Policy
When logging into SingleID or logging into an application registered with SingleID, various settings such as login methods, authentication sessions, and passwords need to be configured according to the organization’s security policy.
SingleID provides a policy management feature that allows detailed configuration of login and authentication information.
If you have purchased the anomalous behavior detection feature (ADM), you can configure it to analyze a user’s login activity at sign‑in and, when it detects authentication anomalies that differ from the norm, notify the user of a potential security threat.
The policy features provided by SingleID are as follows.
- Login Policy
- Authentication Policy
- Anomaly detection policy
By using SingleID’s policy feature, you can configure a secure authentication environment that meets organizational security requirements by specifying detailed login methods based on who is logging in, when, from which environment, and to which application.
Login Policy
The administrator can set detailed policies specifying which authentication methods users can use when logging in with SingleID, and, if necessary, create condition-based authentication policies for users authenticating in specific environments.
Login policies can be configured using the following conditions.
- Which application are you logging into?
- Who is logging in?
- In what environment are you logging in?
To access the login policy menu, navigate as follows.
- Admin Portal > Policy > Login Policy
Default login policy
The Admin Portal automatically creates the following two policies by default.
- Admin Portal Policy: Admin Portal access permission control policy
- Default Policy: User’s default access control policy
The Admin Portal Policy is the login policy applied when attempting to log in to the Admin Portal, and the Default Policy is the login policy applied when attempting to log in to the user portal.
If you have linked an application to SingleID and have not assigned a separate login policy, the Default Policy will be automatically assigned as the default login policy.
Register Login Policy
A login policy defines how administrators and users log in. You can configure login policies based on the access environment, application, and situation.
Login policies can be registered through a screen consisting of four steps as follows.
- General
- Allocation
- Initial Redirection
- Rule
General
Enter the name and description of the login policy on the general screen.
The fields that need to be entered are as follows.
| Name | Explanation | Required status |
|---|---|---|
| Name | Enter the name of the login policy. | Required |
| Explanation | Enter the description of the login policy. | Required |
Click the Next button to go to the assignment screen.
Allocation
Specify the application to which the login policy will be applied on the assignment screen.
| Name | Explanation |
|---|---|
| Filter | Filter applications by status. |
| Keyword search | Search by application name and description. |
| Advanced Search | Displays detailed options for searching applications on the screen. |
| Assign button | Displays the application assignment popup on the screen. |
| Assigned Application List | The assigned applications are displayed in a list format. It starts with an empty list. |
- Click the Assign button to display the application assignment popup on the screen.
- In the Application Assignment popup, select one or more applications to assign to the login policy, then click the Assign button.
- If you have assigned all applications, click the Cancel button to close the Application Assignment popup.
Initial Redirection
On the Initial Redirection screen, specify how users reach the login screen and which login method they use.
Redirected to SingleID’s Sign-in page (login page)
Redirected to the external IdP
The explanations of the two methods above are as follows.
- If you select Redirected to SingleID’s Sign-in page, the SingleID login page will be displayed to the user attempting to log in.
- If you select Redirected to the external IdP, the user trying to log in will see the login page of the selected Identity Provider.
- After selecting Redirected to the external IdP, you must choose the Identity Provider from the selection list and designate it.
- If you select Redirected to SingleID’s Sign-in page, you can optionally display an additional button at the bottom of the SingleID login screen that allows login via an Identity Provider.
- AND see the following external IdP buttons on the Sign-In page: Click the text input field below, select one or more Identity Providers registered in SingleID, and configure them to be displayed on the login screen.
Rule
On the Rules screen, modify or add login rules and set the priority among login rules.
| Name | Explanation |
|---|---|
| List of rules | Login rules are displayed on the screen as a list. The Default Rule is shown by default and cannot be deleted. |
| Keyword search | Search by the name or description of the login rule. |
| Register button | Register a new login rule. |
| Complete button | Register a login policy. |
Default Rule configuration
In the rule screen’s login rule list, Default Rule is displayed by default.
Default Rule cannot be deleted; it can only be edited. Also, even when you add one or more login rules, you cannot set the priority of Default Rule. (It always has the lowest priority.)
To modify the Default Rule, follow the steps below.
- Click Default Rule in the rule list.
- Default Rule’s WHEN condition cannot be modified.
- You can modify the THEN result of Default Rule.
| Name | Explanation |
|---|---|
| Set access permission | Set whether access is allowed. |
| Mandatory authentication method | Configure the primary login method. Additional login methods can be displayed on the login screen in addition to the default login method. |
| MFA authentication | Configure it to require an additional login after the first login succeeds. |
| Terms and conditions for collecting consent | Set it to display the terms and conditions and request consent when a user logs into SingleID for the first time. |
| Save button | Save the modified login rules. |
You can select one of the following two options when configuring access permission settings.
- Deny Access
- Allow Access
If you select Deny Access, it will reject login for all users.
When you select Allow Access in the access permission setting, you can configure the user’s login method.
If you selected Redirected to the external IdP as the method to enter the login screen on the Initial Redirection screen, the first login settings will not be displayed.
The required authentication method is performed by an external Identity Provider according to the Initial Redirection settings.
To have the user log in via multi-factor authentication, check the MFA authentication checkbox and then select one or more Authenticators in the text input box.
To display the terms and conditions and request the user’s consent when a user logs in to SingleID for the first time, check the Terms and Conditions Consent Setting (d) checkbox and then select one or more terms or conditions to display on the screen from the text input box.
Add rule
To add a login rule, follow the steps below.
- Click the Register button at the top right of the rule list.
- Enter the rule’s name and description on the rule registration screen.
- Refer to the following and enter the rule items.
| Name | Explanation |
|---|---|
| Name | This is the name of the rule. |
| Explanation | This is an explanation of the rules. |
| User group assignment | Select the user group to apply the rule to. |
| Profile property assignment | Click the ‘Add’ button in the profile property assignment list to add a property. Refer to the help below for descriptions of the property and operator. |
| Group Settings | Specify the group that the logged-in user belongs to as a member. |
| User attribute list | Specify the attributes of the user logging in and the conditions for each attribute. |
| Add User Property button | Display the “Add Property” popup on the screen. |
Access Environment
| Name | Explanation |
|---|---|
| Network | Specify the IP or network range of the user logging in. The default is “IP address anywhere”. - Desktop - Mobile |
| Platform | Specify the device information of the user who logs in. The default is “Any platforms”. - Desktop - Mobile |
| Browser | Specifies the browser information of the user who logs in. The default is “Any browsers”. - Edge - Chrome - Safari |
| OS | Specify the OS information for login. The default is “Any OS”. - Windows 10 - Windows 11 - Android - iOS |
| AND Anomalies (Abnormal behavior) | Set the condition to determine whether abnormal behavior is detected during login. Abnormal behavior detection condition settings are only available for tenants who have purchased the Abnormal Behavior Detection (ADM) feature option. To use the Abnormal Behavior Detection (ADM) feature, you must select the additional option when signing a SingleID contract. If you wish to use the Abnormal Behavior Detection feature, you can purchase it additionally on the SCP product purchase page. |
After configuring all “WHEN” condition areas, set the login method that will be used when a user matching the conditions logs in.
The selectable user attributes are as follows.
User attribute information
| Attribute name | Data type | Required? | Explanation |
|---|---|---|---|
| key | String | Required | Key |
| username | String | Required | ID |
| password | GuardedString | Required | Password |
| status | String | Required | Status |
| mustChangePassword | Boolean | Required | Whether a password change is required |
| suspended | Boolean | Required | Standby status |
| creator | String | - | Creator |
| creationDate | Date | - | Creation date |
| lastModifier | String | - | Last editor |
| lastChangeDate | Date | - | Last modified date |
| administrator | Boolean | - | Admin status |
| displayName | String | - | Display name |
| cn | String | - | Common Name |
| local | String | - | Locale (email sending standard) |
| userSource | String | - | User source |
| syncDate | String | - | Last synchronization time |
| contractNumber | String | - | Contract Number |
| contractStartDate | String | - | Contract start date |
| contractEndDate | String | - | Contract End Date |
| agreementDate | String | - | Date of required terms agreement |
| accountStartDate | String | - | Account start date |
| accountEndDate | String | - | Account expiration date |
| partnerOrganizationCode | String | - | Partner company code |
| approvalUser | String | - | Approver ID |
| formattedName | String | - | Korean display name |
| familyName | String | - | Korean surname |
| givenName | String | - | Korean name |
| enFormattedName | String | - | English display name |
| enFamilyName | String | - | English surname |
| enGivenName | String | - | English name |
| adDomain | String | - | AD Domain |
| nickName | String | - | Nickname |
| employeeNumber | String | - | Employee ID |
| epId | String | - | EP ID |
|  | String | - | Email address |
| phoneNumberWork | String | - | Phone number |
| mobile | String | - | Mobile phone number |
| title | String | - | Job title |
| enTitle | String | - | English job title |
| titleCode | String | - | Job grade code |
| entitlement | String | - | Job title |
| department | String | - | Department name |
| enDepartment | String | - | English department name |
| departmentCode | String | - | Department code |
| organization | String | - | Company name |
| enOrganization | String | - | English company name |
| organizationCode | String | - | Company code |
| region | String | - | base |
| userStatus | String | - | Employee status |
| userType | String | - | Employee type |
| securityLevel | String | - | Security rating |
| preferredLanguage | String | - | Knox language |
| executiveYn | String | - | Executive status |
| timeZone | String | - | Time zone |
| accountLocked | Boolean | - | Forced account lock |
| accountAutoLocked | Boolean | - | Automatic account lock |
| accountDisabled | Boolean | - | Unused account |
| accountSuspended | Boolean | - | Dormant account |
| accountSuspendedTime | Date | - | Dormant processing time |
| lastLoginTime | Date | - | Last login time |
| accountState | String | - | Account status |
The operators are as follows.
| Operator | Explanation |
|---|---|
| Equals | Search for users whose attribute value matches the condition value. |
| Not Equals | Search for users whose attribute values do not match the condition value. |
| Starts with | Search for users whose attribute value starts with the condition string. |
| Ends with | Search for users whose attribute value ends with the condition string. |
| Contains | Search for users whose attribute value includes the condition string. |
THEN configuration
Set the login method and procedure in the THEN result area.
In the access permission setting (a), you can select one of the following two options.
- Deny Access
- Allow Access
If you select Deny Access, login for all users will be denied. (The default value for the access permission setting (a) is Deny Access.)
To allow users to log in and configure detailed login methods, select Allow Access.
| Name | Explanation |
|---|---|
| Configure access permission | Set whether access is allowed. |
| First login setup | Set the primary login method. Additional login methods can be displayed on the login screen besides the default login method. |
| Additional login settings | Configure it to require an additional login after the initial login succeeds. |
| Terms and Conditions Agreement Settings | Configure it to display the terms and conditions and request consent when a user logs into SingleID for the first time. |
| PC SSO Agent Settings | Configure it to verify whether a security program (Endpoint Security) is installed on the user’s PC using the PC SSO Agent. |
| Save button | Save the modified login rules. |
- Select the Authenticator to use for login from the first login configuration’s selection list.
- If you want users to be able to log in with another Authenticator in addition to the selected primary login method, select the checkbox (V) of And allow another factors below: and choose one or more Authenticators to add in the text input box.
On the Initial Redirection screen, if you select Redirected to the external IdP as the method to enter the login screen, the first login settings will not be displayed.
The first login occurs at an external Identity Provider according to the Initial Redirection settings.
- To require users to log in via multi-factor authentication, select the checkbox (V) in the additional login settings, then choose one or more Authenticators in the text input field.
- To display the terms and conditions and request the user’s consent when a user logs in to SingleID for the first time, check the terms and conditions consent setting checkbox and then select one or more terms or conditions to display on the screen from the text input box.
- To verify whether a security program (Endpoint Security) is installed on a user’s PC using the PC SSO Agent, select the checkbox (V) in the PC SSO Agent settings. When this setting is enabled, login attempts from users whose PCs do not have the security program installed will be blocked.
If the PC SSO Agent is not registered, the PC SSO Agent configuration option will not be displayed on the screen.
When the PC SSO Agent setting (e) is enabled, if you want to require additional authentication instead of blocking the login of users who do not have a security program installed on the PC, select the checkbox (V) below and then choose one or more Authenticators in the text input box.
Click the Save button to register the login rule and return to the rule list.
Rule priority management
If one or more login rules are added, the administrator can set the priority among the login rules. If a user matches the conditions set in multiple rules, the login method of the rule with the higher priority will be applied.
Follow the steps below to set the priority of login rules.
- Drag the ≡ area displayed to the left of the rule name in the rule list with the mouse.
- The priority of login rules is determined by the drag-and-drop location.
- Rules that appear higher in the list have higher priority.
Policy Status Change
The status of the login policies managed by SingleID is as follows.
| Status | Explanation |
|---|---|
| Active | Login policy operating normally |
| Inactive | Login policy disabled by the administrator |
The administrator can change the login policy status according to its current state as follows.
| Current status | Mutable state | Explanation |
|---|---|---|
| Active | Inactive | Click the Disable button to change an active login policy to an inactive state. |
| Inactive | Active | Click the Activate button to change a disabled login policy to an active state. You can also delete a disabled login policy. |
Among login policies, the two policies provided by default in SingleID, Admin Portal Policy and Default Policy, cannot be disabled.
If you disable a login policy, applications assigned to the disabled login policy will automatically be changed to be assigned to the default policy (Default Policy).
Disable policy
To disable an active login policy, follow these steps.
- Click the policy you want to deactivate in the policy list to navigate to the policy detail screen.
- Click the Disable button.
- The confirmation popup displays the login policy information (number of assigned applications, number of rules included in the login policy); after reviewing it, click the Deactivate button.
If you disable a login policy, applications assigned to the disabled login policy will automatically be changed to be assigned to the default policy (Default Policy).
Even if you reactivate a disabled login policy, the applications previously assigned are not automatically reassigned.
Policy activation
To change a login policy from inactive to active, follow these steps.
- Click the policy you want to activate in the policy list to navigate to the policy detail screen.
- Click the Activate button to change the login policy status to active.
Delete Policy
Administrators can delete the login policy from SingleID.
To delete the login policy, follow these steps.
- Click the policy you want to delete in the policy list to navigate to the policy detail screen.
- If the login policy is enabled, click the Disable button to deactivate the policy.
- Click the Delete button displayed at the top right of the disabled login policy.
- A popup screen confirming the deletion of the login policy is displayed.
- To delete a login policy, first review the policy information, then enter the name of the policy you want to delete and click the Delete button.
Deleted login policies cannot be restored.
When a login policy is deleted, the rules contained within the policy are also deleted, and even if you re-register a login policy with the same name, the deleted rules or configuration information will not be restored.
Access Simulation
When there are many login policies, each containing many rules, it can be difficult to determine which policy and rule govern the login method for a given user.
SingleID provides an access simulation feature that allows administrators to quickly verify the login policies and rules applied to users.
Using the access simulation feature, you can select the user and the target application, arbitrarily define the user’s login environment (network, device, browser, OS), and predict in advance which login method the user will experience under various circumstances.
Additionally, if there are review requests from users experiencing login difficulties, you can quickly verify using the access simulation feature and modify the problematic policies or rules.
To use the access simulation feature, click the Access Simulation button located at the top right of the login policy list screen.
| Name | Explanation |
|---|---|
| Enter user ID | Enter the user ID of the simulation target. |
| Network Settings | Specify the IP address of the user to simulate. The default is “IP address anywhere”. |
| Platform Settings | Specify the device information of the user to be simulated. The default is “Any platforms”. |
| Browser Settings | Specifies the browser information of the user to be simulated. The default is “Any browsers”. |
| OS Settings | Specify the OS information of the user to be simulated. The default is “Any OS”. |
| Select Application | Select the application to be simulated. Click the application selection button to display the popup. |
| Run Simulation button | Run the access simulation. |
| Simulation results | Displays the access simulation results on the screen. The login policies and rules applied to the specified user are shown. |
| List button | Return to the login policy list. |
To run the access simulation, follow the steps below.
- Enter the ID of the user to be simulated.
- Specify the IP of the user to simulate. After selecting Specific IP Address, you can manually enter the IP. Enter the IP in the format 123.123.123.123.
- Specify the device information of the user to simulate. After selecting Platform, you can choose a device from the selection list.
- Specify the browser information of the user to be simulated. After selecting Browser, you can choose a browser from the dropdown list.
- Specify the OS information of the user to simulate. After selecting OS, you can choose the OS from the selection list.
- Click the Application Selection button to select the application to simulate.
- In the Application Selection popup, click the radio button to the left of the application name to select the application, then click the Add button.
If you want to re-select the application, click the X button to the right of the selected application name, then click the Select Application button again.
- Click the Run Simulation button.
- The access simulation runs, and when it finishes, the login policies and rules are displayed on the screen according to the simulation results as shown below.
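The rule resolution that the Rule priority management and Access Simulation sections describe can be modeled offline to check an ordering before applying it. This is an added example, not SingleID code: the rule names, attribute values, authenticator names and network range are constructed, and it assumes that all WHEN conditions of a rule are combined with AND and that a missing user attribute never matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The five operators from the operator table on this page.
OPERATORS = {
    "Equals": lambda value, cond: value == cond,
    "Not Equals": lambda value, cond: value != cond,
    "Starts with": lambda value, cond: value.startswith(cond),
    "Ends with": lambda value, cond: value.endswith(cond),
    "Contains": lambda value, cond: cond in value,
}


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool = False                  # a new rule defaults to Deny Access
    first_factor: Optional[str] = None   # "First login setup" (constructed names)
    mfa: tuple = ()                      # "Additional login settings"
    groups: frozenset = frozenset()      # empty = any group
    attributes: tuple = ()               # (attribute, operator, condition value)
    networks: tuple = ()                 # empty = "IP address anywhere"
    platforms: frozenset = frozenset()   # empty = "Any platforms"
    browsers: frozenset = frozenset()    # empty = "Any browsers"
    oses: frozenset = frozenset()        # empty = "Any OS"

    def matches(self, user: dict, env: dict) -> bool:
        """True only when every configured WHEN condition holds (assumed AND)."""
        if self.groups and not (self.groups & set(user.get("groups", ()))):
            return False
        for attr, op, cond in self.attributes:
            value = user.get(attr)
            # Assumption: an attribute the user does not have never matches.
            if value is None or not OPERATORS[op](str(value), cond):
                return False
        if self.networks:
            ip = env.get("ip")
            if ip is None:
                return False
            addr = ipaddress.ip_address(ip)
            if not any(addr in ipaddress.ip_network(n) for n in self.networks):
                return False
        for allowed, key in ((self.platforms, "platform"),
                             (self.browsers, "browser"),
                             (self.oses, "os")):
            if allowed and env.get(key) not in allowed:
                return False
        return True


# Default Rule: no WHEN conditions, so it matches everyone; always evaluated last.
DEFAULT_RULE = Rule(name="Default Rule", allow=True, first_factor="password")


def simulate(user: dict, env: dict, rules: list, default_rule: Rule = DEFAULT_RULE) -> dict:
    """Return the first matching rule, scanning from the top of the list down."""
    for rule in [*rules, default_rule]:
        if rule.matches(user, env):
            return {
                "rule": rule.name,
                "access": "Allow Access" if rule.allow else "Deny Access",
                "first_factor": rule.first_factor if rule.allow else None,
                "mfa": list(rule.mfa) if rule.allow else [],
            }
    raise RuntimeError("unreachable while Default Rule has no WHEN conditions")


# Constructed sample policy, listed from highest to lowest priority.
RULES = [
    Rule("Admins on office network", allow=True, first_factor="password",
         mfa=("otp",), groups=frozenset({"admins"}), networks=("10.20.0.0/16",)),
    Rule("Contractors", allow=True, first_factor="password", mfa=("otp",),
         attributes=(("userType", "Equals", "contractor"),)),
    Rule("No mobile", allow=False, platforms=frozenset({"Mobile"})),
]

# Constructed sample users.
ALICE = {"username": "alice", "groups": ["admins"], "userType": "regular"}
BOB = {"username": "bob", "groups": ["staff"], "userType": "contractor"}

if __name__ == "__main__":
    mobile = {"ip": "203.0.113.9", "platform": "Mobile"}
    # The "Contractors" allow rule sits above "No mobile", so it shadows the deny.
    print(simulate(BOB, mobile, RULES))
    # Moving the deny rule to the top changes the outcome for the same login.
    print(simulate(BOB, mobile, [RULES[2], RULES[0], RULES[1]]))
```

In this model a broad allow rule placed above a deny rule silently overrides it, which is the kind of ordering mistake the access simulation is meant to surface.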
Authentication Policy
The administrator needs to change detailed authentication settings according to the organization’s security policy.
SingleID classifies and manages detailed authentication settings into the following four policies.
- Session Policy
- Authenticator policy
- MFA Service Provider Policy
- Password Policy
To access the authentication policy menu, navigate as follows.
- Admin Portal > Policy > Authentication Policy
To modify the authentication policy, click the Edit button at the lower right of the authentication policy screen to change the settings, then click the Save button.
Session Policy
To change the session policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- In the maximum session limit setting, you set the maximum number of sessions a user can create simultaneously.
- The minimum value that can be set is 1, and the maximum value is 100. When set to 1, a user can log in only from a single browser at a time and cannot log in simultaneously from multiple PCs or browsers.
- Set the priority of the session created by the user in the session priority settings. The priority can be selected from the following two options.
- Old session
- New session
When you set the maximum session limit to 1 and select Old session, a logged-in user will be blocked from logging in when they attempt a new login from another PC or browser where they are not logged in.
Also, when the maximum session limit setting restricts the maximum number of sessions to 1 and New session is selected, if a logged-in user attempts a new login from another PC or browser that is not logged in, the previous browser’s session is forcibly expired and the session logged in from the new PC or browser is maintained.
In the maximum session time setting, set the maximum duration a session can be retained.
The maximum session time can be set to one of the following two options.
- No time limit
- Set time limit
If you set No time limit, a session that has been created will not automatically expire until the user logs out. After setting Set time limit and specifying a time, the session expires when the set time elapses, and the user is automatically logged out.
Configure the maximum idle session time for the session in the maximum idle session time setting. If you set the maximum idle session time, the session will expire and the user will be automatically logged out when the user does not make an authentication request for the configured duration.
To save the changed settings, click the Save button at the bottom right of the authentication policy screen.
To avoid saving the changed settings, click the Cancel button at the lower right of the authentication policy screen.
| Name | Explanation |
|---|---|
| Maximum session limit setting | Sets the maximum number of concurrent sessions per user. |
| Session priority setting | When a session exceeds the user’s maximum concurrent session count, set the priority between the previous session and the new session. |
| Maximum session time setting | Set the maximum session duration after the session is created. The session expires when the maximum session duration elapses. |
| Maximum idle session time setting | Set the session expiration time for when the user does not make an authentication request to the server for a certain period after the session is created. |
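How the four session settings interact can be seen in a small model. This is an added example, not SingleID code: the class and method names are hypothetical, times are plain seconds, and evicting the oldest session when the limit is above 1 under New session is an assumption, since the page only describes the limit-of-1 case.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    sid: str
    created: float
    last_request: float


@dataclass
class SessionPolicy:
    max_sessions: int = 1                     # page: 1 to 100
    priority: str = "Old session"             # or "New session"
    max_session_time: Optional[float] = None  # None = "No time limit"
    max_idle_time: Optional[float] = None     # None = no idle limit configured

    def __post_init__(self):
        if not 1 <= self.max_sessions <= 100:
            raise ValueError("maximum session limit must be between 1 and 100")
        if self.priority not in ("Old session", "New session"):
            raise ValueError("priority must be 'Old session' or 'New session'")


class SessionStore:
    def __init__(self, policy: SessionPolicy):
        self.policy = policy
        self.sessions = {}  # username -> list of Session, oldest first

    def _live(self, user: str, now: float) -> list:
        """Drop sessions past the maximum session time or the idle time."""
        p = self.policy
        live = []
        for s in self.sessions.get(user, []):
            too_old = p.max_session_time is not None and now - s.created >= p.max_session_time
            too_idle = p.max_idle_time is not None and now - s.last_request >= p.max_idle_time
            if not (too_old or too_idle):
                live.append(s)
        self.sessions[user] = live
        return live

    def login(self, user: str, sid: str, now: float) -> dict:
        live = self._live(user, now)
        evicted = []
        if len(live) >= self.policy.max_sessions:
            if self.policy.priority == "Old session":
                # Existing sessions win: the new login is blocked.
                return {"result": "blocked", "evicted": []}
            # New session wins: expire the oldest sessions (assumption for limits > 1).
            while len(live) >= self.policy.max_sessions:
                evicted.append(live.pop(0).sid)
        live.append(Session(sid, now, now))
        return {"result": "created", "evicted": evicted}

    def touch(self, user: str, sid: str, now: float) -> bool:
        """An authentication request on a session; False if it is no longer valid."""
        for s in self._live(user, now):
            if s.sid == sid:
                s.last_request = now
                return True
        return False


if __name__ == "__main__":
    store = SessionStore(SessionPolicy(max_sessions=1, priority="New session"))
    print(store.login("kim", "pc-a", 0))    # created
    print(store.login("kim", "pc-b", 10))   # created, pc-a evicted
    print(store.touch("kim", "pc-a", 20))   # False: forcibly expired
```

With Old session, a limit of 1, No time limit and no idle limit, a session left open on one PC blocks every later login until that session is logged out.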
Authenticator policy
To change the Authenticator policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Configure according to each item below.
- When the setup is complete, click the Save button.
| Name | Explanation |
|---|---|
| Available Authenticator settings(for login policy) | Configure an Authenticator that can be used for authentication. |
| Authentication method during registration | Set the user’s primary identity verification method when registering the Authenticator. |
| Perform the following authentication. | When registering an Authenticator, set additional identity verification methods to allow beyond the primary verification method designated for the user. |
| Find Account | Set the authentication method when retrieving the ID. |
| Password reset | Set the authentication method for password recovery. |
| Unlock setting | If a user repeatedly fails authentication while using Authenticators, the ID becomes locked. You can set a duration so that the locked user’s lockout is automatically cleared after a specified period. |
To remove a specified Authenticator from the available Authenticator settings, it must first be removed from the rules of all login policies.
Configurable Authenticators can be registered in the Authenticator addition menu. Disabled Authenticators cannot be configured in the available Authenticator settings.
If you have not purchased an MFA product
- Available Authenticator Settings (for login policy) is not displayed on this screen.
- If you want to purchase additional MFA products, please contact us via Support Center > Contact Us.
If a user repeatedly enters an incorrect password, fails to log in, and becomes locked, the lock will not be released even after a certain amount of time has passed. Configure the lock and unlock methods for password‑based lockouts in Password Policy.
If you reset a user’s password from the user menu, you can unlock a locked user before the unlock wait time expires. Refer to password reset.
MFA Service Provider Policy
To change the MFA Service Provider policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Refer to the table below and configure each item accordingly.
- When the configuration is complete, click the Save button.
| Name | Description |
|---|---|
| Available Authenticator Settings (for MFA Service Provider) | Configure the Authenticator that the user can use when an authentication request is generated by the MFA Service Provider. |
| Terms and Conditions Options | When a user registers from the MFA Service Provider, you can display the terms and conditions and obtain the user’s consent. |
| Unlock setting | When an authentication request occurs from the MFA Service Provider and the user repeatedly fails authentication, the ID becomes locked. You can set a duration so that the locked user’s lockout is automatically cleared after a certain period. |
To remove a specified Authenticator from the available Authenticator settings, it must first be removed from all MFA Service Providers.
Configurable Authenticators can be registered from the Add Authenticator menu. Disabled Authenticators cannot be set in the available Authenticator settings.
If a user authenticates with the MFA Service Provider for the first time, to display the terms and conditions to the user and require their consent, check the terms and conditions option checkbox and then select one or more terms or conditions to display on the screen in the text input box.
If a user authenticating with the MFA Service Provider repeatedly fails authentication, the user’s ID becomes locked. To automatically unlock after a certain period, set the unlock wait time in the unlock settings.
Password Policy
To change the password policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Refer to the table below and configure each item accordingly.
- When the configuration is complete, click the Save button.
| Name | Description |
|---|---|
| Password history | You can configure the system to prevent reuse of previously used passwords. Specify the number of recent passwords to block from reuse. Users will be unable to reuse that number of their most recent passwords. |
| Password expiration | Specify the password validity period. After the validity period expires, you must change the password to log in. It can be set from 1 day to 365 days. |
| Password lock | If the password is entered incorrectly repeatedly, the user’s ID will be locked. Specify the number of allowed repeated entry failures. |
| Pattern and Complexity | Set the minimum password length, minimum characters, numbers, etc. |
| Set minimum character count | Specifies the minimum password length. |
| Minimum alphabetic character count setting | Specifies the minimum number of alphabetic characters to include in the password. |
| Minimum number count setting | Specifies the minimum number of digits to include in the password. |
| Set minimum number of special characters | Specifies the minimum number of special characters to include in the password. |
| Set maximum character count | Specifies the maximum length of the password. |
| Allow using the user ID as the password | Set whether to allow the user’s ID to be included in the password. |
Sign‑up Policy
To allow user sign‑up, enable the registration policy, which permits registration of users other than those provisioned from the HR system or IdP. In addition to registering, creating, modifying, and deleting accounts through account synchronization, you can provide features that let users sign up from the login screen or be invited by email.
To enable and use the registration policy, follow the steps below.
- Click Admin Portal > Policy > Sign‑up Policy.
- Enable Allow user registration.
- If you enable it, the Policy tab and User Invitation tab will appear.
- Review the descriptions of the Policy tab and the User Invitation tab below, and configure the policy.
- Click the Save button when the setup is complete.
Policy
You can set general policies for member registration.
| Name | Explanation |
|---|---|
| Display the sign‑up link on the login screen | Display the sign‑up link on the SingleID login screen. |
| Terms and Conditions Options | Select the option to agree to the terms and conditions during sign‑up. During sign‑up, you can separately select and apply the terms and conditions. |
| Allow sign‑up invitations | When the feature is enabled, you can invite users via email. You can configure it so that only invited users can sign up, instead of using a separate registration page. With this setting, registration through the SingleID sign‑up link is not possible. |
| Sign-up input form | Set the user attributes to be entered during registration. Additional inputs can be requested based on whether they are required. |
| ID duplication prevention setting | When enabled, a suffix is added to the ID to prevent ID duplication. This setting prevents cases where the ID of automatically provisioned accounts is the same. Since duplicate ID values are common, we recommend enabling this setting. When signing up, the specified PostFix value is appended to the ID. |
| Maximum usage period | Sets the maximum usage period that applies after registration. It can be set from 1 day to 2000 days. |
| Approval upon sign‑up request | When a sign‑up request is made, you can enable the approval setting to load and apply the registered approval policy. |
Dormant User Policy
SingleID provides a feature that changes users who have not used the SingleID system for an extended period to a dormant state. Depending on the settings, dormant users can be restored either by the users themselves or by an administrator.
To enable and use the dormant user policy, follow these steps.
- Click Admin Portal > Policy > Dormant User Policy.
- Click the Dormant User Policy Activation toggle button.
Additional settings are as shown in the table below.
| Name | Description |
|---|---|
| Criteria for setting a user as dormant | This setting converts users who do not log in to SingleID for N days into dormant users. It can be set from 1 day up to 365 days. |
| Send notification email | This setting sends notification emails to users starting N days before they enter the dormant state. You can also select the option to send a notification email to users when their status changes to dormant. |
| User exempt from dormant status change | Click the Add button to add an exception user for changing to dormant status. |
| Dormant State Exception Group | You can configure exceptions for users who are members of the group. |
| Long-term dormant user management | This feature automatically deletes a user account after it has been changed to a dormant user. The deletion period can be set from 1 to 365 days. You can configure it to send a reminder email N days before deleting the user (1 to 30 days), and to send a notification email to the user when their information is deleted. |
| Allow dormant users to restore their status themselves. | When the option is enabled, a dormant user can restore their own status to active. A dormant user can change their status to active by resetting the password through ‘Password Reset’, which also updates the password. |
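To preview how the dormant user thresholds interact before enabling them, the settings in the table above can be modelled offline. The following is an added example, not SingleID code or a SingleID API: the field names, state labels, boundary handling (an account becomes dormant once idle days reach the threshold) and the sample users are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class DormantPolicy:
    """Hypothetical field names mirroring the settings table; ranges as documented."""
    dormant_after_days: int            # 1-365: idle days before dormancy
    notify_before_days: int            # warn starting N days before dormancy
    delete_after_days: int             # 1-365: days in dormancy before deletion
    delete_reminder_days: int          # 1-30: remind N days before deletion
    exempt_users: set = field(default_factory=set)
    exempt_groups: set = field(default_factory=set)

    def __post_init__(self):
        for name, hi in (("dormant_after_days", 365), ("delete_after_days", 365),
                         ("delete_reminder_days", 30)):
            if not 1 <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be between 1 and {hi}")

def evaluate(policy, user_id, groups, last_login, today):
    """Return the state this model assigns to one account on `today`."""
    if user_id in policy.exempt_users or policy.exempt_groups & set(groups):
        return "exempt"
    until_dormant = policy.dormant_after_days - (today - last_login).days
    if until_dormant > 0:
        return "notify" if until_dormant <= policy.notify_before_days else "active"
    until_delete = policy.delete_after_days + until_dormant  # until_dormant <= 0
    if until_delete <= 0:
        return "delete"
    return "delete_reminder" if until_delete <= policy.delete_reminder_days else "dormant"

def preview(policy, users, today):
    """Map each user ID to its state so the impact can be reviewed first."""
    return {uid: evaluate(policy, uid, grp, seen, today) for uid, grp, seen in users}

# Constructed sample data: (user ID, groups, last login date).
TODAY = date(2025, 6, 1)
USERS = [
    ("alice", ["staff"], TODAY - timedelta(days=12)),
    ("bob", ["staff"], TODAY - timedelta(days=85)),
    ("carol", ["contractors"], TODAY - timedelta(days=151)),
    ("dave", ["staff"], TODAY - timedelta(days=260)),
    ("erin", ["staff"], TODAY - timedelta(days=365)),
    ("svc-backup", ["service-accounts"], TODAY - timedelta(days=500)),
]
POLICY = DormantPolicy(90, 7, 180, 14, exempt_groups={"service-accounts"})

if __name__ == "__main__":
    print(preview(POLICY, USERS, TODAY))
```

Accounts reported as `exempt` never age out under this model, so the exception user and group lists are the entries to review most often.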
Approval Policy
The administrator can select an approval system and, depending on the type, set policies for member registration and app access through various approval lines. With diverse approval policies, security policies can be flexibly applied each time they change.
Approval can be performed by distinguishing between the built-in approval system function and the Knox Portal approval system. If integration with another approval system is required, please request it via a 1:1 inquiry.
To check the approval policy, follow the path below.
- Admin Portal > Policy > Approval Policy
Approval Policy List
| Name | Explanation |
|---|---|
| ID | This is an automatically generated ID when creating an approval policy. |
| Approval System | It is distinguished by SingleID and Knox Portal. If registration with another approval system is required, please request it via a 1:1 inquiry. |
| Type | It is divided into app access and sign-up. |
| Status | This is the approval policy status. If Not usable, you must change the approver and notifier. |
| Enable approval | It is categorized as in-use or not-in-use. Clicking the Details button lets you view applications that use the approval policy. |
Register Approval Policy
When you click the Register button, you can set the approval system, type, approver, notification method, and approval period.
| Name | Explanation |
|---|---|
| Approval System | Two options are available. |
| Type | Two options are available. |
| Approver | Select and register the approver and notifier. |
| Notification method | When an approval request is sent to the approver or notifier, choose the notification method. |
Anomaly Detection Policy
SingleID collects and analyzes user behavior data before and after authentication in real time to determine whether there is abnormal authentication activity, and immediately notifies the user of the risk when the activity is identified as belonging to an abnormal authentication category.
To access the anomalous behavior detection policy menu, proceed as follows.
- Admin Portal > Policy > Anomalous Activity Detection Policy
User Life Cycle Management
User lifecycle management provides configuration functions for setting default values when a user is created or registers, and for extending the user account’s usage period.
To enable and configure the user lifecycle management function, refer to the following.
Onboarding (subscriber)
Set the phone country code, language, and time zone when creating a user and signing up. To configure, click the Edit button at the bottom right to make changes.
Offboarding (former member)
Users can request an extension of their account usage period, and you can configure the maximum period by which it can be extended.
- Click the Activate toggle for user usage period extension requests.
- Enter N days for the maximum extendable period.
- Click the Change button under usage period request approval to set the approver.
Conditional Authentication Policy
Conditional authentication policies can set rules to match the environment, settings, and individual circumstances of user accounts.
You can set the following rules.
| Name | Description |
|---|---|
| Use multiple authenticators | Users who have relied on a single authentication method for an extended period must additionally verify their identity using a different type of authentication tool. |