Authentication

Authentication is a top-layer security requirement because it establishes the identity and credentials of the users who access the system. Access to Meridian Cloud requires authentication via one of the supported protocols, including SAML 2.0 and OpenID Connect.

Tenant administrators can configure one additional identity provider to support their business operations. Meridian Cloud utilizes authentication to manage user accounts, invite tenant users, manage session timeouts, and control role/group-based access.

Note:

If you use Meridian Cloud in Incognito mode in Chrome, disable the Block third-party cookies option when setting this mode. If this option is enabled, your work will be interrupted because the page will refresh constantly, requiring you to re-authenticate.

Authentication Types

Meridian Cloud supports a variety of authentication providers, including Google, Microsoft, and Azure AD authentication. OAuth 2-compatible authentication can be configured to allow single sign-on (SSO) and multifactor authentication (MFA) scenarios, if required.

SAML is a standardized way to confirm the identity of a user to Meridian Cloud. SAML provides a way to authenticate a user once and communicate that to Meridian Cloud, making single sign-on (SSO) possible.

Meridian Cloud does not manage any login user names and passwords. Only the identity providers handle this information.

If you have both Not For Production (NFP) and Production (PRD) environments, you only need to configure Azure AD authentication once on the Azure AD side. Then configure it for each tenant in Meridian, pointing to that single SAML configuration.

Social Login Options

The following social login options are available:

  • Google Authentication provider – option to authenticate with a Google account. Use a company email address.

  • Microsoft Authentication provider – option to authenticate with a Microsoft Outlook or Microsoft Live account

Corporate Login Options

The following corporate settings are available:

Tenant User Invitations

Meridian Cloud has the following functionality related to inviting tenant users:

  • You can force the user to use the email that their invitation was sent to as their email address in Meridian Cloud. See Configure Email Verification.

  • Users can have multiple authentication methods linked to a single user account. When the user signs in, Meridian Cloud looks up the email address they provide. Meridian Cloud then matches that email address against the account.

    Note:

    If a user's email address changes after configuring single sign-on (from on-premises Exchange to Office 365, for example), they will no longer be able to access Meridian Cloud. Any existing work will remain assigned to the account associated with their old email address.

    If the user's email address needs to be corrected, the Tenant Administrator must delete all identities related to the user and send them a new invitation. The user can then enter the correct email address and proceed with authentication.

  • To prevent authentication conflicts, each user must have a unique username.

Configure Email Verification

Important!

We strongly recommend you invite users using their company email address.

Inform new users that they should not include special characters in their name. Special characters can cause errors when working with a user's local workspace.

To configure email verification:

  1. On the Meridian Portal Landing page, at the bottom of the navigation bar, click the Account Settings icon (a gear symbol).

    The Account Settings page appears.

  2. In the menu, click Authentication.

    The Authentication page appears and lists the current status of all IDPs.

  3. In the Email Verification group, choose one of three options:

    • Allow registration with any email address.

    • Warn tenant user when email address differs from invitation email address.

    • Deny tenant user to register with other email address than invitation address.

      If you select this option and a user attempts to register with a different email address, they will be prompted to provide additional information before they can complete registration.