Can both two-factor authentication and SAML/SSO be turned on in the Console?


Article ID: 290346


Updated On:


Carbon Black Cloud Endpoint Standard (formerly Cb Defense)


In the Carbon Black Cloud Console, is it possible to have both 2fa and SAML/SSO enabled at the same time?


  • Carbon Black Cloud Console: All Versions
    • Audit and Remediation (was CB LiveOps)
    • Endpoint Standard (was CB Defense)
    • Enterprise EDR (was CB ThreatHunter)
    • Managed Detection (was CB ThreatSight)



Additional Information

  • SAML and 2fa cannot be enabled on the Service Provider's side (Carbon Black Cloud Console) at the same time, as the workflows are mutually exclusive
  • Many SAML providers (Identity Providers or IdPs) also allow for 2fa to be enabled on their side, which then increases security for all applications or services (Service Providers or SPs) available through the IdP
  • 2fa increases an organization's security posture, but does not simplify the login process
  • SAML does not increase an organization's security posture, but does simplify the login process
  • Two-factor authentication employs Username/Password (UN/PW) for initial authentication (1st factor) and a one-time passcode (2nd factor) available from an enrolled device (RSA token, smartphone, tablet, etc.)
  • Security Assertion Markup Language (SAML) employs an Identity Provider (IdP) and a Service Provider (SP), where UN/PW is entered for initial authentication at the IdP and the authentication assertion (based on username) is passed to the SP for logging into the service being provided
  • SAML is most often used to provide Single Sign-On (SSO) within an environment, allowing a user to sign in once and have their authentication assertion forwarded from the IdP and used by the different applications/services (SPs) they need throughout the day
  • When SAML is enabled, only the authentication assertion is sent from the IdP to the SP; since this does not include both the UN and PW, 2fa cannot be enabled on the SP-side when SAML is enabled and vice versa
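
To make the last point concrete, the following added example (generic SAML 2.0 handling, not Carbon Black Cloud code) summarizes what an SP receives in an assertion: an issuer, a NameID and an AuthnContext, with no password, so any second factor has to be enforced and reported by the IdP. The sample assertion, the `summarize_assertion` name and the `MFA_CONTEXTS` set are assumptions; the AuthnContext value an IdP emits for 2fa is IdP-specific, and a real SP verifies the assertion signature with a hardened XML parser before trusting any field.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# AuthnContext class references that indicate a second factor was used.
# Which value an IdP emits is IdP-specific; this set is an assumption.
MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "https://refeds.org/profile/mfa",
}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0"
                IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">analyst@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>
"""

def summarize_assertion(xml_text):
    """Return what the SP learns from an assertion: who, from which IdP, and how."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    contexts = [el.text.strip()
                for el in root.iterfind(".//saml:AuthnContextClassRef", NS) if el.text]
    # No element of the assertion is a password field: the SP never sees the PW.
    carries_password = any("password" in el.tag.rsplit("}", 1)[-1].lower()
                           for el in root.iter())
    return {
        "issuer": issuer,
        "name_id": name_id,
        "authn_contexts": contexts,
        "idp_reported_mfa": any(c in MFA_CONTEXTS for c in contexts),
        "carries_password": carries_password,
    }

if __name__ == "__main__":
    for key, value in summarize_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```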