When a user logs in to their account in Talos Perform, they must be authenticated and authorised. This page outlines the process involved and the options available to clients.
Users can log in to Talos Perform using several means:
Email address and password
Single Sign On from a pre-configured SAML2.0 identity provider
Log in with Google button
Log in with Microsoft button
The "Log in with..." buttons use proprietary code from Google and Microsoft. These mechanisms make use of the standard and trusted identity endpoints from those vendors.
Email address and password
Each user in Talos Perform has a unique email address. This, combined with a password, can be used to authenticate the user. Once authenticated, the user's roles are determined from the database: Employee/Manager, Administrator, Moderator, Form Designer, Configuration. These roles are set by other Configurators. See our help page on roles and permissions for more information.
When a user is first added to Talos Perform, they are not assigned a password. Instead, they must use the registration procedure to create their own password that complies with the account's password policy.
Password policy
The user's password must comply with the account's password policy. As a client of Talos Perform, you can determine the appropriate policy for your users (subject to certain minimums enforced as part of our ISO27001 standard). You can set the policy in your Configuration area. You can determine the following:
Password history - prevent password reuse
Minimum length
Whether a non-letter or digit is required
Whether lowercase and uppercase characters are required
Whether a digit is required
Whether moderators are allowed to set passwords for people they moderate
You can also set a maximum number of login attempts before the account is locked. The account can be unlocked by resetting the password.
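The settings above, modelled as an added example (not Talos Perform's own code): a candidate password is checked against each rule, reuse is detected against salted hashes rather than stored passwords, and failed logins are counted towards a lock. The field names, default values and PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 200_000  # constructed work factor; tune for your hardware


@dataclass
class PasswordPolicy:
    """Hypothetical model of the configurable settings listed on this page."""
    min_length: int = 10
    history_depth: int = 3          # previous passwords that may not be reused
    require_symbol: bool = True     # a character that is neither letter nor digit
    require_mixed_case: bool = True
    require_digit: bool = True
    max_login_attempts: int = 5


def hash_password(password, salt=None):
    """Return (salt, digest) so history entries are never kept in clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def policy_violations(password, policy, history):
    """List every rule the candidate breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("too short")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("no digit")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        problems.append("needs lowercase and uppercase")
    if policy.require_symbol and all(c.isalnum() for c in password):
        problems.append("no symbol")
    recent = history[-policy.history_depth:] if policy.history_depth else []
    for salt, digest in recent:  # re-hash with each stored salt, compare in constant time
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reused")
            break
    return problems


def register_failed_login(failed_attempts, policy):
    """Return (new_count, locked); a locked account stays locked until a reset."""
    failed_attempts += 1
    return failed_attempts, failed_attempts >= policy.max_login_attempts
```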
Reset a password
The user can reset their own password by requesting a reset link to be sent to their email address. When they click the link, the user is taken to a page where they can enter and confirm a new password that complies with the account's password policy.
Administrators can also send password reset links on behalf of the user, but only the user with access to the email address may go on to set a new password using this process.
Single Sign On via SAML2.0 (SSO)
Talos Perform uses the SAML2.0 protocol to enable single sign on from an approved identity provider. Users are authenticated according to a unique ID/username or email address.
When SSO is enabled, email and password login is typically disabled. However, it is possible to allow both means of authentication if desired. See our help page on SSO for more information.
Multi-factor authentication (MFA or 2FA)
Talos Perform does not provide its own MFA support because this is typically provided by the client as part of their SSO authentication process. In other words, if you log in to Talos Perform using your Microsoft Entra SSO configuration, you should configure Microsoft Entra to conduct the MFA test prior to sending the SAML response to Talos Perform.
Per-user configuration
Some large organisations are only able to provide SSO for a subset of users, so it's possible in Talos Perform to specify the means of authentication (username/password vs SSO) down to user level.
