UniFed - Conditional Access


Step 1:

  • Log in to the UniFed portal.
  • From the main dashboard, navigate to the "Tenant" section in the left sidebar.
  • Click on "Tenant List," then select the Tenant for which you want to enable Conditional Access and open the Conditional Access module for that Tenant.

Conditional Access is disabled by default; enable it with the toggle button. Once it is enabled, the options below can be applied as required and combined with "and" / "or" conditions, as follows.


Step 2:

Enable IP Restriction (If required)

When IP-based conditional access is activated, administrators can enhance security by adding specific IP addresses to a whitelist. This configuration restricts users, allowing them to log in exclusively from the pre-approved, whitelisted IP addresses. As a result, access is limited to trusted locations, providing an additional security layer by preventing unauthorized access from unrecognized IPs.

  • Enable the toggle button
  • Enter the IP addresses to be whitelisted
  • Select the users who are to be exempted from this condition
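As an added illustration (not UniFed product code), the following Python shows how an IP-restriction rule of this shape is evaluated: every login is allowed only from a whitelisted address or CIDR block, except for users on the exemption list. The rule layout, the function names and the sample addresses are assumptions made for this example; the point to note is that an unparseable client address or a malformed whitelist entry fails closed rather than widening access.

```python
"""Added example: evaluating an IP whitelist with exempted users.
Rule structure, names and sample addresses are assumptions, not UniFed's own."""
import ipaddress


def parse_whitelist(entries):
    """Parse whitelist entries (single IPs or CIDR blocks).

    A malformed entry raises instead of being skipped, so a typo in the
    configuration can never silently widen the allowed set.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid whitelist entry {entry!r}") from exc
    return networks


def ip_access_allowed(username, client_ip, rule):
    """Return (allowed, reason) for one login attempt.

    rule = {"enabled": bool, "whitelist": [ip or cidr, ...], "exempt_users": {...}}
    """
    if not rule["enabled"]:
        return True, "ip restriction disabled"
    if username in rule["exempt_users"]:
        # Exempted users bypass this condition only; other conditions still apply.
        return True, "user exempted from ip restriction"
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # A client address we cannot parse is treated as untrusted (fail closed).
        return False, "unparseable client ip"
    for net in parse_whitelist(rule["whitelist"]):
        if addr in net:
            return True, f"ip in whitelisted range {net}"
    return False, "ip not whitelisted"


# Constructed sample rule: one office block (RFC 5737 documentation range)
# plus a single VPN exit address, with one break-glass account exempted.
SAMPLE_RULE = {
    "enabled": True,
    "whitelist": ["203.0.113.0/24", "198.51.100.7"],
    "exempt_users": {"break-glass-admin"},
}

if __name__ == "__main__":
    for user, ip in [("alice", "203.0.113.42"), ("bob", "192.0.2.9"),
                     ("break-glass-admin", "192.0.2.9"), ("carol", "not-an-ip")]:
        print(user, ip, ip_access_allowed(user, ip, SAMPLE_RULE))
```

Because exempted users skip the IP check entirely, that list deserves the same review as the whitelist itself: an exemption is effectively a standing bypass of this condition for that account.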

Step 3:

Enable Location Restriction (if required) - this must first be enabled within the Tenant settings

Enabling location-based conditional access allows administrators to specify and whitelist certain geographic locations through a map or dropdown options. This setup restricts user login access to only those pre-approved locations, adding a targeted layer of security by ensuring that logins occur exclusively from trusted regions.

  • Enable the Location check box; a map is displayed
  • Click on the map to update the location details
  • Allow Auth from locations
    • Select the country and then the state from the dropdowns.

Step 4:

reCAPTCHA enforcement (if required)

Enabling reCAPTCHA introduces an additional verification step whenever a potential security threat is detected during login attempts. This helps to block suspicious activity, adding an extra layer of defense against unauthorized access.


Step 5:

Brute Force Enforcement

Account Lock Period: The Account Lock Period feature temporarily blocks an account after a set number of failed login attempts. Once the lock period expires, the account is automatically unblocked, allowing the user to attempt logging in again. This measure helps to prevent unauthorized access by limiting repeated login attempts.

Login Threshold - Maximum Success Attempts controls the number of successful logins allowed per user within a day. This can be set to a fixed number or to "Indefinite" for unlimited access.

  • Exceeding the Threshold: When users surpass the set limit, their accounts will be temporarily blocked, requiring admin intervention to reactivate.
  • Automatic Unblock: Accounts will automatically unblock after the designated Account Lock Period ends.
  • Notifications: If notifications are enabled, users will receive an email notifying them of the account block due to reaching the daily login limit.



Login Threshold - Maximum Failure Attempts defines the number of failed login attempts allowed before an account is locked. This threshold can be set to a specific number or "Indefinite" for unlimited attempts.

  • Failure Scenarios: Account locking is triggered by various failures, including expired links, MFA verification issues, logins from unrecognized IPs, invalid OTPs, and similar security checks.
  • Notifications: If enabled, users receive an email notification upon account lockout due to failed login attempts, keeping them informed of the security status of their account.

Login/Signup API Calls Threshold limits the maximum number of API requests allowed per IP address (covering multiple users) within a specified time window, as defined by configured throttling hours.

  • Customizable Notifications and Lock Behavior: When the threshold is reached, the notification and lock settings can be customized to alert users or administrators.
  • Automatic Unblock: Once the designated lock period expires, access is automatically restored, unblocking the IP for further API calls.
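The three Step 5 controls above (Account Lock Period, the two Login Thresholds, and the per-IP API call throttle) can be read as one policy. The Python below is an added example that models that policy end to end; it is not UniFed's implementation, and the class, parameter names, default values and the injectable clock are assumptions for illustration. It shows the failure counter locking the account, a correct password still being refused while the lock is active, the automatic unblock after the lock period, the daily success limit, and the per-IP throttle that applies across users. Where the page describes an "Indefinite" setting, `None` is used.

```python
"""Added example: a model of account lockout, daily login limits and
per-IP API throttling.  Names, defaults and behaviour details are assumptions."""
import time
from collections import defaultdict, deque

INDEFINITE = None  # the "Indefinite" setting: no limit


class BruteForcePolicy:
    def __init__(self, max_failures=5, max_successes=INDEFINITE, lock_period=900,
                 api_calls_per_ip=100, throttle_window=3600, clock=time.time):
        self.max_failures = max_failures        # Maximum Failure Attempts
        self.max_successes = max_successes      # Maximum Success Attempts (per day)
        self.lock_period = lock_period          # Account Lock Period, seconds
        self.api_calls_per_ip = api_calls_per_ip  # Login/Signup API Calls Threshold
        self.throttle_window = throttle_window  # throttling window, seconds
        self.clock = clock                      # injectable for testing
        self.failures = defaultdict(int)        # user -> consecutive failures
        self.successes = defaultdict(int)       # (user, day) -> successful logins
        self.locked_until = {}                  # user -> unlock timestamp
        self.ip_calls = defaultdict(deque)      # ip -> timestamps within window
        self.ip_locked_until = {}               # ip -> unlock timestamp

    def is_locked(self, user):
        """True while the lock period is running; expiry unblocks automatically."""
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_api_call(self, ip):
        """Sliding-window throttle per source IP, covering all users behind it."""
        now = self.clock()
        until = self.ip_locked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self.ip_locked_until[ip]      # lock expired: restore access
            self.ip_calls[ip].clear()
        window = self.ip_calls[ip]
        while window and window[0] <= now - self.throttle_window:
            window.popleft()
        window.append(now)
        if self.api_calls_per_ip is not INDEFINITE and len(window) > self.api_calls_per_ip:
            self.ip_locked_until[ip] = now + self.lock_period
            return False
        return True

    def attempt(self, user, ip, credentials_ok):
        """Evaluate one login attempt; returns (allowed, reason)."""
        if not self.record_api_call(ip):
            return False, "ip throttled"
        if self.is_locked(user):
            # A correct password does not shorten an active lock.
            return False, "account locked"
        if not credentials_ok:
            self.failures[user] += 1
            if self.max_failures is not INDEFINITE and self.failures[user] >= self.max_failures:
                self.locked_until[user] = self.clock() + self.lock_period
                return False, "account locked: failure threshold reached"
            return False, "invalid credentials"
        self.failures[user] = 0
        day = int(self.clock() // 86400)
        self.successes[(user, day)] += 1
        if self.max_successes is not INDEFINITE and self.successes[(user, day)] > self.max_successes:
            self.locked_until[user] = self.clock() + self.lock_period
            return False, "account locked: daily success threshold exceeded"
        return True, "login ok"


if __name__ == "__main__":
    # Constructed walkthrough with a fake clock so the lock expiry is visible.
    now = [1000.0]
    policy = BruteForcePolicy(max_failures=3, lock_period=600, clock=lambda: now[0])
    for ok in (False, False, False, True):
        print(policy.attempt("alice", "203.0.113.5", ok))
    now[0] += 601
    print("after lock period:", policy.attempt("alice", "203.0.113.5", True))
```

Two details are worth keeping in mind when tuning these values: the failure counter resets only on a successful login or when a lock expires, and the IP throttle is evaluated before the account state, so a busy shared egress address (NAT, VPN) can block legitimate users if the threshold is set too low for that address.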

Step 6:

Enable Device Check

Device Limits enforce login restrictions based on the number of allowed devices per user. If the device limit is exceeded, login attempts from unfamiliar devices are blocked and an error message is shown. This limit applies collectively to sessions across both the Infisign Agent and web browsers, ensuring secure and controlled access by restricting login to a set number of trusted devices.

Device Whitelisting: Whitelisted device IDs allow additional login access.

User Registration Toggle controls whether users can register new devices through the Infisign Agent:

  • Disabled: Users attempting to register a device will encounter an “Unfamiliar Device ID” error, preventing new device registrations.
  • Enabled: Users are permitted to register devices through the Infisign Agent, enhancing flexibility by allowing login from additional devices.
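The device check combines three settings: the per-user device limit, the whitelist of device IDs, and the registration toggle. The Python below is an added example, not Infisign Agent or UniFed code, that shows how one login decision falls out of those settings. The registry layout and function names are assumptions, as is the choice that whitelisted device IDs are allowed without counting toward the user's limit (the page says they "allow additional login access"); the "Unfamiliar Device ID" error string is the one the page names.

```python
"""Added example: device-limit, whitelist and registration-toggle decision.
Registry layout and names are assumptions; only the error text comes from the docs."""


def device_login_allowed(user, device_id, registry, policy):
    """Return (allowed, reason) for a login from device_id.

    registry: {user: set(registered device ids)}; the same set is used
              for Infisign Agent and browser sessions, so the limit is collective.
    policy:   {"device_limit": int, "whitelist": set(), "registration_enabled": bool}
    """
    known = registry.setdefault(user, set())
    if device_id in policy["whitelist"]:
        # Assumption: whitelisted devices are extra capacity, not counted in the limit.
        return True, "whitelisted device"
    if device_id in known:
        return True, "registered device"
    if not policy["registration_enabled"]:
        # Registration toggle disabled: unknown devices are rejected outright.
        return False, "Unfamiliar Device ID"
    if len(known) >= policy["device_limit"]:
        return False, "device limit exceeded"
    known.add(device_id)                      # register the new device
    return True, "device registered"


# Constructed sample data: alice already has one registered device, limit is 2.
SAMPLE_REGISTRY = {"alice": {"laptop-01"}}
SAMPLE_POLICY = {"device_limit": 2, "whitelist": {"kiosk-shared"}, "registration_enabled": True}

if __name__ == "__main__":
    for dev in ("laptop-01", "phone-07", "tablet-03", "kiosk-shared"):
        print(dev, device_login_allowed("alice", dev, SAMPLE_REGISTRY, SAMPLE_POLICY))
```

Because the limit is counted across channels, a user who has registered the Agent on a laptop and a browser on a phone has already consumed two devices; a lost or replaced device should be removed from the registry by an administrator rather than by raising the limit.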

This conditional access setup enhances security by allowing only authenticated users from approved devices, IP addresses, and locations to log into the system. This approach safeguards organizational data and applications, effectively protecting against unauthorized access and reinforcing trust in the access environment.


Step 7:

Conditional Access Auth lets Conditional Access function as a secondary authentication layer, complementing the primary authentication method. Administrators implement this additional step by using the Conditional Access Start API.

  • Configuration Options: Both the Redirect URL and Logout Redirect URL can be customized specifically for this secondary authentication process, ensuring a seamless and secure user experience.
