Momentus Elite uses AWS Cognito as an identity provider. This gives you the option of authenticating users in Elite itself or through single sign-on with your own identity provider.
Authentication in Momentus Elite
When you use the Elite standard authentication, users will log in with their email address and a password which they create. When users log in for the first time, they are sent a temporary password to confirm that they are the owners of that email account. All users must have a unique email, and for security reasons we do not recommend that users share Elite accounts.
For an additional layer of security, users are also able to set up multi-factor authentication (MFA) on their accounts. At this time, admins are not able to enforce MFA use, although they are able to see which users have enabled it.
Authentication via Single Sign-On
Single sign-on (SSO) eliminates the need for users to keep up with a separate password for Elite by allowing them to authenticate through their organization's identity provider. Once a user has authenticated through their identity provider, SSO uses that authentication to sign the user in to Elite. This also allows you to enforce stricter password policies than Elite's standard authentication offers, and to enforce multi-factor authentication.
Elite provides integration to a wide range of identity providers, including:
- Azure AD
- Active Directory
- Google Workspace
There are several technical requirements for Single Sign-on (SSO):
- Your identity provider must support SAML 2.0.
- Your identity provider must be able to provide a Federation Metadata URL (file uploads are not currently supported).
- You have a dedicated IT department that can support the needs of a single sign-on system. Your IT department will need to handle federated identity for all users (guest, contract, and full-time employees).
- Some venues have third-party vendors who access Elite. If you wish to do this and use SSO, you may have to modify your work directory in your identity provider to handle guest users and users who use personal email accounts.
- Elite accounts require unique email addresses, and the email address of the user account in Elite must match the email address of the user in your identity provider. This is a 1:1 map of email addresses.
- For Azure Active Directory/Active Directory accounts: You will need to confirm that no current users use their UPN and their SMTP Proxy Address/User Mail Nickname to log in to two different accounts in Elite. If any do, your IT department will need to determine whether the UPN or the SMTP Proxy Address/User Mail Nickname is the appropriate mapping attribute.
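The 1:1 email mapping and the UPN/SMTP proxy address check above are easy to get wrong by hand, so here is an added pre-migration check (example code, not part of Momentus Elite or AWS Cognito). It assumes a directory export where each user has a `upn` and a `proxy_addresses` list in the usual `SMTP:`/`smtp:` form, plus an export of Elite account emails; the sample records are constructed.

```python
# Pre-SSO mapping check: added example, not Momentus Elite's own tooling.
# Assumed input shape: directory users with "upn" and "proxy_addresses"
# (the uppercase "SMTP:" entry is the primary address), and a list of Elite emails.

IDP_USERS = [  # constructed sample directory export
    {"upn": "alice@example.com", "proxy_addresses": ["SMTP:alice@example.com"]},
    {"upn": "bob@example.com",
     "proxy_addresses": ["SMTP:robert.b@example.com", "smtp:bob@example.com"]},
    {"upn": "carol@example.com", "proxy_addresses": ["SMTP:carol@example.com"]},
]
ELITE_ACCOUNTS = [  # constructed sample Elite account list
    "alice@example.com", "bob@example.com", "robert.b@example.com",
    "dave@example.com", "Dave@example.com",
]


def primary_smtp(user):
    """Return the primary SMTP proxy address (uppercase 'SMTP:' prefix), lowercased."""
    for addr in user["proxy_addresses"]:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):].lower()
    return None


def check_mapping(idp_users, elite_accounts):
    """Find users whose UPN and primary SMTP address map to two Elite accounts,
    Elite accounts with no directory match, directory users with no Elite
    account, and Elite emails that are not unique (case-insensitive)."""
    seen, dups = set(), set()
    for email in elite_accounts:
        key = email.lower()
        if key in seen:
            dups.add(key)
        seen.add(key)
    report = {"conflicts": [], "no_account": [], "unmatched_elite": [],
              "duplicate_elite": sorted(dups)}
    matched = set()
    for user in idp_users:
        upn = user["upn"].lower()
        smtp = primary_smtp(user)
        hits = {a for a in (upn, smtp) if a in seen}
        matched |= hits
        if len(hits) > 1:           # two different Elite logins for one person
            report["conflicts"].append((upn, smtp))
        elif not hits:              # directory user without an Elite account
            report["no_account"].append(upn)
    report["unmatched_elite"] = sorted(seen - matched)
    return report
```

Run it over the real exports before enabling SSO: every entry under `conflicts` needs a decision on which attribute Elite should map, and `duplicate_elite` must be empty.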