Security
Configure SSO, MFA, session policies, and audit logging.
Manage security settings from Settings → Security. This page covers SSO, MFA, session management, API keys, and audit logging.
Single Sign-On (SSO)
CRM Factory supports SAML 2.0 for enterprise SSO:
- Enter your Identity Provider URL (e.g., your Okta or Azure AD metadata URL)
- Upload the X.509 signing certificate (PEM format) via drag-and-drop or file browser
- Click Save SSO settings
When SSO is enabled, users from your identity provider's directory can sign in without separate CRM Factory credentials.
Multi-Factor Authentication (MFA)
Admins can enable MFA for the organization. When enabled, users are prompted to set up TOTP (Time-based One-Time Password) authentication using an authenticator app.
MFA adds a second factor after password/SSO authentication, protecting against compromised credentials.
Session Management
Configure how long sessions remain active:
| Setting | Options |
|---|---|
| Session timeout | 15 minutes, 30 minutes, 1 hour, 4 hours, 8 hours, Never |
The active sessions table shows all sessions for the current user, including device, location, IP address, and last activity time. You can revoke any session except the current one.
API Keys
Manage API keys for programmatic access:
- Create API Key — Generate a new key with a descriptive name
- Revoke — Immediately invalidate an API key
The key table shows each key's name, prefix, creation date, and last usage time.
For OAuth-based API access (MCP clients, integrations), see Settings → API.
Audit Log
The audit log records security-relevant events across your organization:
| Field | Description |
|---|---|
| Timestamp | When the event occurred |
| User | Who performed the action |
| Action | What happened (e.g., login, record update, permission change) |
| Entity | The affected record or resource |
| IP Address | Source IP of the request |
The audit log is available to admins and is retained according to your plan's data retention policy.
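A sketch of how an admin might triage these fields, as an added example rather than CRM Factory code: it flags a sensitive action performed shortly after a user first appears from a new IP address. The CSV layout, ISO timestamps, the `permission change` action label, and the 30-minute window are assumptions; this page does not describe an export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; column names follow the field table above (assumed layout).
SAMPLE = """Timestamp,User,Action,Entity,IP Address
2024-05-01T09:00:00,alice@example.com,login,session,198.51.100.10
2024-05-01T09:05:00,alice@example.com,record update,contact:1001,198.51.100.10
2024-05-02T09:01:00,alice@example.com,login,session,198.51.100.10
2024-05-02T23:40:00,alice@example.com,login,session,203.0.113.77
2024-05-02T23:44:00,alice@example.com,permission change,role:admin,203.0.113.77
2024-05-03T08:00:00,bob@example.com,login,session,192.0.2.5
2024-05-03T08:30:00,bob@example.com,permission change,role:sales,192.0.2.5
"""

SENSITIVE = {"permission change"}  # assumed label, taken from the table's example
WINDOW = timedelta(minutes=30)     # assumed review window


def flag_events(csv_text):
    """Return sensitive actions made within WINDOW of a user's first use of a new IP."""
    seen = {}      # user -> {ip: time first seen, or None for the baseline IP}
    findings = []
    # Uniform ISO 8601 timestamps sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["Timestamp"])
    for row in rows:
        ts = datetime.fromisoformat(row["Timestamp"])
        user, ip = row["User"], row["IP Address"]
        ips = seen.setdefault(user, {})
        if ip not in ips:
            # A user's first recorded IP is treated as baseline, not as a finding.
            ips[ip] = None if not ips else ts
        new_since = ips[ip]
        sensitive = row["Action"].strip().lower() in SENSITIVE
        if sensitive and new_since is not None and ts - new_since <= WINDOW:
            findings.append((row["Timestamp"], user, row["Action"], row["Entity"], ip))
    return findings


if __name__ == "__main__":
    for finding in flag_events(SAMPLE):
        print("REVIEW:", *finding)
```

A user with no earlier history, such as the second user in the sample, is not flagged; seed `seen` from a longer log period if first-day activity also needs review.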