SSO & two-factor

For organizations on the Enterprise plan, Momentumpro supports SAML / Google Workspace SSO and organization-wide two-factor authentication.

Single Sign-On (SAML)

Admin → Authentication → SAML.
Click Add Identity Provider.
Pick from presets:
- Google Workspace
- Microsoft Entra (Azure AD)
- Okta
- Generic SAML 2.0
Follow the on-screen guide to:
- Create the application in your IdP.
- Copy your IdP's metadata URL into Momentumpro.
- Copy Momentumpro's ACS URL and Entity ID into your IdP.
Test the connection.

Once enabled, the login page shows:

You can hide the email/password form entirely under Advanced to enforce SSO-only.

When a user signs in via SSO:

The platform looks for an existing user with the matching email.
If found, links the SAML identity to that user.
If not found, the behavior depends on your JIT provisioning setting:
- Off (default) — sign-in fails with "User not found". HR creates the user manually first.
- On — auto-creates a user with the basics from the SAML attributes.

For institutional control, keep JIT off and pre-create users via HR.

Any user can enable 2FA on themselves:

Admins can require 2FA for all users:

Admin → Authentication → Two-factor.
Tick Require 2FA for all users.
Pick a deadline — users have until this date to enable it.
After the deadline, anyone without 2FA is blocked from signing in until they enable it.

If a user loses their 2FA device:

They can use one of their recovery codes (one-time use).
Or an Admin can reset 2FA on their account, which removes the requirement and asks them to set up again on next login.

The reset is logged in the audit log.

Every sign-in attempt is recorded:

Each entry shows: timestamp, IP, location (city/country), browser, success/failure.