Celonis Product Documentation

Team Settings Release Notes

Fixes for the Task Mining Service:

  • Fixed issue: Selecting only URLs without applications to capture data in the Client Settings led to an invalid Task Mining Client configuration.

  • Fixed issue: Creating a 'blank project' with 'Connect to existing data pool' failed due to a missing target table.

  • Added diagnostic logging capabilities throughout the Task Mining service.

You can now receive 2FA codes on your cellphone.

Today we are expanding our 2FA capability to secure access to your team even more.

Previously, you could only receive 2FA codes via email - now you can choose between the two channels.

  1. Go to your User Profile.

  2. In the section for 2FA, pick SMS and enter your phone number.

  3. Confirm.

The SMS channel is not available in these countries:

Belarus, China, Egypt, India, Jordan, Kuwait, Philippines, Qatar, Saudi Arabia, Thailand, United Arab Emirates, Vietnam, Russia

Given the increased importance of information security under the current circumstances, we have chosen to turn on two-factor authentication on all productive teams (i.e. those that are being paid for) by May 12.

After this change, the login flow will look like this on teams where SSO is not used:

SSO authentication flows are not impacted by this improvement, since the security model is different here.

If you do not agree with this change, and would prefer not to use 2FA, you can always turn it off via Admin and Settings.

With 2FA, we hope to prevent the successful transfer of credentials from one leak (e.g. the recent Zoom incidents) to another service.

Why are we turning it into opt-out?

2FA helps to prevent the successful transfer of credentials leaked in another service. For example, if a user uses the same credentials for their Slack account and their EMS account, and the Slack Account gets compromised, a login to the EMS will be prevented by 2FA as long as the email inbox is safe.

Will this affect your team?

No, if you are using SSO or already have 2FA turned on.

Yes, if you do not use SSO and do not have 2FA turned on yet.

Does the code need to be entered every time?

Yes, that is the intention of 2FA.

Is the code only delivered to the email inbox?

Yes, there is no alternative medium like SMS for 2FA yet.

I don't agree with this change, I want to log in to my team like usual!

You can always modify the 2FA settings yourself via Admin and Settings.

It's a simple flip of a switch, you can see it in the beginning of this video:

How can I use 2FA with SSO?

Please check internally with your Identity Provider, 2FA can often be configured there.

You can now choose between two providers for the SAML certificate:

  • Self-signed certificates are not signed by any authority and valid for 2+ years.

  • Let's Encrypt certificates are signed by an authority and valid for three months.

So that you always have a valid certificate, we've added an option for auto-renewal.

With this option, certificates will be renewed on the last Saturday morning before expiry.

Administrators will be notified by email at least a week in advance.

Warning

Without an update of the SP metadata on the IdP, certificate regeneration can cause you to get locked out of the team.

Make sure you have one of these set up before the certificate gets updated:

  1. SP metadata updates inside the IdP via the SP metadata URL are working.

  2. The SSO bypass via /ui/login is enabled for the duration of the maintenance.
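The lock-out risk above is easy to check for ahead of time: compare the signing certificate the EMS currently publishes in its SP metadata with the copy your IdP holds, and work out when the "last Saturday before expiry" renewal will run. The script below is an added example written for this page, not Celonis code or any part of the EMS; it assumes the standard SAML 2.0 metadata namespaces, takes the expiry date as an input (the UI shows it, so no X.509 parsing is needed), and uses constructed placeholder byte strings in place of real certificates, because only their fingerprints matter for the comparison.

```python
import base64
import datetime as dt
import hashlib
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata / XML-DSig namespaces (not Celonis-specific).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_cert_fingerprints(metadata_xml: str) -> set:
    """SHA-256 fingerprints of every signing certificate in an SP metadata document.

    A KeyDescriptor without a 'use' attribute is valid for signing and
    encryption alike, so it is included too.
    """
    root = ET.fromstring(metadata_xml)
    fingerprints = set()
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.add(hashlib.sha256(der).hexdigest())
    return fingerprints


def scheduled_renewal_date(expiry: dt.date) -> dt.date:
    """Last Saturday strictly before the certificate's expiry date."""
    days_back = (expiry.weekday() - 5) % 7  # Monday=0 ... Saturday=5
    return expiry - dt.timedelta(days=days_back or 7)


def idp_has_current_sp_cert(sp_metadata_xml: str, idp_copy_xml: str) -> bool:
    """True if every signing certificate the SP publishes is already known to the IdP."""
    return signing_cert_fingerprints(sp_metadata_xml) <= signing_cert_fingerprints(idp_copy_xml)


def _metadata_with_cert(cert_der: bytes) -> str:
    # Constructed minimal SP metadata. The "certificate" is a placeholder byte
    # string, not a real X.509 certificate; only its hash is used here.
    b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed sample: the SP has already rotated to a new certificate, the IdP still holds the old one.
SP_METADATA_NOW = _metadata_with_cert(b"CONSTRUCTED-SP-CERT-2-NOT-A-REAL-X509")
IDP_STORED_COPY = _metadata_with_cert(b"CONSTRUCTED-SP-CERT-1-NOT-A-REAL-X509")


def drift_report(sp_xml: str, idp_xml: str, expiry: dt.date, today: dt.date) -> dict:
    """Summarise whether the IdP is in sync and how many days remain until auto-renewal."""
    renewal = scheduled_renewal_date(expiry)
    return {
        "idp_in_sync": idp_has_current_sp_cert(sp_xml, idp_xml),
        "renewal_date": renewal.isoformat(),
        "days_until_renewal": (renewal - today).days,
    }


if __name__ == "__main__":
    report = drift_report(SP_METADATA_NOW, IDP_STORED_COPY,
                          expiry=dt.date(2021, 3, 15), today=dt.date(2021, 3, 1))
    print(report)
    if not report["idp_in_sync"]:
        print("IdP does not hold the current SP signing certificate: refresh SP metadata before the renewal date.")
```

In practice the two XML documents would be fetched from the EMS SP metadata URL and exported from the IdP; if `idp_in_sync` is false on the week of the renewal date, refresh the metadata or enable the /ui/login bypass before the Saturday run.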

Supply the EMS's SP metadata via a public metadata URL to your identity provider.

By checking the relevant box, you are shown a public, secret link that you can use within your identity provider.

This reduces maintenance efforts when the EMS team certificates that are used to sign authorization requests are changed.

With today's release, Team Administrators can turn on and off the /ui/login route for the team:

To turn it on, simply check a checkbox on the SAML or OIDC provider:

When on, any team member who has a password can log in to the team without having to be listed on the identity provider. When off, these members can't log in.

When a listing in the Identity Provider would take too long, this setting can come in handy to temporarily grant access to e.g. implementation partners.

This results in added security for teams and their data, but also leaves flexibility for e.g. implementation projects.

A 2FA token will now be requested:

  • When logging in from a new device/browser.

  • If the last login is more than 24 hours ago.

  • If the login is from a new IP address.

This update will improve the usability of our 2FA functionality and help increase security through 2FA adoption.

We will continue to work on further improving the 2FA feature both in regards to usability and supported features.
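The three conditions above form a small step-up policy. As an added example (written for this page, not Celonis code; the EMS's real implementation and its device identifier are not described here), the following evaluates that policy over a constructed login history and reports, per login, why a code was requested. It assumes a stable per-browser device identifier such as a cookie, and that each login in the sample succeeded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

REPROMPT_AFTER = timedelta(hours=24)


@dataclass
class LoginEvent:
    user: str
    device_id: str   # assumed stable browser/device identifier (e.g. a cookie)
    ip: str
    at: datetime


@dataclass
class UserAuthState:
    known_devices: Set[str] = field(default_factory=set)
    known_ips: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None


def second_factor_reasons(state: UserAuthState, ev: LoginEvent) -> List[str]:
    """Return the reasons a 2FA code must be requested (empty list: no prompt)."""
    reasons = []
    if ev.device_id not in state.known_devices:
        reasons.append("new device/browser")
    if state.last_login is None or ev.at - state.last_login > REPROMPT_AFTER:
        reasons.append("last login more than 24 hours ago")
    if ev.ip not in state.known_ips:
        reasons.append("new IP address")
    return reasons


def record_successful_login(state: UserAuthState, ev: LoginEvent) -> None:
    state.known_devices.add(ev.device_id)
    state.known_ips.add(ev.ip)
    state.last_login = ev.at


def replay(events: List[LoginEvent]) -> List[Tuple[str, List[str]]]:
    """Replay a login history per user; every login is assumed to succeed."""
    states: Dict[str, UserAuthState] = {}
    out = []
    for ev in events:
        st = states.setdefault(ev.user, UserAuthState())
        reasons = second_factor_reasons(st, ev)
        record_successful_login(st, ev)
        out.append((ev.at.isoformat(), reasons))
    return out


# Constructed sample history for one user (documentation IP ranges, not real addresses).
SAMPLE_EVENTS = [
    LoginEvent("alice", "browser-1", "203.0.113.10", datetime(2021, 6, 1, 9, 0)),   # first ever login
    LoginEvent("alice", "browser-1", "203.0.113.10", datetime(2021, 6, 1, 17, 0)),  # same day, same setup
    LoginEvent("alice", "browser-1", "203.0.113.10", datetime(2021, 6, 2, 18, 0)),  # 25 h after the last login
    LoginEvent("alice", "browser-1", "198.51.100.7", datetime(2021, 6, 2, 18, 30)), # new IP only
    LoginEvent("alice", "browser-2", "198.51.100.7", datetime(2021, 6, 2, 19, 0)),  # new browser only
]


if __name__ == "__main__":
    for when, reasons in replay(SAMPLE_EVENTS):
        print(when, "2FA prompted:" if reasons else "no prompt", ", ".join(reasons))
```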

This release includes two features: users can delete their own accounts, and a regular mechanism cleans up stale, unused accounts.

  1. Users can now delete their accounts in the realm they are logged into. The deletion button is located in the edit profile section.

  2. User accounts that are not a member of any team and have had no login activity for six months or more will be deleted on a daily basis; affected users will receive an email notifying them of the deletion.

Synchronizing users and groups continuously on a large scale...

Previously, this had to be done via the LDAP Sync Tool, which was challenging to configure and required on-premise infrastructure.

You can now use the new SAML JIT feature to onboard large numbers of members into your team more easily by making a small tweak to your SSO SAML setup.

Your SSO users authenticate against your Identity Provider (IdP). Upon every login request, the IdP sends information inside a so-called claim back to the EMS.

This claim contains information that makes the user identifiable inside the EMS.

Now comes the catch: Most IdPs implement some concept of grouping users together.

If you extend the claim with the information needed to create user accounts (e.g. first and last name) and provide the groups the user is a member of, SAML JIT gives you:

  1. Automatic user account creation upon first login.

  2. Automatic creation of groups and user assignment.

  3. Continuous group membership updates upon every login.

Can everyone log in now? No, you can also configure this via your identity provider.

Note that users can't be removed via SAML JIT: if they are removed from the IdP, they will remain inside the EMS.

To account for this, we've introduced the User locking policy which lets you find stale users and lock and remove their memberships.
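To make the three JIT behaviours and the removal caveat concrete, here is an added example (written for this page; it is not Celonis code and does not describe the EMS's internals). It applies constructed SAML claims to a toy team: the first login creates the account, missing groups are created on demand, membership is replaced on every login so group removals propagate, and a separate locking pass handles users the IdP has dropped but JIT can never remove. The claim attribute names (`email`, `firstName`, `lastName`, `groups`) and the 90-day inactivity window are assumptions; the real attribute mapping is whatever you configure in your SSO setup.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    groups: Set[str] = field(default_factory=set)
    last_login: Optional[datetime] = None
    locked: bool = False


@dataclass
class Team:
    users: Dict[str, User] = field(default_factory=dict)
    groups: Set[str] = field(default_factory=set)

    def jit_login(self, claim: dict, now: datetime) -> User:
        """Apply one SAML claim: create the user if needed, create missing groups, sync membership.

        Attribute names are assumptions for this example, not fixed EMS names.
        """
        email = claim["email"]
        user = self.users.get(email)
        if user is None:  # 1. automatic account creation upon first login
            user = User(email, claim["firstName"], claim["lastName"])
            self.users[email] = user
        wanted = set(claim.get("groups", []))
        self.groups |= wanted   # 2. groups are created on demand
        user.groups = wanted    # 3. membership is replaced on every login, so IdP-side removals apply
        user.last_login = now
        return user

    def apply_locking_policy(self, now: datetime, inactive_for: timedelta = timedelta(days=90)) -> List[str]:
        """Lock users with no login inside the window and strip their memberships.

        JIT never deletes users, so this pass is how an IdP-side removal is eventually reflected.
        The 90-day default is an assumed value for the example.
        """
        locked = []
        for u in self.users.values():
            if not u.locked and (u.last_login is None or now - u.last_login > inactive_for):
                u.locked = True
                u.groups.clear()
                locked.append(u.email)
        return sorted(locked)


def run_sample() -> dict:
    """Constructed scenario: two users onboard, one loses a group, the other is removed from the IdP."""
    team = Team()
    day0 = datetime(2021, 1, 1, 8, 0)
    team.jit_login({"email": "alice@example.invalid", "firstName": "Alice", "lastName": "Adams",
                    "groups": ["analysts", "admins"]}, day0)
    team.jit_login({"email": "bob@example.invalid", "firstName": "Bob", "lastName": "Brown",
                    "groups": ["analysts"]}, day0)
    # Day 30: Alice is no longer in 'admins' at the IdP; Bob was deleted there and never logs in again.
    team.jit_login({"email": "alice@example.invalid", "firstName": "Alice", "lastName": "Adams",
                    "groups": ["analysts"]}, day0 + timedelta(days=30))
    # Day 100: the locking policy catches Bob (100 days idle); Alice (70 days) is left alone.
    locked = team.apply_locking_policy(day0 + timedelta(days=100))
    return {
        "team_groups": sorted(team.groups),
        "alice_groups": sorted(team.users["alice@example.invalid"].groups),
        "bob_groups": sorted(team.users["bob@example.invalid"].groups),
        "bob_still_present": "bob@example.invalid" in team.users,
        "locked": locked,
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Note that Bob's account is still present after the locking pass; locking strips access, while actual removal of the account stays a separate administrative step.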

You can read all about the comparison of the LDAP Sync and SAML JIT here.

For further information on each approach, see:

Note

We're trying to develop SAML JIT into the preferred alternative to the LDAP Sync. Please get in touch if you have any suggestions!

24.02.2021

Over the past months we have had questions from customers as to why they are forced to add members before being able to create a Group within Admin and Settings. This issue causes administration burden for our customers when setting up their teams.

Use case: As an Admin I want to be able to set up my team structure, specifically groups without being forced to add members that are only added for the purpose of group creation and later removed.

It is now possible to create Groups with zero members as shown below.