SSO & OTP Technical Configuration Guide

This document outlines the mechanics of the Wildmoka One-Time Password (OTP) system and the technical requirements for Single Sign-On (SSO) integration.


1. OTP & MFA Security Mechanics

Wildmoka utilises an OTP system as a Multi-Factor Authentication (MFA) layer to protect user accounts. This ensures that even if a password is compromised, unauthorised users cannot access the system without access to the registered email account.

Trigger Logic: When is OTP Required?

By default, the system is set to AUTO mode. The trigger depends on the following:

  • Authentication Method: OTP applies only to non-SSO logins (email/password). We assume SSO providers manage their own MFA protocols.
  • IP Reputation: In AUTO mode, the system triggers an OTP request only if the user’s IP address is flagged as "suspicious" by our third-party intelligence partner.
  • Tenant Settings: While AUTO is the default, a tenant can be configured to ALWAYS require OTP for every non-SSO login, or OFF (not recommended).

Session Management & Frequency

  • Session Duration: Wildmoka session cookies expire after 30 days.
  • Re-authentication: A user is typically prompted to log in again every 30 days; whether an OTP is then required depends on the tenant's configuration.


2. SSO Integration (SAML 2.0)

To initiate the integration, please provide either your XML Metadata file or your Entity ID (pointing to the URL from which the metadata can be downloaded).

Supported Attribute Name Formats

Wildmoka supports the three primary SAML attribute name formats:

  1. urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  2. urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
  3. urn:oasis:names:tc:SAML:2.0:attrname-format:uri

Required SAML Attributes

We expect the following attributes to identify users:

Attribute          Status        Description
email              Mandatory     Must be sent as a custom attribute (distinct from NameID).
first_name         Recommended   User’s given name.
last_name          Recommended   User’s surname.
wm_profile_name    Optional      String containing the user profile.
wm_profiles_list   Optional      List of strings containing user profiles.
wm_profiles_str    Optional      User profiles separated by semicolons.

We support SAML 2.0 and JIT Provisioning.

We do not support OAuth 2.0, OIDC, or SCIM Provisioning.
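As an added example (not Wildmoka's own code), a small Python check that an incoming assertion carries the attributes listed above, accepting any of the three supported name formats and counting email as present only when it arrives as a custom attribute rather than just as NameID; the assertion text is constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The three name formats the guide supports; per SAML 2.0, an Attribute
# without a NameFormat is treated as "unspecified".
FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
}
DEFAULT_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
MANDATORY = ("email",)

# Constructed sample assertion (illustration only): email is a custom attribute
# distinct from NameID, first_name omits NameFormat, profiles come as a ';' string.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
   <saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="wm_profiles_str" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>editor; publisher</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {Name: [values]} from the AttributeStatement; reject any
    Attribute whose NameFormat is not one of the three supported ones."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        fmt = attr.get("NameFormat", DEFAULT_FORMAT)
        if fmt not in FORMATS:
            raise ValueError(f"unsupported NameFormat: {fmt}")
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def check_assertion(assertion_xml):
    """Return (ok, problems). NameID alone does not satisfy 'email': the
    guide requires it as a custom attribute, so only attrs is consulted."""
    attrs = extract_attributes(assertion_xml)
    problems = [f"missing mandatory attribute: {n}" for n in MANDATORY if not attrs.get(n)]
    return (not problems, problems)

def user_profiles(attrs):
    """Merge the three optional profile attributes into one list of names."""
    profiles = list(attrs.get("wm_profile_name", [])) + list(attrs.get("wm_profiles_list", []))
    for joined in attrs.get("wm_profiles_str", []):
        profiles += [p.strip() for p in joined.split(";") if p.strip()]
    return profiles
```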


3. Disabling OTP

While possible, Wildmoka strongly advises against disabling OTP. Removing this layer means that a compromised password grants immediate access to your environment, creating a security risk to your data and the platform.

  • For all users within your system: Can be disabled upon request, but removes the final line of defence for password-based logins.
  • For an individual user: Can be disabled for specific accounts (e.g., automated service accounts) by requesting this from your Backlight representative.