Managing authentication methods by user account type
As of version 11.2.0, Catalyst introduces support for configuring and enforcing authentication methods per user account type via API. This allows administrators to define whether a given user group is allowed to authenticate using passwords, Single Sign-On (SSO), or both.
This feature is especially useful in security-conscious environments where access rules need to be explicitly enforced, for example, allowing only SSO for external users while retaining password-based login for internal teams.
Configuration via API
Authorised users (those with the standard_authentication.edit permission) can define which authentication method is permitted for each account type by calling:
PATCH /api/security/ with the following payload schema:
{
  "authentication_method": {
    "external": "sso|password|any",
    "internal": "sso|password|any",
    "full": "sso|password|any",
    "super_admin": "sso|password|any"
  }
}
Accepted keys (user account types)
- external – External users (e.g., clients, partners)
- internal – Internal staff accounts (if used)
- full – Config Admin users
- super_admin – Accounts with full platform access
Only the keys provided in the payload are updated. Omitted user types retain their existing settings.
Accepted values (authentication methods)
- any – Both password login and SSO are permitted
- password – Only username + password login is permitted
- sso – Only SSO login (e.g., Okta) is permitted
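The following client-side helper is an added example, not Catalyst's own code or client library. It builds a PATCH body in the schema above, validates the keys and values against the accepted vocabulary, applies the documented merge semantics (only the account types you send are changed) against a configuration read back from GET /api/security/, and refuses to make an account type SSO-only unless you confirm that SSO is configured and tested. The Bearer-token header, the base URL and the shape of the GET response are assumptions.

```python
"""Plan, validate and apply a per-account-type authentication policy (added example)."""
import json
import urllib.request

# Vocabulary taken from the page: the four account-type keys and three method values.
ACCOUNT_TYPES = ("external", "internal", "full", "super_admin")
METHODS = ("sso", "password", "any")

SECURITY_PATH = "/api/security/"


def validate_policy(policy: dict) -> list:
    """Return the problems with an authentication_method mapping; an empty list means valid."""
    problems = []
    for account_type, method in policy.items():
        if account_type not in ACCOUNT_TYPES:
            problems.append(f"unknown account type: {account_type!r}")
        elif method not in METHODS:
            problems.append(f"{account_type}: unknown method {method!r}")
    return problems


def plan_change(current: dict, desired: dict) -> dict:
    """PATCH merge semantics: only the keys sent are updated, omitted types keep their setting.
    Returns {account_type: (before, after)} for the types whose value would actually change."""
    return {
        account_type: (current.get(account_type), after)
        for account_type, after in desired.items()
        if current.get(account_type) != after
    }


def sso_lockout_risk(changes: dict, sso_configured: bool) -> list:
    """Account types about to become SSO-only while SSO is not configured and tested.
    Applying such a change would lock those users out (the page's 'Important' note)."""
    if sso_configured:
        return []
    return [t for t, (_, after) in changes.items() if after == "sso"]


def build_patch_body(desired: dict) -> bytes:
    """Serialise the PATCH body in the documented schema, refusing invalid input."""
    problems = validate_policy(desired)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"authentication_method": desired}).encode()


def _call(method: str, base_url: str, token: str, body: bytes = None) -> dict:
    # Bearer-token authentication is an assumption; substitute the scheme your deployment uses.
    request = urllib.request.Request(base_url + SECURITY_PATH, data=body, method=method)
    request.add_header("Authorization", f"Bearer {token}")
    request.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def apply_policy(base_url: str, token: str, desired: dict, sso_configured: bool) -> dict:
    """Read the live configuration (GET), compute the effective change, refuse an SSO lockout,
    and PATCH only if something would actually change."""
    # Assumption: the GET response carries the same "authentication_method" object as the PATCH body.
    current = _call("GET", base_url, token).get("authentication_method", {})
    changes = plan_change(current, desired)
    at_risk = sso_lockout_risk(changes, sso_configured)
    if at_risk:
        raise RuntimeError(f"refusing to make {at_risk} SSO-only: SSO is not configured and tested")
    if not changes:
        return current
    return _call("PATCH", base_url, token, build_patch_body(desired))


if __name__ == "__main__":
    # Constructed example: external users SSO-only, admins password-only, internal staff unchanged.
    desired = {"external": "sso", "full": "password", "super_admin": "password"}
    current = {"external": "any", "internal": "any", "full": "password", "super_admin": "any"}
    print(plan_change(current, desired))
    # apply_policy("https://catalyst.example.invalid", "<token>", desired, sso_configured=True)
```

Reading the configuration back first is what makes the dry run meaningful: because omitted keys keep their current value, the effective change is the diff between the live object and the keys you send, and that diff is where the SSO lockout check belongs.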
To view the current configuration, users with the standard_authentication.view permission can call:
GET /api/security/
Authentication enforcement logic
Authentication enforcement
Catalyst enforces your authentication rules immediately upon login attempts and during password reset processes. Users attempting to access the platform through unauthorised methods receive clear feedback:
"detail": "This user account is not allowed to log in using login and password."
"detail": "This user account is not allowed to log in using Single Sign-On."
This prevents users from bypassing login restrictions through external identity providers when their access is meant to be limited to password authentication only, such as in the case of Super admin or Config admin users in regulated environments.
Password reset enforcement
The enforcement rules also extend to all password reset actions, including:
- Sending a password reset email
- Setting a new password with a token
- Accessing the reset password form via tokenised links
This comprehensive approach prevents SSO-only users from circumventing authentication policies through password recovery channels, maintaining the integrity of your security framework.
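The decision logic described in the two enforcement sections above, as an added example that simulates it rather than Catalyst's own implementation: every password-reset action is gated by the same rule as a password login, so an SSO-only account is refused at the reset email, the token and the reset form alike, while a password-only account is refused at SSO. The "detail" messages are the ones quoted on this page; the flow names, the sample policy and the sample attempts are constructed for the example.

```python
"""Replay login and password-reset attempts against an authentication policy (added example)."""

# Exact messages quoted on this page for a denied attempt.
PASSWORD_DENIED = "This user account is not allowed to log in using login and password."
SSO_DENIED = "This user account is not allowed to log in using Single Sign-On."

# Every password-reset action is gated the same way as a password login,
# so an SSO-only user cannot regain a password through the recovery channel.
PASSWORD_FLOWS = frozenset({"password_login", "reset_email", "reset_with_token", "reset_form"})
SSO_FLOWS = frozenset({"sso_login"})


def check_authentication(policy: dict, account_type: str, flow: str) -> tuple:
    """Decide whether `flow` is permitted for `account_type` under `policy`.
    Returns (allowed, detail); detail carries the error message when allowed is False."""
    method = policy[account_type]  # 'sso' | 'password' | 'any'
    if flow in PASSWORD_FLOWS:
        return (False, PASSWORD_DENIED) if method == "sso" else (True, None)
    if flow in SSO_FLOWS:
        return (False, SSO_DENIED) if method == "password" else (True, None)
    raise ValueError(f"unknown flow: {flow!r}")


def denied_attempts(policy: dict, attempts: list) -> list:
    """Replay (account_type, flow) pairs and return the ones the policy rejects."""
    denied = []
    for account_type, flow in attempts:
        allowed, detail = check_authentication(policy, account_type, flow)
        if not allowed:
            denied.append((account_type, flow, detail))
    return denied


# Constructed policy: external users SSO-only, admins password-only, internal staff free to choose.
SAMPLE_POLICY = {"external": "sso", "internal": "any", "full": "password", "super_admin": "password"}

# Constructed attempts, including the reset flows an SSO-only user might try.
SAMPLE_ATTEMPTS = [
    ("external", "password_login"),
    ("external", "reset_with_token"),
    ("external", "sso_login"),
    ("internal", "password_login"),
    ("super_admin", "sso_login"),
    ("full", "reset_form"),
]

if __name__ == "__main__":
    for account_type, flow, detail in denied_attempts(SAMPLE_POLICY, SAMPLE_ATTEMPTS):
        print(f"{account_type:<12} {flow:<18} denied: {detail}")
```

Running a table of attempts like this against a proposed policy before you PATCH it is a cheap way to confirm that the recovery paths are closed for SSO-only types and that no administrator type ends up with its only working method disabled.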
Important: Before setting any authentication method to "sso", ensure that Single Sign-On is properly configured and tested. Setting SSO as the only authentication method without proper configuration will lock users out of the system.
Administrators now have granular control over authentication pathways, enabling security policies that match the specific access requirements of different user groups within your organisation.