
Overview

The Authentication tab in Settings lets admins control how members authenticate into Petra. You can restrict which sign-in methods are allowed, require multi-factor authentication, configure Just-in-Time (JIT) provisioning for SSO users, and set up single sign-on (SSO) connections.
Only Admins can view and change authentication settings. These settings apply to your entire organization.

Primary Authentication Methods

Petra supports three primary authentication methods. You can enable or disable each one for your organization:
  • Email Magic Links — Passwordless login via a one-time link sent to the member’s email. This is Petra’s default sign-in method and requires no password setup.
  • Passwords — Members can set a password and log in with their email and password combination.
  • SSO — Members authenticate through your organization’s identity provider (IdP). Requires an SSO connection to be configured first (see SSO below).

Restricting Auth Methods

By default, both Email Magic Links and Passwords are enabled. You can restrict which methods members are allowed to use. To update allowed auth methods:
  1. Go to Settings → Authentication.
  2. Under Authentication Methods, toggle the methods you want to allow or disallow.
  3. Save your changes.
If you disable a method that some members currently use, those members can no longer sign in with it. Before saving, confirm that every member, including you, can still sign in with at least one enabled method; an admin who disables the only method their own account uses is locked out of the settings needed to undo the change.
If your organization uses SSO, you can disable Email Magic Links and Passwords entirely so that all members must authenticate through your identity provider. Do this only after the SSO connection has been tested and activated.

Multi-Factor Authentication (MFA)

Petra supports MFA to add a second layer of verification at sign-in. Members can enroll with an authenticator app (TOTP) or a phone number (SMS). Where members have a choice, an authenticator app is the stronger option: SMS codes can be intercepted or redirected (for example through SIM swapping).

MFA Policy

You can configure whether MFA is optional or required for your organization.
  • Optional — Members may enroll in MFA but are not required to.
  • Required — All members must set up MFA before they can access Petra. Members who have not yet enrolled will be prompted to do so on their next login.
To update the MFA policy:
  1. Go to Settings → Authentication.
  2. Under Multi-Factor Authentication, select the policy that applies to your organization.
  3. Save your changes.

Resetting Your MFA Method

If you personally need to switch authenticator apps or change your enrolled phone number, you can reset your own MFA enrollment. This only affects your account — it does not change the MFA policy for other members in your organization. After resetting, you will be signed out and prompted to enroll a new MFA method on your next login. To reset your MFA:
  1. Go to Settings → Authentication.
  2. Scroll to the Multi-Factor Authentication section at the bottom of the page.
  3. Click Reset MFA.
  4. Confirm the action in the dialog.
The Reset MFA option only appears if you currently have an MFA method enrolled. Admins cannot reset MFA on behalf of other members — each member must reset their own.

Just-in-Time (JIT) Provisioning

JIT provisioning automatically creates a Petra account for any user who signs in via SSO, even if they haven’t been explicitly invited. This is useful for organizations where team membership is managed in the identity provider rather than in Petra directly. When a member signs in through SSO for the first time, Petra will automatically create their account and assign them a default role.

Enabling JIT Provisioning

  1. Go to Settings → Authentication.
  2. Under Just-in-Time Provisioning, enable the toggle.
  3. Configure the default role that new JIT-provisioned members will be assigned.
JIT provisioning grants a Petra account, with the default role, to any user who can authenticate through your connected SSO provider. Restrict assignment of Petra's SSO application in your identity provider to the users or groups who should have access, and choose the least-privileged default role that lets new members do their work.
If you prefer to manually control who gets access to Petra, leave JIT provisioning disabled and invite members individually from Settings → Access.

Single Sign-On (SSO)

Petra supports SSO via SAML 2.0 and OIDC. Once an SSO connection is configured, members can sign in with their corporate identity provider credentials (e.g., Microsoft Entra ID, Okta, Google Workspace).

Setting Up an SSO Connection

  1. Go to Settings → Authentication.
  2. Scroll to the Single Sign-On section.
  3. Click Create SSO Connection.
  4. Choose SAML or OIDC depending on what your identity provider supports.
  5. Follow the configuration steps. You’ll need to provide your IdP’s metadata or endpoints, and register Petra’s values in your IdP: the ACS URL and Entity ID for SAML, or the Redirect URI for OIDC.

SAML Configuration

For SAML connections, you will need:
  • Your identity provider’s SSO URL (also called the SAML endpoint or sign-on URL)
  • Your identity provider’s X.509 signing certificate (the public key Petra uses to verify the signature on SAML responses and assertions)
Petra will provide:
  • An ACS (Assertion Consumer Service) URL to configure in your IdP
  • An Entity ID / Audience URI to configure in your IdP

OIDC Configuration

For OIDC connections, you will need:
  • Your identity provider’s Issuer URL (the OpenID discovery document is served from /.well-known/openid-configuration under it, and the issuer value in that document must match exactly)
  • A Client ID and Client Secret from your IdP application
Petra will provide:
  • A Redirect URI to configure in your IdP application
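Before entering an Issuer URL, it is worth confirming that the discovery document behind it is the one you expect. The following script, an added example that is not part of Petra's product or documentation, derives the discovery URL from an issuer and applies the checks a relying party should make: exact issuer match, required endpoints present and served over https, and support for the authorization code flow (the flow a confidential client with a client secret uses). The discovery document it runs on is constructed for illustration with placeholder endpoints.

```python
"""Derive and validate an OIDC discovery document for a given Issuer URL.

Added example, not Petra's code. SAMPLE_DISCOVERY is a constructed document
with placeholder endpoints; fetch the real one from the URL discovery_url()
returns.
"""
import json
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document (placeholder issuer and endpoints).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/oauth2/authorize",
    "token_endpoint": "https://login.example.com/oauth2/token",
    "jwks_uri": "https://login.example.com/oauth2/keys",
    "response_types_supported": ["code", "id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(issuer: str) -> str:
    """OpenID Connect Discovery: strip a trailing slash, append the well-known path."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be an https URL without query or fragment: {issuer!r}")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, document: str) -> dict:
    """Validate a discovery document against the configured issuer; return endpoints."""
    doc = json.loads(document)

    # The issuer claim must equal the configured issuer byte-for-byte (no
    # trailing-slash leniency). A mismatch means the document belongs to a
    # different issuer, and ID tokens would fail the `iss` check anyway.
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")

    endpoints = {}
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url or urlsplit(url).scheme != "https":
            raise ValueError(f"{key} missing or not https")
        endpoints[key] = url

    # A confidential client (one holding a client secret) uses the
    # authorization code flow, so the provider must advertise "code".
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not advertise the authorization code flow")

    # Refuse providers that would only ever issue unsigned ID tokens.
    algs = doc.get("id_token_signing_alg_values_supported", ["RS256"])
    if set(algs) == {"none"}:
        raise ValueError("provider only supports unsigned (alg=none) ID tokens")

    return endpoints


if __name__ == "__main__":
    issuer = "https://login.example.com"
    print("Fetch:", discovery_url(issuer))
    for name, url in check_discovery(issuer, SAMPLE_DISCOVERY).items():
        print(f"{name}: {url}")
```

The strict issuer comparison is deliberate: if your IdP's document says `https://login.example.com` and you enter `https://login.example.com/` in Petra, sign-in can fail even though the discovery URL resolves, so copy the issuer exactly as the document states it.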

Testing and Activating an SSO Connection

After entering your configuration, Petra will ask you to test the connection before activating it. This verifies that the IdP and Petra are communicating correctly. Once the test succeeds, activate the connection. Members can then select Sign in with SSO on the Petra login page.
You can have multiple SSO connections configured. This is useful if your organization has multiple identity providers or is migrating between them.

Requiring SSO

Once your SSO connection is active, you can enforce it by disabling Email Magic Links and Passwords in the Authentication Methods section. This ensures all members must authenticate through your identity provider.

FAQs

Can I require MFA even if members use SSO?

Yes. If your organization’s MFA policy is set to Required, Petra will prompt members to complete MFA after SSO authentication — SSO handles the primary login, and Petra’s MFA applies on top as a second factor. You can also enforce MFA at the identity provider level for an additional layer of control.

What happens if I disable a sign-in method a member is actively using?

That member will be unable to sign in with the disabled method on their next session. Make sure members have access to at least one enabled method before disabling any options.

Can I reset another member’s MFA?

No. Each member must reset their own MFA from the Authentication tab. If a member is locked out, contact support@petrasecurity.com.

Who can configure SSO?

Only Admins can configure SSO connections and change authentication settings.

Do SSO users bypass Petra’s MFA requirement?

No. If your organization has MFA set to Required, members who sign in via SSO will still be prompted to complete Petra’s MFA step after their SSO authentication succeeds. SSO handles the primary authentication; Petra’s MFA policy applies on top of it as a second factor.