What is the Security page and how do I use it?

Learn how to use the Security page in Tribal Habits to manage your portal's security posture, access controls, authentication, brand and user monitoring settings.

Written by Lou Monsour

Overview

The Security page gives admins a centralised view of your portal's security posture and lets you configure key security controls across access, authentication, brand and user management.

To access the page, navigate to Admin > Account > Security.

The page is organised into the following sections:

  • Trust, Help and Reports: Quick links to Tribal Habits' Trust Centre, helpful resources and relevant Analytics reports.

  • Posture: A high-level summary of how many platform-enforced, organisation-enabled and Tribal Habits-managed controls are active in your portal.

  • Access controls: Controls that manage general user access into your portal.

  • Authentication: Controls that manage how users authenticate, including SSO and MFA options.

  • Brand: Controls that can enhance your security by enforcing organisation brand standards.

  • Users: Controls that assist in monitoring user access and permissions.

Note: Some controls are marked Enforced. These are active by default across all portals and cannot be turned off.

Trust, Help and Reports

At the top of the Security page, three information panels provide quick access to useful resources:

Posture

The Posture section gives you an at-a-glance summary of your security controls across three categories:

  • Platform enforced controls: Controls that Tribal Habits applies automatically to all portals.

  • Organisation enabled controls: Controls that your organisation has chosen to enable.

  • Tribal Habits managed controls: Controls managed on your behalf by Tribal Habits.

Click View next to any category to see the specific controls included. You can also use the Search by keyword box to quickly find a specific control on the page.

Access controls

These controls manage general user access into your portal.

  • Automatic session timeout: Users are automatically signed out after 60 minutes of inactivity. This control is enforced across all portals and cannot be disabled.

  • Password complexity enforcement: Local passwords must be at least 8 characters and include uppercase, lowercase and numeric characters. This control is enforced across all portals and cannot be disabled.

  • Account lockout after repeated failed logins: Users with 10 failed login attempts are automatically deactivated to prevent brute force attacks. This control is enforced across all portals and cannot be disabled.

  • Require MFA for administrators: When enabled, all users with admin access will complete multi-factor authentication (via email code) upon login. Toggle this on or off to control whether MFA is required for admins.

  • Require MFA for non-administrators: When enabled, all non-admin users (learners, creators, assessors) will complete multi-factor authentication (via email code) upon login. Toggle this on or off to control whether MFA is required for non-admin users.

Note: MFA uses an email-based code. When a user logs in, they will receive an email containing a code they must enter to complete the login process. You can enable MFA for admins only, non-admins only, or both.

Authentication

These controls manage how users authenticate into your portal, including Single Sign-On (SSO) configuration.

  • Enable SAML Single-Sign-On (SSO): When enabled, this feature allows users to log in via your SSO platform (e.g. Microsoft Entra, OneLogin, Okta). Toggle this on to activate SSO for your portal. Once enabled, click Manage to access your SSO settings and complete your SSO configuration.

  • Enable auto-redirect for SSO login: When enabled, users accessing your portal will be automatically sent to your SSO login page if not already logged in. This is best used when all or the majority of your users are using SSO.

  • Prevent auto-provision of new users via SSO login: When enabled, new users will not be automatically created on their first SSO login if they do not already exist in your portal. Enabling this option provides tighter control over user creation.

  • Notify SSO users if local password login occurs: When enabled, if an SSO user logs in with local Tribal Habits credentials, an email alert will be sent to them. This is useful as it may indicate their local account credentials have been compromised.

Note: For full instructions on setting up SSO for your specific platform, refer to our SSO setup guides.

Brand

These controls can enhance your security by enforcing organisation brand standards.

  • Activate Custom URL Domain: Displays whether a custom URL domain has been configured for your portal. This feature is available on Active 50 plans and above and is set up by Tribal Habits upon request. Learn more about custom URL domains.

  • Activate Custom Email Domain: Displays whether a custom email domain has been configured for your portal. This feature is available on Active 50 plans and above and is set up by Tribal Habits upon request. Learn more about custom email domains.

Users

These controls assist in monitoring user access and permissions.

  • Monitor assigned Super Admins: Displays the number of activated Super Admins in your portal. Review this regularly to ensure only essential users have this level of access. Click Review to open the People report pre-filtered to show activated Super Admins.

  • Administrative audit logging: Key administrative actions are logged for security and traceability for 365 days. This control is enforced across all portals. Click Review to open the Timelines report.

  • Deactivate stale users: When enabled, users who have not logged into your portal within a set number of days will be automatically deactivated. Toggle this on to set the Duration (days) and click Save to confirm. The minimum duration is 30 days. To change the duration at any time, click Manage. To disable the feature, toggle it off. This applies to all users, including admins.

  • Review users disabled due to failed logins in last 30 days: Displays the number of users who have been disabled due to too many failed login attempts in the last 30 days. Click Review to open the Deactivated users report, pre-filtered to show users deactivated due to failed logins in the last 30 days.

Important: The Deactivate stale users setting will also deactivate admins who have not logged in within the configured time period. Make sure the number of days you set is appropriate for your organisation - for example, many organisations use 365–548 days (12–18 months) to account for users who may only log in infrequently.
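To check a proposed duration before turning on Deactivate stale users, you can preview who it would affect. The script below is an added example, not Tribal Habits code: the CSV column names, role labels and sample rows are constructed for illustration, and it assumes a user becomes stale once their idle days exceed the duration.

```python
import csv
import io
from datetime import date

MIN_DURATION_DAYS = 30  # minimum duration stated on the Security page

# Constructed sample data. The column names and role labels are assumptions,
# not the real layout of a Tribal Habits report export.
SAMPLE_EXPORT = """email,role,last_login
alice@example.com,Super Admin,2025-05-20
bob@example.com,Super Admin,2024-01-10
carol@example.com,Learner,2025-03-01
dave@example.com,Creator,2023-11-30
erin@example.com,Learner,
"""


def preview_stale(export_text, duration_days, today):
    """Report which users a given stale-user duration would deactivate."""
    if duration_days < MIN_DURATION_DAYS:
        raise ValueError(f"duration must be at least {MIN_DURATION_DAYS} days")
    stale, never, admins_left = [], [], 0
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row["last_login"] or "").strip()
        if not raw:
            # The page does not say how never-logged-in users are treated,
            # so list them separately for manual review.
            never.append(row["email"])
            continue
        idle = (today - date.fromisoformat(raw)).days
        # Assumption: a user is stale once idle days exceed the duration.
        if idle > duration_days:
            stale.append({"email": row["email"], "role": row["role"], "idle_days": idle})
        elif row["role"] == "Super Admin":
            admins_left += 1
    return {"stale": stale, "never_logged_in": never, "super_admins_remaining": admins_left}


if __name__ == "__main__":
    result = preview_stale(SAMPLE_EXPORT, 365, date(2025, 6, 1))
    for user in result["stale"]:
        print(f'{user["email"]:<20} {user["role"]:<12} idle {user["idle_days"]} days')
    print("never logged in:", result["never_logged_in"])
    print("Super Admins remaining:", result["super_admins_remaining"])
```

If the Super Admins remaining count is zero for your chosen duration, pick a longer duration or have an admin log in before enabling the control.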

FAQs

Can I enable MFA for admins and non-admins independently?
Yes. MFA for administrators and MFA for non-administrators are separate toggles, so you can enable either or both depending on your organisation's requirements.

What does 'Prevent auto-provision of new users via SSO login' mean?
By default, when a new user logs in via SSO for the first time, Tribal Habits will automatically create an account for them. Enabling this control prevents that behaviour, meaning only users who already exist in your portal will be able to log in via SSO.

What happens when SSO is enabled - do users still need a local password?
Users with SSO enabled will log in via your SSO platform. However, local Tribal Habits credentials may still exist for those users. If you want to be notified when an SSO user logs in with local credentials, enable the Notify SSO users if local password login occurs control.

Can I set up a custom URL or email domain myself?
No. Custom URL and email domains are configured by Tribal Habits upon request and are available on Active 50 plans and above. Click Learn More on either control for details, or contact us to get started.

What happens when I toggle on 'Deactivate stale users'?
A prompt will appear asking you to enter a duration in days. Enter your preferred number of days (minimum 30) and click Save to confirm. Users (including admins) who have not logged in within that period will be automatically deactivated.

Will the 'Deactivate stale users' setting affect admins?
Yes. The stale user deactivation rule applies to all users in your portal, including admins. Ensure the number of days you configure is suitable for all user types in your organisation.