Configure security settings
You can define the way users are allowed to access your instance on the Security Settings page, accessed via the Admin menu.
Configure SSO (SAML)
You can configure your xMatters deployment to work with SAML (Security Assertion Markup Language). For complete instructions on how to configure SSO for your instance, see Configure Single Sign On with SAML.
Set the password policy
When you create a new account, your password must follow xMatters' default password requirements.
You can set the web/app login password and mobile app passcode requirements for a company using the Security Settings page. The settings on this page determine the rules each user in a company must follow when resetting or changing their login password or passcode.
The password policy settings apply to user web/app logins only; they are not enforced for users added via the Data Synchronization and User Upload features. You can force the expiry and reset of a user's password; for details, see Control a user's access.
To set the web/app login password policy:
- In the Admin menu, under Configuration, click Security Settings.
- xMatters displays the current web/app login password policy settings:
- Enter the following information:
Field | Description |
Password Requirements | Specifies how complex users’ passwords must be; select any of the following options: |
Unique History | Specifies how many passwords xMatters stores for each user. Users cannot reuse a password until they have consecutively created as many unique new passwords as indicated in the field. |
Minimum Length | Minimum number of characters required for each password. (Passwords in xMatters cannot exceed 30 characters.) |
Maximum Age | How long (in days) each password will remain valid before the user must create a new password. If a user's password has expired, they will be prompted to create a new one the next time they log into the web user interface. |
Lockout Reset Period | Specifies how many minutes must elapse after a user attempts an invalid login before the failed login attempt count is reset to zero. This value must be equal to or less than the Lockout Duration. |
Lockout Threshold | Specifies the maximum number of consecutive invalid login attempts by a user before their account is 'locked out', preventing them from accessing the xMatters web user interface. To disable this feature and grant users an unlimited number of invalid login attempts, enter zero (0). The maximum value for this field is 50. |
Lockout Duration | Specifies how long (in minutes) a user is locked out after they exceed the number of invalid login attempts specified by the Lockout Threshold. |
- Click Save to apply your changes.
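How the three lockout fields interact, as an added example that is not xMatters code: a small Python model of the semantics described in the table above. The names LockoutPolicy and replay, the sample timelines, and the choice that the account locks when the failure count reaches the threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:
    threshold: int     # Lockout Threshold: 0 disables lockout, maximum 50
    reset_period: int  # Lockout Reset Period, in minutes
    duration: int      # Lockout Duration, in minutes

    def violations(self):
        """Check the two constraints stated in the field descriptions."""
        found = []
        if not 0 <= self.threshold <= 50:
            found.append("Lockout Threshold must be between 0 and 50")
        if self.reset_period > self.duration:
            found.append("Lockout Reset Period must not exceed Lockout Duration")
        return found

def replay(policy, attempts):
    """Replay one user's (minute, succeeded) login attempts, return each outcome.

    Assumption: the account locks when the consecutive-failure count reaches
    the threshold; the page does not say whether it is "reaches" or "exceeds".
    """
    failures, last_failure, locked_until = 0, None, 0
    outcomes = []
    for minute, succeeded in attempts:
        if minute < locked_until:
            outcomes.append("locked")  # even a correct password is refused
            continue
        # The failure count returns to zero once the reset period has elapsed.
        if last_failure is not None and minute - last_failure >= policy.reset_period:
            failures = 0
        if succeeded:
            failures = 0
            outcomes.append("ok")
            continue
        failures += 1
        last_failure = minute
        if policy.threshold and failures >= policy.threshold:
            locked_until = minute + policy.duration
            outcomes.append("lockout")
        else:
            outcomes.append("failed")
    return outcomes

# Constructed sample: threshold 3, reset period 10 minutes, duration 15 minutes.
POLICY = LockoutPolicy(threshold=3, reset_period=10, duration=15)
BURST = [(0, False), (1, False), (2, False), (5, True), (17, True)]
TYPOS = [(0, False), (11, False), (22, False), (33, False)]
```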
Default password policy
When you create a new xMatters account, your password must follow these requirements:
- Contains 1 or more uppercase letters (A - Z)
- Contains 1 or more lowercase letters (a - z)
- Contains 1 or more special characters (!@#$% etc.)
- Contains 8 or more characters (passwords in xMatters cannot exceed 100 characters)
- Does not contain dictionary words, a company or application name, or a commonly used password
If users have more than one account configured on the xMatters mobile app, the most restrictive passcode settings will be applied to all accounts. For example, if only one configured account requires a passcode, a user will be required to enter the passcode to access all of their accounts. If there are multiple accounts with different timeout periods configured, the most restrictive timeout period will be observed for all accounts.
To set the mobile app passcode policy:
- In the Admin menu, under Configuration, click Security Settings.
- In the Mobile App Passcodes section, enter the following information:
Field | Description |
Require Passcodes on Mobile Apps | When selected, requires mobile app users to enter a passcode before they can access their xMatters account. |
Inactivity Timeout | If Require Passcodes on Mobile Apps is selected, the maximum time that a mobile app user can be inactive before being required to re-enter the passcode (1-60 minutes). |
- Click Save to apply your changes.
Changes to the mobile passcode policy settings may take up to 3 minutes to take effect on mobile devices.
Set the web session duration
You can adjust how long a logged-in user can remain inactive in xMatters before they are automatically logged out.
By default, users can have multiple browser sessions open at the same time, provided they do not exceed the maximum session duration. If your organization's security policy forbids users from logging in to xMatters in more than one browser session (i.e., multiple windows or tabs), you can opt in to disallowing concurrent web sessions. To enable this option for your instance, contact Customer Support.
To set the web session settings:
- In the Admin menu, under Configuration, click Security Settings.
- In the Web Session Settings section, enter the following information:
Field | Description |
Max Session Duration | The timeout period in minutes. Allowed values are 5 to 480 minutes (default 30 minutes). If the logged-in user is inactive for this length of time, xMatters ends the web session and requires the user to log in again. When the user logs back in, they can resume their previous session. Unsaved changes will be preserved until the user closes their browser. |
Exclude Reporting Pages | When this option is selected, reporting pages will not time out. This includes the Conference Bridge report, dashboards in the Communication Center, Alerts report, Integration Builder Activity Stream, and Notifications report. This setting is disabled by default for new companies (reporting pages will time out). |
- Click Save to apply your changes.