policy
When logging into SingleID or logging into an application registered with SingleID, various settings such as login method, authentication session, and password need to be configured according to the organization’s security policy.
SingleID provides a policy management feature that allows detailed configuration of login and authentication information.
If you have purchased the Anomalous Behavior Detection feature (ADM), you can configure it to analyze a user’s login activity at login and, when it detects authentication anomalies that differ from the norm, notify the user of a potential security threat.
The policy features provided by SingleID are as follows.
- Login Policy
- Authentication Policy
- Anomaly detection policy
By using SingleID’s policy feature, you can configure a secure authentication environment that meets organizational security requirements by specifying detailed login methods based on who is logging in, when, in which environment, and to which application.
Login Policy
The administrator can set detailed policies specifying which authentication methods users can use when logging in with SingleID, and, if necessary, create condition-based authentication policies for users authenticating in specific environments.
Login policies can be configured using the following conditions.
- Which application are you logging into?
- Who is logging in?
- In which environment are you logging in?
To access the login policy menu, navigate as follows.
- Admin Portal > Policy > Login Policy
Basic login policy
The Admin Portal creates two default policies as follows.
- Admin Portal Policy: Admin Portal access permission control policy
- Default Policy: User’s default access control policy
The Admin Portal Policy is the login policy applied when attempting to log in to the Admin Portal, and the Default Policy is the login policy applied when attempting to log in to the user portal.
If you have linked an application to SingleID and have not assigned a separate login policy, the Default Policy is automatically assigned as the default login policy.
Register login policy
The login policy sets the login policies for administrators and users. You can configure login policies based on the connection environment, application, and situation.
Login policies can be registered through a screen consisting of four steps as follows.
- General
- Allocation
- Initial Redirection
- rule
General
On the general screen, enter the name and description of the login policy.
The fields that need to be entered are as follows.
| Name | Explanation | Required or not |
|---|---|---|
| name | Enter the name of the login policy. | Required |
| Explanation | Enter the description of the login policy. | Required |
Click the Next button to go to the assignment screen.
Allocation
Specify the application to which the login policy will be applied on the assignment screen.
| name | Explanation |
|---|---|
| filter | Filter applications by status. |
| Keyword search | Search by application name and description. |
| Detailed Search | Displays detailed options for searching applications on the screen. |
| Assign button | Displays the application allocation popup on the screen. |
| List of assigned applications | The assigned applications are displayed in a list format. It starts with an empty list. |
- Click the Assign button to display the application assignment popup on the screen.
- In the Application Assignment popup, select one or more applications to assign to the login policy, then click the Assign button.
- If you have assigned all applications, click the Cancel button to close the Application Assignment popup.
Initial Redirection
Specifies the user’s login screen entry method and login method on the Initial Redirection screen.
Redirected to SingleID’s Sign-in page (login page)
Redirected to the external IdP
The explanations of the two methods above are as follows.
- If you select Redirected to SingleID’s Sign-in page, the SingleID login page will be displayed to the user attempting to log in.
- If you select Redirected to the external IdP, the user attempting to log in will see the login page of the selected Identity Provider.
- After selecting Redirected to the external IdP, you must select the Identity Provider from the selection list and designate it.
- If you select Redirected to SingleID’s Sign-in page, you can optionally display an additional button at the bottom of the SingleID login screen that allows login via an Identity Provider.
- AND see the following external IdP buttons on the Sign-In page. Click the text input field below and select one or more Identity Providers registered in SingleID to configure them to be displayed on the login screen.
Rule
In the Rules screen, edit or add login rules and set the priority among them.
| name | Explanation |
|---|---|
| Rule List | Login rules are displayed on the screen as a list. The Default Rule is shown by default, and the Default Rule cannot be deleted. |
| Keyword search | Search by the name or description of the login rule. |
| Register button | Register a new login rule. |
| Complete button | Register a login policy. |
Default Rule configuration
The login rule list on the rule screen displays Default Rule by default.
Default Rule cannot be deleted and can only be modified. Also, you cannot set a priority when adding one or more login rules. (Always the lowest priority.)
To modify the Default Rule, follow the steps below.
- Click Default Rule in the rule list.
- The WHEN condition of Default Rule cannot be modified.
- You can modify the THEN result of Default Rule.
| name | Explanation |
|---|---|
| Configure access permission | Set whether access is allowed. |
| Required authentication method | Set the primary login method. Additional login methods can be displayed on the login screen besides the default login method. |
| MFA authentication | Configure it to require an additional login after the initial login succeeds. |
| Terms and conditions for collecting consent | Set it to display the terms and conditions and request consent when a user logs into SingleID for the first time. |
| Save button | Save the modified login rule. |
In the access permission setting, you can select one of the following two options.
- Deny Access
- Allow Access
If you select Deny Access, login will be denied for all users.
When Allow Access is selected in the access permission setting, you can configure the user’s login method.
If you selected Redirected to the external IdP as the method to enter the login screen on the Initial Redirection screen, the primary login settings will not be displayed on the screen.
The required authentication method is performed by an external Identity Provider according to the Initial Redirection settings.
To have the user log in via multi-factor authentication, check the MFA authentication checkbox and then select one or more Authenticators in the text input box.
If a user logs in to SingleID for the first time, to display the terms and conditions and require the user’s consent, check the “Terms and Conditions Consent Setting (d)” checkbox and then select one or more terms or conditions to display on the screen in the text input box.
Add rule
To add a login rule, follow the steps below.
- Click the Register button at the top right of the rule list.
- On the rule registration screen, enter the rule’s name and description.
- Enter the rule items by referring to the below.
| Name | Explanation |
|---|---|
| Name | This is the name of the rule. |
| Explanation | This is an explanation of the rules. |
| User group assignment | Select the user group to apply the rule to. |
| Profile attribute assignment | Click the ‘Add’ button in the profile property assignment list to add a property. Refer to the help below for descriptions of the property and the operator. |
| Group Settings | Specify the group that the logged-in user belongs to as a member. |
| User attribute list | Specifies the attributes of the logging-in user and the conditions for each attribute. |
| Add User Attribute button | “Add Property” popup is displayed on the screen. |
Access environment
| Name | Explanation |
|---|---|
| Network | Specify the IP or network range of the user logging in. The default is “IP address anywhere”.- Desktop- Mobile |
| platform | Specifies the device information of the user logging in. The default is “Any platforms”.- Desktop- Mobile |
| browser | Specifies the browser information of the user logging in. The default is “Any browsers”.- Edge- Chrome- Safari |
| OS | Specifies the OS information for login. The default is “Any OS”.- Windows 10- Windows 11- Android- iOS |
| AND Anomalies (abnormal behavior) | Set the condition to determine whether anomalous behavior is detected during login.The anomalous behavior detection condition can be configured only for tenants that have purchased the Anomalous Behavior Detection (ADM) feature.To use the Anomalous Behavior Detection (ADM) feature, you must select the additional option when contracting for SingleID.If you wish to use the Anomalous Behavior Detection feature, you can purchase it additionally on the SCP product purchase page.After configuring all “WHEN” condition areas, set the login method that will be used when a user matching the condition logs in. |
The selectable user attributes are as follows.
User attribute information
| Attribute name | Data type | Required or not | Explanation |
|---|---|---|---|
| key | String | Required | key |
| username | String | Essential | ID |
| password | GuardedString | Required | Password |
| status | String | Required | status |
| mustChangePassword | Boolean | Required | Force password setting |
| suspended | Boolean | Required | Standby status |
| creator | String | - | Constructor |
| creationDate | Date | - | Creation date |
| lastModifier | String | - | Last editor |
| lastChangeDate | Date | - | Last modified date |
| administrator | Boolean | - | Admin status |
| displayName | String | - | Display name |
| cn | String | - | Common Name |
| local | String | - | Locale (email sending criteria) |
| userSource | String | - | User source |
| syncDate | String | - | Last synchronization time |
| contractNumber | String | - | Contract number |
| contractStartDate | String | - | Contract start date |
| contractEndDate | String | - | Subcontract termination date |
| agreementDate | String | - | Date of required terms agreement |
| accountStartDate | String | - | Account start date |
| accountEndDate | String | - | Account expiration date |
| partnerOrganizationCode | String | - | Partner company code |
| approvalUser | String | - | Approver ID |
| formattedName | String | - | Korean display name |
| familyName | String | - | Korean surname |
| givenName | String | - | Korean name |
| enFormattedName | String | - | English display name |
| enFamilyName | String | - | English surname |
| enGivenName | String | - | English name |
| adDomain | String | - | AD Domain |
| nickName | String | - | Nickname |
| employeeNumber | String | - | Employee ID |
| epId | String | - | EP ID |
| String | - | Email address | |
| phoneNumberWork | String | - | Phone number |
| mobile | String | - | mobile phone number |
| title | String | - | Job Title |
| enTitle | String | - | English job title |
| titleCode | String | - | Rank code |
| entitlement | String | - | Job Title |
| department | String | - | Department name |
| enDepartment | String | - | English department name |
| departmentCode | String | - | Department code |
| organization | String | - | Company name |
| enOrganization | String | - | English company name |
| organizationCode | String | - | Company code |
| region | String | - | base |
| userStatus | String | - | Employee status |
| userType | String | - | Employee type |
| securityLevel | String | - | Security rating |
| preferredLanguage | String | - | Knox language |
| executiveYn | String | - | Executive status |
| timeZone | String | - | Time zone |
| accountLocked | Boolean | - | Forced account lock |
| accountAutoLocked | Boolean | - | Automatic account lock |
| accountDisabled | Boolean | - | Unused account |
| accountSuspended | Boolean | - | Dormant account |
| accountSuspendedTime | Date | - | Dormancy processing time |
| lastLoginTime | Date | - | Last login time |
| accountState | String | - | Account status |
The operators are as follows.
| operator | Explanation |
|---|---|
| Equals | Searches for users whose attribute value matches the condition value. |
| Not Equals | Search for users whose attribute values do not match the condition value. |
| Starts with | Search for users whose attribute value starts with the condition string. |
| Ends with | Search for users whose attribute value ends with the condition string. |
| Contains | Searches for users whose attribute value includes the condition string. |
THEN configuration
THEN Set the login method and procedure in the result area.
You can select one of the two options in the access permission setting (a).
- Deny Access
- Allow Access
Selecting Deny Access will deny login for all users. (The default value for access permission setting (a) is Deny Access.)
To allow users to log in and configure detailed login methods, select Allow Access.
| Name | Explanation |
|---|---|
| Configure access permission | Set whether access is allowed. |
| First login setup | Set the primary login method. Additional login methods can be displayed on the login screen besides the default login method. |
| Additional login settings | Configure it to require an additional login after the initial login succeeds. |
| Terms and Conditions Agreement Settings | When a user logs in to SIngleID for the first time, configure it to display the terms and conditions and request consent. |
| PC SSO Agent Settings | Configure it to use the PC SSO Agent to verify whether a security program (Endpoint Security) is installed on the user’s PC. |
| Save button | Save the modified login rules. |
- From the first login settings selection list, select the Authenticator to use for login.
- If you want users to be able to log in with another Authenticator besides the selected primary login method, select the checkbox (V) of And allow another factors below: and choose one or more Authenticators to add in the text input box.
If you selected Redirected to the external IdP as the method to enter the login screen from the Initial Redirection screen, the primary login settings will not be displayed on the screen.
The first login is performed at an external Identity Provider according to the Initial Redirection settings.
- To have the user log in via multi-factor authentication, select the checkbox (V) in Additional Login Settings, then select one or more Authenticators in the text input field.
- If a user logs in to SingleID for the first time, to display the terms and conditions to the user and require their consent, check the terms and conditions consent checkbox and then select one or more terms or conditions to display on the screen in the text input box.
- To verify whether a security program (Endpoint Security) is installed on the user’s PC using the PC SSO Agent, select the checkbox (V) in the PC SSO Agent settings. 3. When this setting is enabled, login attempts by users without a security program installed on the PC are blocked.
If the PC SSO Agent is not registered, the PC SSO Agent configuration items will not be displayed on the screen.
If you want to require additional authentication instead of blocking the login of users who do not have security software installed on the PC while the PC SSO Agent setting (e) is enabled, select the checkbox (V) below and then choose one or more Authenticators in the text input box.
Click the Save button to register the login rule and return to the rule list.
Rule priority management
If one or more login rules are added, the administrator can set the priority among the login rules. If a user meets the conditions set in multiple rules, the login method is applied according to the rule with the highest priority.
To set the priority of login rules, follow the steps below.
- Drag the ≡ area displayed to the left of the rule name in the rule list with the mouse.
- The priority of login rules is set based on the drag-and-drop position.
- The higher a rule appears in the list, the higher its priority.
Change Policy Status
The status of the login policies managed by SingleID is as follows.
| status | Explanation |
|---|---|
| Active | Login policy operating normally |
| Inactive | Login policy disabled by the administrator |
An administrator can change the status of the login policy according to its current state as follows.
| Current status | Modifiable state | Explanation |
|---|---|---|
| Active | Inactive | Click the Disable button to change an active login policy to an inactive state. |
| Inactive | Active | Activate button can be clicked to change a disabled login policy to an enabled state. You can also delete a disabled login policy. |
Among login policies, the two policies provided by default in SingleID, Admin Portal Policy and Default Policy, cannot be disabled.
If you disable a login policy, applications that were assigned the disabled policy will automatically be reassigned to the default policy (Default Policy).
Disable policy
To disable an active login policy, follow these steps.
- Click the policy you want to deactivate in the policy list to navigate to the policy detail screen.
- Click the Disable button.
- After reviewing the login policy information displayed in the Confirm popup (the number of assigned applications and the number of rules included in the login policy), click the Deactivate button.
If you disable the login policy, applications that were assigned the disabled login policy will automatically be reassigned to the default policy (Default Policy).
Even after reactivating a disabled login policy, the applications that were previously assigned are not automatically reassigned.
Activate policy
To change a login policy from inactive to active, follow these steps.
- Click the policy you want to activate in the policy list to navigate to the policy detail screen.
- Click the Activate button to change the login policy status to active.
Delete policy
Administrators can delete the login policy from SingleID.
To delete the login policy, follow the steps below.
- Click the policy you want to delete in the policy list to navigate to the policy detail screen.
- If the login policy is enabled, click the Disable button to deactivate the policy.
- Click the Delete button displayed at the top right of the disabled login policy.
- A popup screen confirming the deletion of the login policy is displayed.
- To delete a login policy, first verify the policy information, then enter the name of the policy you want to delete and click the Delete button.
Deleted login policies cannot be restored.
When a login policy is deleted, the rules contained within the policy are also deleted, and even if you re-register a login policy with the same name, the deleted rules or configuration information will not be restored.
Access Simulation
When there are many login policies and the rules they contain, it can be difficult to determine which user is governed by which policy for login methods.
SingleID provides an access simulation feature so that administrators can quickly verify the login policies and rules applied to users.
Using the access simulation feature, you can select the user and target application, arbitrarily define the user’s login environment (network, device, browser, OS), and predict in advance which login method the user will experience in each scenario.
Additionally, if there are review requests from users experiencing login difficulties, you can quickly verify using the access simulation feature and modify the problematic policies or rules.
To use the access simulation feature, click the Access Simulation button located at the top right of the login policy list screen.
| Name | Explanation |
|---|---|
| Enter user ID | Enter the user ID of the simulation target. |
| Network Settings | Specifies the IP of the user to simulate. The default is “IP address anywhere”. |
| Platform Settings | Specify the device information of the user to be simulated. The default is “Any platforms”. |
| Browser Settings | Specify the browser information of the user to be simulated. The default is “Any browsers”. |
| OS settings | Specify the OS information of the user to be simulated. The default is “Any OS”. |
| Select Application | Select the application to be simulated. Click the application selection button to display the popup. |
| Run Simulation button | Run the access simulation. |
| Simulation results | Displays the access simulation results on the screen. The login policies and rules applied to the specified user are shown. |
| List button | Return to the login policy list. |
To run the access simulation, follow the steps below.
- Enter the ID of the user to be simulated.
- Specify the IP of the user to simulate. 2. After selecting Specific IP Address, you can manually enter the IP. 2. Enter the IP in the format 123.123.123.123.
- Specifies the device information of the user to be simulated. 3. After selecting Platform, you can select a device from the selection list.
- Specify the browser information of the user to be simulated. 4. After selecting Browser, you can select a browser from the selection list.
- Specify the OS information of the user to be simulated. 5. After selecting OS, you can select the OS from the selection list.
- Click the Application Selection button to select the target application for simulation.
- In the Application Selection popup, click the radio button to the left of the application name to select the application, then click the Add button.
If you want to re-select the application, click the X button to the right of the selected application name, then click the Select Application button again.
- Click the Run Simulation button.
- The access simulation runs, and when it finishes, the login policies and rules are displayed on the screen according to the simulation results as shown below.
Authentication Policy
The administrator needs to change detailed authentication settings according to the organization’s security policy.
SingleID categorizes and manages detailed authentication settings into the following four policies.
- Session Policy
- Authenticator policy
- MFA Service Provider Policy
- Password policy
To access the authentication policy menu, navigate as follows.
- Admin Portal > Policy > Authentication Policy
To modify the authentication policy, click the Edit button at the lower right of the authentication policy screen to change the settings, then click the Save button.
Session Policy
To change the session policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- In the maximum session limit setting, set the maximum number of sessions a user can create simultaneously.
- The minimum value that can be set is 1, and the maximum value is 100. 3. When set to 1, the user can only log in from one browser at a time and cannot log in simultaneously from multiple PCs or browsers.
- In the session priority settings, set the priority of sessions created by the user. 4. The priority can be set to one of the following two options.
- Old session
- New session
When you set the maximum session limit to 1 and select Old session in the maximum session count restriction setting, a logged-in user will have their login blocked when they attempt a new login from another PC or browser that is not logged in.
Also, when the maximum session limit setting (Œ) restricts the maximum number of sessions to 1 and New session is selected, if a logged-in user attempts a new login from another PC or browser that is not logged in, the session of the previously logged-in browser is forcibly expired and the session logged in from the new PC or browser is maintained.
In the maximum session time setting, set the maximum duration a session can be kept.
The maximum session time can be selected from one of the following two options.
- No time limit
- Set time limit
If set to No time limit, a session that has been created will not automatically expire until the user logs out. After configuring Set time limit and setting the time, when the specified time elapses, the session expires and the user is automatically logged out. In the Maximum Idle Session Time setting, set the session’s maximum idle time. If you set the maximum idle session time, the session will expire and the user will be automatically logged out when the user does not make an authentication request for the configured duration.
To save the changed settings, click the Save button at the bottom right of the authentication policy screen.
To avoid saving the changed settings, click the Cancel button at the lower right of the authentication policy screen.
| Name | Explanation |
|---|---|
| Set maximum session count limit | Sets the maximum number of concurrent sessions per user. |
| Session priority setting | When a session exceeds the user’s maximum concurrent session limit, set the priority between the previous session and the new session. |
| Maximum session time setting | Set the maximum session lifetime after the session is created. The session expires when the maximum session lifetime elapses. |
| Maximum idle session time setting | Set the session expiration time for when the user does not make an authentication request to the server for a certain period after the session is created. |
Authenticator policy
To change the Authenticator policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Configure each item as described below.
- When the setup is complete, click the Save button.
| Name | Explanation |
|---|---|
| Available Authenticator settings(for login policy) | Configure an Authenticator that can be used for authentication. |
| Authentication method during registration | When registering the Authenticator, configure the user’s primary verification method. |
| Carry out the following additional authentication | When registering an Authenticator, configure additional identity verification methods to be allowed in addition to the user’s primary verification method. |
| Find Account | Set the authentication method when retrieving the ID. |
| Password reset | Set the authentication method for password recovery. |
| Unlock setting | If a user repeatedly fails authentication while using Authenticators, the ID becomes locked. You can set a duration so that the lockout is automatically cleared after a specified period. |
To remove a specified Authenticator from the available Authenticator settings, it must first be removed from the rules of all login policies.
Configurable Authenticators can be registered in the Add Authenticator menu. 2. Disabled Authenticators cannot be configured in the available Authenticator settings.
If you have not purchased an MFA product
- Available Authenticator Settings (for login policy) is not displayed on this screen.
- If you want to purchase additional MFA products, please contact us via Support Center > Contact Us.
If a user repeatedly enters an incorrect password, fails to log in, and becomes locked out, the lock will not be released even after a certain amount of time has passed. 1. Configure lock and unlock methods based on the password in the Password Policy.
If you reset a user’s password in the User menu, you can unlock a locked user before the unlock wait time expires. 2. Please refer to password reset.
MFA Service Provider Policy
To change the MFA Service Provider policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Refer to the table below and configure each item accordingly.
- When the setup is complete, click the Save button.
| Name | Explanation |
|---|---|
| Available Authenticator settings (for MFA Service Provider) | Set the Authenticator that the user can use when an authentication request occurs from the MFA Service Provider. |
| Terms and Conditions Options | When a user registers from the MFA Servicce Provider, you can show the terms and conditions and obtain the user’s consent. |
| Unlock setting | When an authentication request occurs from the MFA Service Provider and the user repeatedly fails authentication, the ID becomes locked. You can set a time so that the locked user’s lockout is automatically cleared after a certain period. |
To remove a specified Authenticator from the available Authenticator settings, it must first be removed from all MFA Service Providers.
Configurable Authenticators can be registered from the Add Authenticator menu. 2. Disabled Authenticators cannot be set in the available Authenticator settings.
If a user authenticates with the MFA Service Provider for the first time, to configure the system to display terms and conditions to the user and require the user’s consent, check the terms and conditions option checkbox and then select one or more terms or conditions to display on the screen in the text input box.
If a user authenticating with the MFA Service Provider repeatedly fails authentication, the user’s ID becomes locked. 4. To automatically release the locked state after a certain period, set the unlock wait time in the unlock settings.
Password policy
To change the password policy, follow the steps below.
- Click the Edit button at the lower right of the authentication policy screen.
- Refer to the table below and configure each item accordingly.
- When the setup is complete, click the Save button.
| Name | Explanation |
|---|---|
| Password history | You can configure the system to prevent reuse of previously used passwords. Specify the number of recent passwords to prevent reuse. users will be unable to use the number of previously used passwords set above. |
| Password expiration | Specify the password validity period. After the validity period expires, you must change the password to log in. You can set it from 1 day up to 365 days. |
| Password lock | If the password is entered incorrectly repeatedly, the user’s ID will be locked. Specify the number of allowed repeated entry failures.
|
| Pattern and Complexity | Set the minimum password length, required characters, numbers, etc. |
| Set minimum character count | Specifies the minimum password length. |
| Set minimum number of letters | Specifies the minimum number of alphabetic characters to include in the password. |
| Minimum number of digits setting | Specifies the minimum number of digits to include in the password. |
| Set minimum number of special characters | Specifies the minimum number of special characters to include in the password. |
| Set maximum character count | Specifies the maximum password length. |
| Allow using the user ID as the password. | Set whether to allow the user’s ID to be included in the password. |
Sign-up Policy
If you want to allow user registration, enable the sign‑up policy, and users other than those provisioned from the HR system or IdP can also be registered. Through account synchronization, it provides the ability to register, create, modify, and delete accounts, as well as to invite users via the login screen or email.
To enable and use the registration policy, follow the steps below.
- Admin Portal > Policy > Sign‑up Policy click.
- Enable User Registration Allowed.
- If you enable it, the Policy tab and User Invitation tab will appear.
- Review the descriptions of the Policy tab and the User Invitation tab below, and configure the policy.
- When the setup is complete, click the Save button.
Policy
You can configure general policies for member registration.
| Name | Explanation |
|---|---|
| Display the sign‑up link on the login screen | Display a sign‑up link on the SingleID login screen.
|
| Terms and Conditions Options | Select the option to agree to terms and conditions during sign‑up. During sign‑up, you can select and apply terms and conditions separately. |
| Allow sign‑up invitations | When the feature is enabled, you can invite users via email. You can configure it so that only invited users can sign up, rather than using a separate registration page. With this setting, registration through the SingleID sign‑up link is not possible. |
| Sign-up input form | Configure the user attributes to be collected during registration. You can also specify whether each attribute is required. |
| ID duplicate prevention setting | When enabled, a suffix is added to the ID to prevent duplicate IDs. |
| This setting prevents duplicate IDs for automatically provisioned accounts. Since there are often cases where the ID values are the same, we recommend configuring it. When you sign up through registration, the corresponding PostFix value is appended to the ID. | |
| Maximum usage period | The maximum usage period is set after registration. It can be set from day 1 to day 2000. |
| Approval upon sign‑up request | When a sign-up request is submitted, you can enable the approval setting to load and apply the registered approval policy. |
Dormant User Policy
Provides a function to set users who have not used the SingleID system for an extended period to a dormant status. Users who have been changed to a dormant state can be configured, according to settings, to allow either self-recovery by the user or recovery by an administrator.
To enable and use the dormant user policy, follow the steps below.
- Admin Portal > Policy > Human User Policy Click.
- Human User Policy Activation Click the toggle button.
Additional settings are shown in the table below.
| Name | Explanation |
|---|---|
| Criteria for setting a user as dormant | This setting converts users who do not log into SingleID for N days into dormant users. It can be set from 1 day up to 365 days. |
| Send notification email | This setting sends notification emails to users starting N days before the dormant state. Additionally, you can also select the option to send notification emails to users when changing to the dormant state. |
| User exempt from dormant status change | You can click the Add button to add an exception user to change to dormant status. |
| Dormant State Exception Group | You can set exceptions for users included in the group. |
| Long-term human user management | This feature automatically deletes the user account after it has been changed to a human user. It can be set for up to 1 to 365 days. - You can configure it to send a reminder email N days before deleting the user (1 to 30 days) - You can set it to send a notification email to the user when their information is deleted. |
| Allow dormant users to directly restore their status. | Enabling the option allows dormant users to restore their status to active themselves. Dormant users can change their status to active by resetting their password through “Password Reset”. |
Approval Policy
The administrator can select an approval system and, depending on the type, configure sign‑up and app‑access policies across various approval lines. Various approval policies allow flexible application whenever the security policy changes.
Approval can be performed using either the built-in approval system feature or the Knox Portal approval system. If integration with another approval system is required, please request it via a 1:1 inquiry.
To check the approval policy, follow the path below.
- Admin Portal > Policy > Approval Policy
Approval policy list
The administrator can select an approval system and, depending on the type, configure sign‑up and app‑access policies across various approval lines. It can be flexibly applied whenever the security policy changes, using various approval policies.
| Name | Explanation |
|---|---|
| ID | This is an automatically generated ID when creating an approval policy. |
| Approval system | It is distinguished by SingleID and Knox Portal. If registration with another approval system is needed, please request it through a 1:1 inquiry. |
| type | It is divided into app access and sign-up. |
| status | This is the approval policy status. If unavailable, you must change the approver and notifier. |
| Approval use | It is categorized as in use and not in use. When you click the Details button, you can view applications where the approval policy is used. |
Register approval policy
When you click the Register button, you can set the approval system, type, approver, notification method, and approval period.
| Name | Explanation |
|---|---|
| Approval system | Two options are available.
|
| type | Two options are available.
|
| Approver | Select and register the approver and the notifier. |
| Notification method | When an approval request is received by the approver or notifier, select the notification method. |
Anomaly Detection Policy
SingleID provides a function that collects and analyzes user behavior information before and after authentication in real time to determine whether there is abnormal authentication behavior, and if identified as belonging to an abnormal authentication category, immediately notifies the user of the risk.
To access the Anomaly Detection Policy menu, navigate as follows.
- Admin Portal > Policy > Anomalous Activity Detection Policy
User lifecycle management
User lifecycle management provides configuration functions for setting default values when a user is created or registers, and for extending the user account usage period.
To enable and configure user lifecycle management, refer to the following.
Onboarding (subscriber)
Set the phone country code, language, and time zone when creating a user and signing up. To configure, click the Edit button at the bottom right to make changes.
Offboarding (departed user)
Users can request an account usage period extension, and it can be configured to allow the maximum possible extension.
- When requesting a user usage period extension, click the Activate toggle.
- Enter N days for the maximum extendable period.
- Click the Change button in the usage period request approval to set the approver.
Conditional Authentication Policy
Conditional authentication policies can set rules to match the environment, settings, and individual circumstances of user accounts.
You can set the following rules.
| Name | Explanation |
|---|---|
| Use multiple authenticators | Users who have relied on a single authentication method for an extended period must additionally verify their identity using a different type of authentication tool. |