Security Settings
Configure authentication, session management, and security policies for your Hublvu organization.
Authentication
Password Policies
Configure password requirements for users who don't use SSO:
- Go to Security Settings
- Navigate to Password Policy
- Configure:
  - Minimum length
  - Complexity requirements (uppercase, numbers, symbols)
  - Password expiration period
  - Password history (prevent reuse)
- Save
Single Sign-On (SSO)
Integrate with your identity provider for centralized authentication.
Supported Providers
- SAML 2.0 (Okta, Azure AD, OneLogin, etc.)
- OAuth 2.0 / OIDC (Google, Azure AD, etc.)
SAML Configuration
- Go to Security Settings > SSO
- Select SAML 2.0
- Enter:
  - Entity ID — Your IdP's entity identifier
  - SSO URL — Login endpoint
  - Certificate — IdP's signing certificate
- Download Hublvu's metadata to configure your IdP
- Test the connection
- Enable SSO
OAuth/OIDC Configuration
- Go to Security Settings > SSO
- Select OAuth 2.0 / OIDC
- Enter:
  - Client ID — From your OAuth provider
  - Client Secret — From your OAuth provider
  - Authorization URL — Provider's auth endpoint
  - Token URL — Provider's token endpoint
  - Scopes — Required scopes (typically openid profile email)
- Test the connection
- Enable SSO
Testing SSO
Before enabling for all users:
- Click Test Connection
- Complete authentication in the popup
- Verify user information is correct
- If successful, enable SSO
Multi-Factor Authentication (MFA)
Add a second authentication factor for enhanced security.
Configuration Options
| Setting | Description |
|---|---|
| Disabled | MFA not available |
| Optional | Users can enable MFA themselves |
| Required | All users must use MFA |
Supported Methods
- Authenticator apps (Google Authenticator, Authy, etc.)
- SMS verification (if configured)
Enabling MFA
- Go to Security Settings > MFA
- Select enforcement level
- Configure allowed methods
- Save
Users are prompted to set up MFA on their next login (if required).
Session Management
Session Timeout
Configure how long inactive sessions remain valid:
- Go to Security Settings > Sessions
- Set Idle Timeout (e.g., 30 minutes)
- Set Maximum Session Duration (e.g., 8 hours)
- Save
Concurrent Sessions
Control whether users can be logged in from multiple locations:
| Setting | Behavior |
|---|---|
| Allow | Multiple simultaneous sessions permitted |
| Warn | User notified of other active sessions |
| Prevent | New login terminates existing sessions |
Session Termination
Administrators can force logout:
- Go to User Management
- Select user
- Click Terminate Sessions
All active sessions for that user end immediately.
API Security
API Keys
For programmatic access to Hublvu:
- Go to Security Settings > API Keys
- Click Create API Key
- Enter:
  - Name (for identification)
  - Permissions scope
  - Expiration (optional)
- Copy the key (shown only once)
Key Management
- View active keys and their last used time
- Revoke keys that are no longer needed
- Set expiration for temporary access
IP Allowlisting
Restrict access to specific IP addresses:
- Go to Security Settings > IP Allowlist
- Add allowed IP addresses or CIDR ranges
- Enable allowlisting
Enabling IP allowlisting blocks access from all other IPs. Ensure you include your own IP before enabling.
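A pre-flight check for the warning above, as an added example (not Hublvu code): it validates a proposed allowlist and confirms that each administrator's public egress IP is covered before allowlisting is enabled. The function names, the breadth thresholds, and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

# Assumed thresholds (not Hublvu settings): ranges wider than these get flagged.
MIN_PREFIX = {4: 16, 6: 32}

def parse_allowlist(entries):
    """Return (networks, errors) for a list of IP or CIDR strings."""
    networks, errors = [], []
    for raw in entries:
        entry = raw.strip()
        try:
            # strict=True rejects CIDRs with host bits set (203.0.113.7/24),
            # which usually means a typo in the address or the prefix length.
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors

def preflight(entries, admin_ips):
    """Check a proposed allowlist before it is enabled."""
    networks, errors = parse_allowlist(entries)
    uncovered = []
    for raw in admin_ips:
        ip = ipaddress.ip_address(raw)
        # An IPv4 address is never matched by an IPv6 range, and vice versa.
        if not any(ip.version == n.version and ip in n for n in networks):
            uncovered.append(raw)
    too_broad = [str(n) for n in networks if n.prefixlen < MIN_PREFIX[n.version]]
    return {
        "errors": errors,
        "uncovered_admin_ips": uncovered,
        "too_broad": too_broad,
        "safe_to_enable": not errors and not uncovered,
    }

if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    proposed = ["198.51.100.0/24", "203.0.113.7/24", "192.0.2.15", "10.0.0.0/8"]
    admins = ["198.51.100.23", "203.0.113.7", "2001:db8::1"]
    for key, value in preflight(proposed, admins).items():
        print(f"{key}: {value}")
```

Pass the addresses as the service will see them (the public egress IP of the office, VPN, or NAT gateway), not the local addresses of the workstations.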
Security Events
Security-related events are automatically logged:
- Failed login attempts
- Password changes
- MFA enrollment/removal
- SSO configuration changes
- Session terminations
- API key creation/revocation
View these in Audit Logs.
Best Practices
SSO centralizes authentication in your identity provider, improving security and user experience.
At minimum, require MFA for users with administrative access.
Balance security with usability. Aggressive timeouts frustrate users; long timeouts increase risk.
Rotate API keys periodically. Set expiration dates for temporary integrations.
Watch for patterns of failed login attempts that may indicate an attack.
Related Topics
- User Management — Manage users and groups
- Roles & Permissions — Access control
- Audit Logs — Security event tracking