Application Authentication and Security
VenueOps uses Amazon Cognito as its identity provider. This gives you the option of authenticating users directly in VenueOps or through single sign-on (SSO) with your organization's own identity provider.
Authentication in VenueOps
When you use the standard VenueOps authentication, users log in with their email address and a password they create. When a user logs in for the first time, a temporary password is sent to their email address to confirm that they own that mailbox. Every user must have a unique email address, and for security reasons we do not recommend that users share VenueOps accounts: a shared account cannot be attributed to one person in audit records and undermines MFA.
For an additional layer of security, users can also set up multi-factor authentication (MFA) on their accounts. At this time, admins are not able to enforce MFA use, although they can see which users have enabled it. If your organization must require MFA for every user, that enforcement has to come from your identity provider via SSO (see below).
Authentication via Single Sign-On
Single sign-on (SSO) removes the need for users to maintain a separate VenueOps password by letting them authenticate through their organization's identity provider. Once a user has authenticated with the identity provider, SSO uses that assertion to sign them in to VenueOps. This also lets you enforce password policies stricter than those of VenueOps itself, and lets you require multi-factor authentication for everyone who accesses VenueOps.
VenueOps provides integration to a wide range of identity providers, including:
- Azure AD
- Active Directory
- Google Workspace
There are several technical requirements for single sign-on (SSO):
- Your identity provider must support SAML 2.0.
- Your identity provider must be able to publish a federation metadata URL. Uploading a metadata XML file is not currently supported, so the metadata must stay reachable at that URL, since VenueOps reads it from there.
- You have a dedicated IT department that can support a single sign-on system. Once SSO is enabled, your IT department must handle federated identity for all VenueOps users, including guests, contractors, and full-time employees.
- Some venues have third-party vendors who access VenueOps. If you want those vendors to keep their access under SSO, you may have to modify your directory in your identity provider to accommodate guest users and users who sign in with personal email accounts, because every VenueOps user must be able to authenticate through your identity provider.
- VenueOps accounts require unique email addresses, and the email address of a user's VenueOps account must match the email address that your identity provider asserts for that user. This is a strict 1:1 mapping of email addresses: one directory identity to one VenueOps account.
- For Azure Active Directory / Active Directory accounts: confirm that no current user has two VenueOps logins, one under their UPN and another under their SMTP proxy address or mail nickname. If any do, your IT department must decide whether the UPN or the SMTP proxy address / mail nickname is the attribute to map, and must be aware that the VenueOps account registered under the other attribute will no longer be reachable through SSO.
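The UPN versus proxy-address check in the last requirement, and the 1:1 mapping rule before it, are worth scripting against a directory export before SSO is switched on, because anything that fails them either locks a user out or leaves a second account unreachable. The following is an added example, not VenueOps code and not an official Microsoft tool: it runs in Python on a constructed directory export (each user's userPrincipalName and proxyAddresses, as you would get from `Get-MgUser -Property UserPrincipalName,ProxyAddresses`; that cmdlet and the field names are assumptions about your export) and a constructed list of VenueOps account emails. It reports users who currently hold two VenueOps logins, shows which VenueOps accounts become orphaned under each choice of mapping attribute, and flags any VenueOps address that more than one directory user would map to.

```python
"""Pre-SSO account-mapping check (added example, not VenueOps code)."""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    """One directory user from a constructed Azure AD / Entra ID export."""
    upn: str                       # userPrincipalName
    proxy_addresses: list = field(default_factory=list)  # proxyAddresses

    def primary_smtp(self):
        """Primary SMTP address: the proxyAddresses entry whose prefix is upper-case 'SMTP:'."""
        for pa in self.proxy_addresses:
            if pa.startswith("SMTP:"):
                return pa[len("SMTP:"):].lower()
        return None

    def all_addresses(self):
        """Every address this user could be identified by: UPN plus all smtp/SMTP proxies."""
        addrs = [self.upn.lower()]
        for pa in self.proxy_addresses:
            scheme, _, addr = pa.partition(":")
            if scheme.lower() == "smtp" and addr:
                addrs.append(addr.lower())
        return list(dict.fromkeys(addrs))  # de-duplicate, keep order


def mapping_value(user, attribute):
    """The value the IdP would assert for this user under the chosen mapping attribute."""
    if attribute == "upn":
        return user.upn.lower()
    if attribute == "smtp":
        return user.primary_smtp()
    raise ValueError(f"unknown mapping attribute: {attribute}")


def check_mapping(directory_users, venueops_emails, attribute="upn"):
    """Compare a directory export with the VenueOps account list.

    Returns:
      two_accounts   - UPN -> VenueOps addresses for users who reach more than one account
      orphaned       - VenueOps accounts no user's chosen attribute would map to
      not_one_to_one - VenueOps address -> UPNs, where several users map to one account
    """
    venue = {e.strip().lower() for e in venueops_emails}

    # Requirement: no user may have one login under the UPN and another under a proxy address.
    two_accounts = {}
    for u in directory_users:
        hits = sorted(a for a in u.all_addresses() if a in venue)
        if len(hits) > 1:
            two_accounts[u.upn.lower()] = hits

    # Under the chosen attribute, which VenueOps accounts are reachable, and by whom?
    reachable = {}
    for u in directory_users:
        value = mapping_value(u, attribute)
        if value in venue:
            reachable.setdefault(value, []).append(u.upn.lower())
    orphaned = sorted(venue - set(reachable))
    not_one_to_one = {e: owners for e, owners in reachable.items() if len(owners) > 1}
    return {"two_accounts": two_accounts, "orphaned": orphaned, "not_one_to_one": not_one_to_one}


# Constructed sample export; example.com and the people are invented.
DIRECTORY = [
    DirectoryUser("alice@example.com", ["SMTP:alice@example.com"]),
    # UPN and primary SMTP differ: the classic source of two VenueOps logins
    DirectoryUser("bsmith@example.com", ["SMTP:bob.smith@example.com", "smtp:bsmith@example.com"]),
    # UPN differs from the address the user actually registered with
    DirectoryUser("cjones@example.com", ["SMTP:carol.jones@example.com"]),
    # External guest whose VenueOps account is under a personal mailbox
    DirectoryUser("dan_gmail.com#EXT#@example.onmicrosoft.com", ["SMTP:dan@gmail.com"]),
]

# Constructed VenueOps account list.
VENUEOPS_ACCOUNTS = [
    "alice@example.com",
    "bsmith@example.com",
    "bob.smith@example.com",   # Bob's second login
    "carol.jones@example.com",
    "dan@gmail.com",
    "erin@example.com",        # no directory user at all
]


if __name__ == "__main__":
    for attr in ("upn", "smtp"):
        report = check_mapping(DIRECTORY, VENUEOPS_ACCOUNTS, attribute=attr)
        print(f"--- mapping attribute: {attr} ---")
        print("users with two VenueOps logins:", report["two_accounts"])
        print("VenueOps accounts orphaned under this attribute:", report["orphaned"])
        print("VenueOps accounts reached by several users:", report["not_one_to_one"])
```

Run it once per candidate attribute: the users listed under `two_accounts` are the ones IT must resolve before choosing, and the `orphaned` list shows the cost of each choice (an account such as `erin@example.com` that no directory user maps to under either attribute will be locked out as soon as SSO is the only way in, so it needs a directory identity or should be removed). Anything in `not_one_to_one` breaks the 1:1 rule and must be fixed in the directory.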