-digit code to continue.
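As an added illustration, not Oort's code and not a statement about how the Oort auth platform is implemented, the following Python shows what a TOTP registration QR code carries (an otpauth:// URI) and how a verifier checks the submitted 6-digit code (RFC 6238): a small time-step window for clock skew, a constant-time comparison, and one use per step so a captured code cannot be replayed. The account label, issuer and secret are constructed test values.

```python
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (what a TOTP QR code encodes). The label and
# issuer are hypothetical; the secret is the RFC 6238 test secret
# "12345678901234567890" in base32, not a real key.
ENROLL_URI = ("otpauth://totp/Oort:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Oort&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Return (secret_bytes, digits, period, algorithm, account_label)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)          # restore base32 padding
    return (base64.b32decode(secret), int(q.get("digits", 6)),
            int(q.get("period", 30)), q.get("algorithm", "SHA1").lower(),
            unquote(u.path.lstrip("/")))

def totp(secret, step, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP (RFC 4226) over the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), algorithm).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(uri, submitted, now=None, skew=1, last_step=None):
    """Verifier side: accept a code within +/-skew steps of now, but never a
    step at or before the last one consumed (replay). Returns (ok, step)."""
    secret, digits, period, alg, _ = parse_otpauth(uri)
    cur = int(time.time() if now is None else now) // period
    for step in range(cur - skew, cur + skew + 1):
        if last_step is not None and step <= last_step:
            continue
        if hmac.compare_digest(totp(secret, step, digits, alg), submitted):
            return True, step
    return False, last_step

if __name__ == "__main__":
    sec, digits, period, alg, acct = parse_otpauth(ENROLL_URI)
    code = totp(sec, int(time.time()) // period, digits, alg)  # what the app shows
    print(acct, code, verify(ENROLL_URI, code))
```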

FIDO2 security keys

For FIDO2 security keys, follow the typical process to authenticate via your security key in the browser, as shown below.

Auth0 Guardian Mobile App

For the Auth0 Guardian mobile push authentication app, download the app from the Apple or Google app store. Then scan the QR registration code to enroll the mobile device and authenticate.