Configure Login/MFA/OIDC Policy for your Organization

Overview

PDQ Account owners and administrators can require specific authentication methods and MFA options for all team members within their organization. 

These settings can be configured by logging into the billing portal and navigating to the Account page:
https://portal.pdq.com/account

Authentication and MFA methods can be enabled and disabled here.

If the Passwordless with email authentication option is enabled, Require MFA for all users must also be enabled, together with at least one specific MFA method.

The Username/password login is a legacy option which cannot be used to register new users. Disabling Username/password as a login option is irreversible: it cannot be re-enabled, and all users will be prompted to choose a different login method instead.

Set login session duration

By default, a session (the period during which the user stays “logged in”) lasts 10 days. This can be changed with the “Require log in after (seconds)” option. The value is in seconds, so the default of 10 days is 864000.

This login duration applies to PDQ products only. If you are also setting a login duration in your external login provider, we recommend configuring this duration to match that of your external provider.

Configure OpenID Connect (OIDC) settings

Account owners and administrators can set up OpenID Connect (OIDC) on the same Account page from above:
https://portal.pdq.com/account

In the OIDC Settings section, enter the OIDC settings from your provider, including:

  • Discovery Document URI
  • Client ID
  • Client Secret 

After you enter the Client Secret and click Save changes, the text field will appear blank, but the value has been saved. You can update your Client Secret at any time by entering a new one and saving again. Client secrets expire after a predetermined period (which varies by OIDC provider), so we recommend setting a calendar reminder to update the Client Secret in your PDQ settings before its expiration date. If the Client Secret expires before it is updated, access to your account may be interrupted.

Supported OIDC providers

While it is PDQ's intention to support a broad range of OIDC providers, each provider must be assessed individually, and only providers which meet security standards will be approved for logging into PDQ.

The following providers are supported:

IdP                    Safelisted URLs
Microsoft Entra ID     login.microsoftonline.com
Okta                   *.okta.com
Duo Single Sign-On     *.sso.duosecurity.com
Oracle IDCS            *.identity.oraclecloud.com
OneLogin               *.onelogin.com

If your Identity Provider (IdP) supports OIDC but does not appear on the list above, you must contact PDQ Support to request safelisting. If you do not perform this step, your OIDC configuration cannot be used for login.
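As an added illustration (not PDQ's own code, and not a description of how PDQ performs safelisting internally), the following Python helper checks whether the host of an OIDC Discovery Document URI falls under one of the safelisted URLs in the table above. The hosts are copied from the table; the matching rules (https only, exact host for plain entries, one or more subdomain labels for "*." entries) are this example's own assumptions. Sample URIs in the comments are constructed.

```python
"""Check an OIDC Discovery Document URI against the article's IdP safelist.

Added example for this article, not PDQ's code. The hosts below are the
article's table; the matching rules are this example's assumptions.
"""
from urllib.parse import urlparse

# Safelisted IdP hosts, copied from the article's table.
SAFELISTED_HOSTS = {
    "Microsoft Entra ID": "login.microsoftonline.com",
    "Okta": "*.okta.com",
    "Duo Single Sign-On": "*.sso.duosecurity.com",
    "Oracle IDCS": "*.identity.oraclecloud.com",
    "OneLogin": "*.onelogin.com",
}


def host_matches(pattern: str, host: str) -> bool:
    """Return True if host matches a safelist pattern.

    A pattern without a wildcard must equal the host. A leading "*."
    matches one or more labels below the suffix: "*.okta.com" matches
    "dev-1.okta.com" and "a.b.okta.com", but not "okta.com" itself and
    not "okta.com.example.net" (the suffix must be at the end).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".okta.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def matching_idp(discovery_uri: str):
    """Return the safelisted IdP name for a Discovery Document URI, or None.

    Only https URIs are accepted. urlparse().hostname excludes userinfo
    and port, so the decision is made on the actual host the browser
    would connect to, not on text that merely appears before an "@".
    Constructed sample: "https://dev-1.okta.com/.well-known/openid-configuration"
    returns "Okta".
    """
    parts = urlparse(discovery_uri)
    if parts.scheme != "https" or not parts.hostname:
        return None
    for idp, pattern in SAFELISTED_HOSTS.items():
        if host_matches(pattern, parts.hostname):
            return idp
    return None
```

A URI that returns None here is one you would expect to need a safelisting request to PDQ Support before it can be used for login.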

Links to specific guides for Microsoft Entra ID and Okta appear at the bottom of this article. The specific settings and user experience for your OIDC provider may vary, and we may or may not be able to provide specific guidance.

Any OIDC provider that you use must return an email value which matches that of the user logging in, so we recommend logging into the PDQ Portal and your OIDC provider with the same user/email address if possible.

After you have entered and saved these values, you may switch on OIDC in the Allowed Authentication Methods section above.

Enable OIDC for your account

Once OIDC is enabled, you can return to your own profile (https://portal.pdq.com/profile) and click Link with OIDC to enable sign-in with OIDC for your account, and confirm that it functions as expected. 

We recommend adding at least one other admin user before switching login methods on your account, so that you keep access to your organization's admin settings if OIDC configuration issues prevent you from logging into your own account.

Enable OIDC for all users

On your organization's account page (https://portal.pdq.com/account), you can choose the permitted authentication methods. After you have successfully logged into your own account using OIDC, you can switch it on for other users as well.

Here is an example configuration which allows OIDC login and no other methods. 

(Optional) Use Login URI to specify login destination

By default, OIDC login will return the user to the billing portal (https://portal.pdq.com), which is generally only a click away from PDQ Connect (https://app.pdq.com). After logging in, you can switch between these destinations easily using bookmarks in your web browser without needing to log in a second time. 

For those users who prefer to initiate a login from their OIDC provider and specify a login destination, you can copy the Login URI from your organization's account page (https://portal.pdq.com/account) and append one of the following parameters to it: 

URL parameter                      Destination
?return_to=https://app.pdq.com     PDQ Connect
?return_to=https://portal.pdq.com  PDQ Portal

Example:

https://auth2.pdq.com/oidc/oidc_000001111122222333334444455555?return_to=https://app.pdq.com

Once you have the modified Login URI, you can specify it in your OIDC provider. This will allow you to initiate login from your OIDC provider and specify a destination. 
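As an added example (not PDQ's code), the Python helpers below build the modified Login URI from the two destinations in the table above and check that a Login URI's return_to value is exactly one of them. The base Login URI is the placeholder value shown in the article's example; the requirement that the base URI be https and carry no query string yet is this example's own assumption, made so the result has a single return_to parameter.

```python
"""Build and check an OIDC Login URI with a return_to destination.

Added example for this article, not PDQ's code. DESTINATIONS comes from
the article's table; EXAMPLE_LOGIN_URI is the article's example value.
"""
from urllib.parse import parse_qs, urlparse

# The two return_to destinations listed in the article.
DESTINATIONS = {
    "PDQ Connect": "https://app.pdq.com",
    "PDQ Portal": "https://portal.pdq.com",
}

# Login URI as shown in the article's example (placeholder organization id).
EXAMPLE_LOGIN_URI = "https://auth2.pdq.com/oidc/oidc_000001111122222333334444455555"


def login_uri_for(login_uri: str, destination: str) -> str:
    """Append ?return_to=<destination URL> to the organization's Login URI.

    destination is the product name ("PDQ Connect" or "PDQ Portal").
    Assumption: the Login URI is https and has no query or fragment yet,
    so the result carries exactly one return_to. The value is appended
    verbatim, matching the article's example.
    """
    if destination not in DESTINATIONS:
        raise ValueError(f"unknown destination: {destination!r}")
    parts = urlparse(login_uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("Login URI must be https with no query or fragment")
    return f"{login_uri}?return_to={DESTINATIONS[destination]}"


def return_to_is_allowed(full_uri: str) -> bool:
    """True only if return_to appears once and equals a listed destination.

    Exact comparison, not prefix matching, so look-alike hosts and
    duplicate parameters are rejected.
    """
    values = parse_qs(urlparse(full_uri).query).get("return_to", [])
    return len(values) == 1 and values[0] in DESTINATIONS.values()
```

Paste the output of login_uri_for into your OIDC provider as the login destination; return_to_is_allowed is a quick way to review a URI someone else configured before trusting it.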

See also:
OIDC settings in Microsoft Entra ID

OIDC settings in Okta
