
Configure Login and Authentication

Set up login methods, restrict access to approved IP addresses, and enforce two-factor authentication for your organization

The Security tab in Settings gives administrators full control over how users log in and how the platform is protected from unauthorized access. You can choose which authentication methods are available, limit logins to approved IP addresses, and require two-factor authentication for everyone in the system.

Only administrators, system technicians, and user-defined users with access to security settings can view and edit this page.


Login Options

Go to Settings > Security. Under Login options, you'll find four toggles:

  • Login with password: The default method. Users sign in with their email and a password. Passwords are securely stored and must meet complexity requirements (one uppercase, one lowercase, one number, one symbol).

  • Login with Google: Allows users to authenticate using their Google account via OAuth 2.0.

  • Login with Microsoft: Allows authentication through Microsoft Azure Active Directory via OAuth 2.0.

  • Login with SAML: Enables SSO through a SAML 2.0 identity provider of your choice, such as AWS, Okta, Google Workspace, Microsoft Azure, or Ping Identity.

The SAML 2.0 login option is available only on the Advanced plan.

You can enable multiple methods at once or restrict users to a single method. If you enable Google or Microsoft login, users will see those options directly on the login page. If you enable SAML, see the dedicated SAML setup guide for the full configuration steps.

If you enable SSO (Google, Microsoft, or SAML), you can fully disable password-based login so that users can only sign in through your identity provider. Consider your organization's IT setup before disabling password login.


Configuring SAML Login

When you enable Login with SAML, four additional fields appear that are needed to connect Whistleblower Software to your identity provider:

  • Service provider metadata file: Click Download to get the metadata file for Whistleblower Software. Share this with your IT team or upload it directly into your identity provider's configuration.

  • Application ACS URL: This is the callback URL your identity provider sends users back to after authentication. Copy this and paste it into the ACS URL field in your identity provider's settings.

  • Application entity ID: A unique identifier for Whistleblower Software within your identity provider. Copy this and enter it as the entity ID or audience URI in your identity provider's settings.

  • Identity provider metadata file: Once your identity provider is configured, download the metadata XML file from your identity provider and upload it here to complete the connection.

Users must be created in Whistleblower Software before they can sign in via SAML. Creating a user in your identity provider alone is not enough.


Whitelisting IP Addresses

Scroll to the Security section. In the Whitelisted IP addresses for login field, enter the IPv4 addresses from which users are permitted to log in. Once any address is added, only logins from the listed IPv4 addresses will be allowed. This is useful for organizations that want to limit all login activity to a specific network, such as a company office or VPN.

If you're unsure which IPv4 addresses to whitelist, contact your IT team before making changes.

If you add an incorrect IPv4 address, you may lock yourself out of the system. Double-check all entries before saving.
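One way to double-check entries before saving, as an added example (not Whistleblower Software's own code). It assumes the field takes individual IPv4 addresses, as this page states, and that the platform sees your public egress address; the function name and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Ranges a hosted service does not see as a client's source address
# (RFC 1918 private, loopback, link-local, RFC 6598 carrier-grade NAT).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


def review_allowlist(entries, current_public_ip):
    """Review candidate entries; report whether saving would lock you out."""
    accepted, rejected, warnings = [], {}, []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.IPv4Address(entry)
        except ValueError:
            if "/" in entry:
                reason = "range notation; this page only documents IPv4 addresses"
            elif ":" in entry:
                reason = "IPv6; this page only documents IPv4 addresses"
            else:
                reason = "not a valid IPv4 address"
            rejected[entry] = reason
            continue
        if any(addr in net for net in INTERNAL_RANGES):
            warnings.append(f"{addr} is an internal address, not a public egress address")
        if str(addr) not in accepted:
            accepted.append(str(addr))
    me = str(ipaddress.IPv4Address(current_public_ip.strip()))
    return {
        "accepted": accepted,
        "rejected": rejected,
        "warnings": warnings,
        # Once any address is listed, only listed addresses may log in.
        "locks_out_current_session": bool(accepted) and me not in accepted,
    }


if __name__ == "__main__":
    # Constructed sample input: office egress, VPN egress, a LAN address, a typo.
    sample = ["203.0.113.10", " 198.51.100.7 ", "192.168.1.20", "203.0.113.300"]
    print(review_allowlist(sample, "198.51.100.7"))
```

Pass the public address your current session comes from as the second argument; if `locks_out_current_session` is true, saving the list would block the session making the change.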


Enforcing Two-Factor Authentication

The Require two-factor authentication toggle forces all users in your system to set up 2FA the first time they sign in. Once enabled, users who haven't configured 2FA will be prompted to do so before they can access their account.

We strongly recommend enabling this for all organizations. Even if a password is compromised, 2FA prevents unauthorized access by requiring a second verification step.


We’re here to support you. If you have questions, reach out to us directly via the Messenger icon in the bottom right corner of your screen, or send us an email at support@whistleblowersoftware.com.
