Authentication
Authentication is a foundational security requirement: it establishes the identity of a user before any access to the system is granted. Access to Meridian Cloud requires authentication via one of the supported protocols, including SAML 2.0 and OpenID Connect.
Tenant administrators can configure one additional identity provider to support their business operations. Meridian Cloud uses the authenticated identity to manage user accounts, invite tenant users, enforce session timeouts, and control role- and group-based access.
If you use Meridian Cloud in Chrome Incognito mode, turn off the Block third-party cookies option for that mode. The sign-in flow round-trips through the identity provider, and with the option enabled the page refreshes constantly and repeatedly asks you to re-authenticate, interrupting your work.
Authentication Types
Meridian Cloud supports several authentication providers, including Google, Microsoft, and Azure AD. OAuth 2.0 compatible providers can be configured to support single sign-on (SSO) and multifactor authentication (MFA) if required; because Meridian Cloud holds no credentials, MFA is enforced by the identity provider, not by Meridian Cloud.
SAML is a standardized way to assert a user's identity to Meridian Cloud: the identity provider authenticates the user once and communicates the result to Meridian Cloud, making single sign-on (SSO) possible.
Meridian Cloud does not store or manage any login user names or passwords; only the identity providers handle those credentials.
If you have both Not For Production (NFP) and Production (PRD) environments, configure Azure AD authentication once on the Azure AD side, then point each Meridian tenant at that single SAML configuration.
Social Login Options
The following social login options are available:
- Google Authentication provider – authenticate with a Google account. Use a company email address rather than a personal one.
- Microsoft Authentication provider – authenticate with a Microsoft Outlook or Microsoft Live account.
Corporate Login Options
The following corporate settings are available:
- Azure AD (OpenID Connect) – standard option
With the Azure AD authentication option in Meridian Cloud, a user authenticates against your corporate Azure AD instance using the OpenID Connect protocol.
To allow Meridian Cloud to read user profiles from your Azure AD instance, an Azure AD administrator must first grant consent to the Meridian Cloud Azure AD app. The application requires only limited permissions to read user profile information, such as the email address; review the consent prompt to confirm that no broader permissions are requested.
Your Azure AD administrator can find an application named M360 in the list of registered apps and further restrict user access if required.
For details on user and admin consent, or on configuring additional user access for an Azure AD app, see the Microsoft documentation on those topics.
- SAML – configure a third-party identity provider
See Configure a Third-Party Identity Provider and Configure Active Directory For Single Sign-On to learn how to implement this option.
Tenant User Invitations
Meridian Cloud has the following functionality related to inviting tenant users:
- You can require that a user register with the email address their invitation was sent to. See Configure Email Verification.
- Users can have multiple authentication methods linked to a single user account. When a user signs in, Meridian Cloud looks up the email address asserted by the identity provider and matches it against the account. Because account matching is keyed on the email address, enable only identity providers that verify ownership of the addresses they assert.
Note: If a user's email address changes after single sign-on is configured (for example, when migrating from on-premises Exchange to Office 365), they can no longer access Meridian Cloud because the new address does not match any account. Any existing work remains assigned to the account associated with the old email address.
To correct a user's email address, the Tenant Administrator must delete all identities related to the user and send a new invitation. The user can then enter the correct email address and authenticate.
- To prevent authentication conflicts, each user must have a unique username.
Configure Email Verification
We strongly recommend that you invite users using their company email address.
Inform new users that they should not include special characters in their name; special characters cause errors when working with a user's local workspace.
To configure email verification:
- On the Meridian Portal landing page, at the bottom of the navigation bar, click the Account Settings icon.
The Account Settings page appears.
- In the menu, click Authentication.
The Authentication page appears and lists the current status of all identity providers (IdPs).
- In the Email Verification group, choose one of three options:
  - Allow registration with any email address.
  - Warn tenant user when email address differs from invitation email address.
  - Deny tenant user to register with other email address than invitation address.
If you select this option and a user attempts to register with a different email address, they are prompted to provide additional information before they can complete registration.
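The following is an added example, not Meridian Cloud code, that models the account-linking and email-verification behaviour described in Tenant User Invitations and Configure Email Verification: identities from several providers link to one account matched on the email address the identity provider asserts, the three Email Verification settings decide what happens when that address differs from the invited one, and a changed address at the provider no longer matches (the note above), with the administrator's delete-and-reinvite remedy. The class and function names, the opaque invitation token, and the sample addresses are assumptions for illustration.

```python
"""Email-keyed account linking under the three Email Verification settings."""
import secrets
from dataclasses import dataclass, field
from enum import Enum


class EmailPolicy(Enum):
    ALLOW_ANY = "allow registration with any email address"
    WARN = "warn when email differs from the invitation email"
    DENY = "deny registration with an email other than the invitation email"


def normalize(email: str) -> str:
    """Match addresses case-insensitively; providers differ in how they case them."""
    return email.strip().lower()


@dataclass
class Account:
    email: str                                     # normalized address
    identities: set = field(default_factory=set)   # {(provider, subject)}


class Tenant:
    """One tenant: invitations, accounts, and which account owns each identity."""

    def __init__(self, policy: EmailPolicy):
        self.policy = policy
        self.invitations: dict[str, str] = {}      # token -> invited email
        self.accounts: dict[str, Account] = {}     # email -> Account
        self.owner: dict[tuple, str] = {}          # (provider, subject) -> email

    def invite(self, email: str) -> str:
        token = secrets.token_urlsafe(16)          # assumed opaque invitation token
        self.invitations[token] = normalize(email)
        return token

    def _link(self, account: Account, provider: str, subject: str) -> bool:
        """Attach an IdP identity; refuse if it already belongs to another account."""
        ident = (provider, subject)
        if self.owner.get(ident, account.email) != account.email:
            return False
        account.identities.add(ident)
        self.owner[ident] = account.email
        return True

    def register(self, token: str, provider: str, subject: str, asserted_email: str):
        """First sign-in through an invitation link; applies the tenant's policy."""
        invited = self.invitations.get(token)
        if invited is None:
            return "invalid-invitation", None
        asserted = normalize(asserted_email)
        outcome = "registered"
        if asserted != invited:
            if self.policy is EmailPolicy.DENY:
                return "denied", None              # invitation stays valid for a retry
            if self.policy is EmailPolicy.WARN:
                outcome = "registered-with-warning"
        account = self.accounts.setdefault(asserted, Account(asserted))
        if not self._link(account, provider, subject):
            return "identity-conflict", None
        del self.invitations[token]                # single use
        return outcome, account

    def sign_in(self, provider: str, subject: str, asserted_email: str):
        """Later sign-ins: look up the asserted email, link a new provider to it."""
        account = self.accounts.get(normalize(asserted_email))
        if account is None:
            return "no-account", None              # e.g. the email changed at the IdP
        if not self._link(account, provider, subject):
            return "identity-conflict", None
        return "signed-in", account

    def reset_user(self, old_email: str, new_email: str) -> str:
        """Admin remedy for a changed address: drop the identities, re-invite."""
        account = self.accounts.get(normalize(old_email))
        if account is not None:
            for ident in account.identities:
                self.owner.pop(ident, None)
            account.identities.clear()             # existing work stays on the old account
        return self.invite(new_email)


def walkthrough() -> list:
    """Constructed scenario following the page's notes; returns the outcomes."""
    t = Tenant(EmailPolicy.DENY)
    tok = t.invite("alice@example.com")
    out = [t.register(tok, "google", "g-1", "Alice@Example.com")[0]]    # case differs: matches
    out.append(t.sign_in("microsoft", "ms-7", "alice@example.com")[0])  # second IdP linked
    out.append(t.sign_in("microsoft", "ms-7", "alice@corp.example")[0]) # address changed
    tok2 = t.reset_user("alice@example.com", "alice@corp.example")
    out.append(t.register(tok2, "microsoft", "ms-7", "alice@corp.example")[0])
    out.append(t.register(t.invite("bob@example.com"), "google", "g-2", "bob@gmail.example")[0])
    return out


if __name__ == "__main__":
    print(walkthrough())   # ['registered', 'signed-in', 'no-account', 'registered', 'denied']
```

The lookup key is the address as asserted by the identity provider, so the strength of the link is exactly the strength of that claim; that is why the page recommends company addresses and why the Deny option is the safest of the three. The `owner` map enforces the unique-username rule: one provider identity can never be attached to two accounts, even under the Allow setting.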