2FA + SSO

2FA + SSO helps administrators tighten sign-in security for the whole company. Use it to ask staff to enroll in authenticator-app two-factor authentication, record the grace period for rollout, and save identity-provider details for a future SSO launch.

When to use this

Use 2FA + SSO when you want a central place to manage account security expectations before inviting more office staff, dispatchers, managers, or technicians into ToolbagCRM.

This plugin is most useful when:

  • Your company wants every staff user to set up an authenticator app.
  • You need a grace period before enforcing a new security policy.
  • You want to collect Okta, Google Workspace, Microsoft Entra, or generic OIDC/SAML provider details ahead of full SSO sign-in support.

Before you start

  • Confirm the plugin is included in your plan.
  • Open Settings → Features and make sure 2FA + SSO is enabled.
  • Sign in as an Administrator. Organization-wide 2FA and SSO settings are hidden from non-admin users.
  • Ask staff to install an authenticator app before you begin the rollout. SMS and email-code methods are labelled as coming soon in the current product.

What is available now

Area | Current behavior
Staff 2FA enrollment | Each user can set up authenticator-app 2FA from Settings → Security.
Organization 2FA policy | Administrators can turn on Require 2FA for all staff, choose a grace period, and keep authenticator-app enrollment enabled.
SMS or email codes | Shown as coming soon and disabled in the current settings screen.
SSO providers | Administrators can save provider records for Okta, Google Workspace, Microsoft Entra, or generic OIDC/SAML.
SSO sign-in enforcement | Coming soon. Saved provider details do not replace email-and-password sign-in yet.

Set the 2FA policy

  1. Go to Settings → Features.
  2. Enable 2FA + SSO if it is not already enabled.
  3. Go to Settings → Security.
  4. In Organization security, review Two-factor policy.
  5. Turn on Require 2FA for all staff when you are ready to record the company policy.
  6. Set the Grace period to the number of days staff should have to enroll.
  7. Confirm the page shows Saved before leaving the screen.

The current product records this policy and grace period. If your team still needs to enroll, tell them to use the individual 2FA setup area at the top of Settings → Security.

What staff see after enforcement

When the organization policy requires 2FA and a staff member is past the grace period, ToolbagCRM sends them to a gated enrollment screen instead of the dashboard. They add ToolbagCRM to an authenticator app, enter the 6-digit code, confirm the setup, and then save one-time recovery codes before signing in again. After enrollment, future sign-ins ask for the authenticator code during the normal login flow.
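The following Python models the gate described above as an added illustration; it is not ToolbagCRM code, and it assumes that the grace period is counted from the day the policy was saved and that recovery codes are stored only as hashes, neither of which this page states.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import secrets


@dataclass
class OrgPolicy:
    """Organization two-factor policy as recorded in Settings → Security."""
    require_2fa: bool       # "Require 2FA for all staff"
    grace_days: int         # "Grace period" in days
    enabled_on: str         # assumed: ISO date on which the policy was saved


@dataclass
class StaffUser:
    totp_enrolled: bool
    recovery_hashes: set = field(default_factory=set)  # SHA-256 of unused codes


def sign_in_step(policy: OrgPolicy, user: StaffUser, today: str) -> str:
    """Decide which screen follows a correct email-and-password sign-in."""
    if user.totp_enrolled:
        return "prompt-authenticator-code"   # normal login asks for the code
    if not policy.require_2fa:
        return "dashboard"
    deadline = date.fromisoformat(policy.enabled_on) + timedelta(days=policy.grace_days)
    if date.fromisoformat(today) > deadline:
        return "gated-enrollment"           # past grace: enroll before the dashboard
    return "dashboard"                      # inside grace: enrollment still voluntary


def issue_recovery_codes(user: StaffUser, count: int = 8) -> list[str]:
    """Generate one-time codes; keep only hashes so a database leak does not expose them."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    user.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes  # shown to the user exactly once, at enrollment


def redeem_recovery_code(user: StaffUser, code: str) -> bool:
    """Accept a code once; the matching hash is removed so it cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    match = next((h for h in user.recovery_hashes if hmac.compare_digest(h, digest)), None)
    if match is None:
        return False
    user.recovery_hashes.discard(match)
    return True
```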

Add an SSO provider record

  1. In Settings → Security, find Single sign-on.
  2. Select Add provider.
  3. Enter a display name such as Company Okta or Google Workspace.
  4. Choose the provider type.
  5. Add the identity-provider details your IT team has available.
  6. Save the provider.

Provider records can be edited or deleted later. ToolbagCRM currently stores these details so the account is ready when SSO sign-in becomes generally available.

Provider details to collect

Use the provider form as an IT handoff checklist before you start. The fields change based on the provider type you select:

Provider type | Details to collect
Google Workspace (SAML), Okta (SAML), or Microsoft Entra / Azure AD (SAML) | Display name, Entity ID/Issuer, Metadata URL, ACS URL, and signing certificate in Base64 format.
Google (OIDC), Microsoft (OIDC), or Generic OIDC | Display name, Client ID, Authorize URL, and Token URL.

Every provider also has an Enabled switch. The Mark required for staff switch is stored on the provider record but is labelled coming soon, so do not treat it as live SSO enforcement yet.

Tips

  • Announce the rollout before turning on a required policy so technicians have time to install an authenticator app.
  • Keep at least one administrator account enrolled and tested before asking the rest of the team to enroll.
  • Use a short display name for provider records so office staff can recognize the identity provider later.
  • Collect SAML metadata URLs, issuer/entity IDs, signing certificates, or OIDC client details from IT before opening the provider modal.
  • Review provider records after IT changes certificates, client IDs, domains, or identity-provider metadata.

Troubleshooting

I do not see Organization security

Make sure 2FA + SSO is enabled under Settings → Features and that you are signed in as an Administrator. Non-admin users can manage their own 2FA enrollment, but they cannot change company-wide policy or provider records.

SMS and email code switches are disabled

That is expected in the current product. Authenticator-app 2FA is the available method; SMS and email codes are marked as coming soon.

Adding a provider does not change the login screen

SSO sign-in is not generally available yet. Adding a provider stores the configuration for rollout planning, but staff continue signing in with email and password until SSO enforcement is released.