Risk Assess user authorization and authentication functionality supports both native login (Coupa ID) and Single Sign-on (SSO) for customer (internal user) logins.
Upon initial login, users are required to select a Security Question and provide a response.
Users can reset their passwords directly from the login page using the “Forgot Password” Link.
Users can request confirmation of their user name(s) directly from the login page using the “Forgot Username” link.
Password requirements are based on settings in the Admin tab > User Management and Security section > Security Policy.
Following are details by which a user can reset their password in the application:
- Password Emails are sent immediately upon request to reset the password.
- Users can reset their password without being required to know their old password.
- The password reset email addresses the user personally and includes a link that contains the authorization code to authenticate the user on password reset.
- Once the link is used, it expires.
- By default, the link is set to expire within 24 hours of password reset email transmission. This timing is configurable in a customer’s localization file.
- If a link has expired, the message includes a link to the Forgot Password page so that the user can request a new password reset link.
- If the username entered is not a valid user name in Coupa, then the requestor sees the “Now Check your email” page but does not receive a password reset email.
- If the user exceeds the number of attempts when responding to their security question, their account is locked.
- Customer-specific password requirements will be supported; when configured, the message will display the customer-specific rules. Otherwise, the default Risk Assess rules will display, including those pertaining to password strength, as defined in company information and settings.
- An email is sent to the user following a successful password reset. This email includes a link that directs them to the login page.
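The reset-link behaviour listed above (a link that works once, a default 24-hour expiry, an email addressed to the user, and the same "check your email" page whether or not the username exists) as an added illustrative example; this is not Coupa's code, and the class name, the hashed in-memory token store, the `example.invalid` URL and the outbox list are all assumptions made for the example.

```python
import hashlib
import secrets
import time

# Default link lifetime, matching the 24-hour default described on this page.
RESET_LINK_TTL_SECONDS = 24 * 60 * 60


class PasswordResetService:
    """Assumed design: single-use, time-limited reset codes with a uniform response."""

    def __init__(self, users, now=time.time):
        self.users = users      # constructed directory: username -> email address
        self.now = now          # injectable clock so expiry can be exercised in tests
        self._tokens = {}       # sha256(code) -> (username, issued_at); only a hash is stored
        self.outbox = []        # constructed stand-in for the outgoing mail queue

    def request_reset(self, username):
        """Return the same page text for every request, so an unknown username leaks nothing."""
        email = self.users.get(username)
        if email is not None:
            code = secrets.token_urlsafe(32)
            digest = hashlib.sha256(code.encode()).hexdigest()
            self._tokens[digest] = (username, self.now())
            # Email addresses the user personally and carries the authorization code.
            body = f"Hello {username}, reset your password here: https://example.invalid/reset?code={code}"
            self.outbox.append((email, body))
        return "Now check your email"

    def redeem(self, code):
        """Return the username for a valid code, or None if it is unknown, already used or expired."""
        digest = hashlib.sha256(code.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)   # pop: the link expires as soon as it is used
        if entry is None:
            return None
        username, issued_at = entry
        if self.now() - issued_at > RESET_LINK_TTL_SECONDS:
            return None   # expired; the caller would offer a fresh Forgot Password link here
        return username
```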
Following are details by which a user can recover their username in the application:
- Username Recovery emails are sent immediately upon request.
- If the email provided is associated with multiple user accounts, then the user receives an email with a list of all accounts associated with the email provided. The user selects the link for the account they wish to log into.
- Different email formats are supported for Internal and External Users. The table in the Username Recovery email is populated with links for all matching accounts. Internal Users see the Customer Name; External Users are provided with the Customer Name and Supplier Name (External Reference) to help them pick the appropriate account when there are several.
- Links in the emails are deep links (beyond the home page in a webpage hierarchy) and honor the Security Policy setting to pre-populate the user name when the login page is displayed.
- If the customer requires an SSO login, then “Please login using SSO” is displayed instead of the Login ID.
- The support link directs the user to the customer configured support contact.
- The email body will indicate which customers, supplier companies and external references are associated with the user’s login accounts for the email address provided.
- If the user has also forgotten their password, then they will complete the Forgot Password process after they recover their username.
There are four different types of recovery emails sent by the application if the user submits a request to recover their username:
- Internal User
- External User with Single Login
- External User with Multiple Logins
- Internal User with Supplier User Logins