# Account

The Account Settings page allows you to manage your Reblaze user accounts.

## **Tab: Your account details**

![Your account details](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/L4wQaEs4xDmaps5ZnDKT/RBZDEVEVGENIYL%20_%20Account%202021-06-08%2012-51-43.png)

### Basic account settings

From this tab, you can reset your password and update your name and phone number.

### Settings for OTPs (One Time Passwords)

Reblaze uses 2FA (two-factor authentication). There are several options for sending an OTP when you log in:

* If only an email address is provided, the OTP will be sent via email.
* If a phone number is provided, the OTP will be sent via SMS.
* As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/il/app/google-authenticator/id388497605)).

### API Key

This tab also offers a personal API key, to be used in all requests to the Reblaze API.

## Tab: Users management

![Users management](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/xUZZMIlVNxMicJaNKNxR/RBZDEVEVGENIYL%20_%20Account%202021-06-08%2013-38-45.png)

This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.

### Administration

An admin can:

* Create a new user
* Edit an existing user
* Reset a user's password
* Delete a user

When a user account is being edited, this will appear:

![Edit User](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/dBPK3yZA4c00MwdHQYSj/RBZDEVEVGENIYL%20_%20Account%202021-06-08%2013-42-12.png)

The available Access Levels are:

* *Viewer*: can see the [Traffic](https://waap.docs.link11.com/v2.20.4/console-ui-walkthrough/reblaze-traffic) section, i.e. the Dashboard and View Log.
* *Editor*: has all Viewer permissions, and can also configure security rulesets and policies in the [Security](https://waap.docs.link11.com/v2.20.4/console-ui-walkthrough/security) and [Settings](https://waap.docs.link11.com/v2.20.4/console-ui-walkthrough/settings) sections.
* *Organization Admin*: has all Editor permissions, and can also manage users via the Users Management page.
* *Reblaze Admin*: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.

## **Tab: Single sign on configuration**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/OfgUCAAKLa4HahDjRuDw/RBZDEVEVGENIYL%20_%20Account%202021-06-08%2014-31-44.png)

This tab allows SSO to be configured so that users have the ability to log into Reblaze with their **Okta** or **Microsoft** accounts.

Configuration options will vary depending on the type of account.

### Set up Okta SSO

#### **1. Go to** [**Okta**](https://www.okta.com/)**, register and create an application:**

Go to `https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active`

Click `Add Application` → `Create New App`

Choose `Platform: Web`, `Sign on method: SAML 2.0`

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/lBaj0Uimaf3I3jt3jr0T/Setup-Okta-SSO-1.png)

#### **2. Name it, set up links and attributes:**

*Single sign on URL*:

`RBZ_SSO_ASSERTION_URL` env var. The value should look like: `https://{CUSTOMER_DOMAIN}/sso/saml20/signon`.

*Audience URI (SP Entity ID)*:

`RBZ_SSO_AUDIENCE_URL` env var. The value should look like: `https://{CUSTOMER_DOMAIN}/sso/saml20/audience`.

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/ZDbwUlnhrrFdOgh7YGg9/Setup-Okta-SSO-2.png)

*Attribute Statements:*

* emailaddress: `user.email`
* displayname: `user.firstName + " " + user.lastName`
* groups: `appuser.rbzgroups`

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/7WJnzf1Ym1Pc3HEyFOmb/Setup-Okta-SSO-3.png)

#### **3. Custom User profile**

To pass the Admin group ID, add a custom attribute to the user groups.\
Directory > Profile Editor > Apps > Click on Profile

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/NAHCUlBeaAm9zzADwDaJ/Setup-Okta-SSO-4.png)

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/enNZ6SgL2R2CuGNjUTV0/Setup-Okta-SSO-5.png)

The next step is to map it.

Directory > Profile Editor > Apps > Click on Mappings

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/toy0Pvlk0zyc8XlLBAcB/Setup-Okta-SSO-6.png)

#### **4. Assign the application to users**

Create user groups for the two possible access levels: Admin and Read-Only access.

Assign users to them. The group name is the string you need for `RBZSSOSAML2_ADMINGROUP`; alternatively, place the group name into the Reblaze console SSO settings.

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/BfeRH8HHjfiIctAocuX1/Setup-Okta-SSO-7.png)

And in your just-created Application settings:

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/jxK3szEdStqhful7dsDt/Setup-Okta-SSO-8.png)

On the assignment step, a value will be required for the custom attribute configured earlier. For the admin group, the value is the same as in `RBZSSOSAML2_ADMINGROUP`; for the read-only group, it can be anything else.

#### **5. Get Metadata XML link:**

Add the **URL** of the XML metadata file to the `RBZ_SSO_META_URL` env var (and/or to the Provider URL field in admin).\
Example URL: <https://vreagles.okta.com/app/exkl1t3p61ek810CP5d6/sso/saml/metadata>

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/LTT1OlkdTKrnYibfnRXF/Setup-Okta-SSO-9.png)


#### **6. Where to get** `RBZ_SSO_IDP_ISSUER`**:**

Go to Applications, choose yours, `Sign On` tab, click on `View Setup Instructions`

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/WJWJopccC9jdi4mxPz7A/Setup-Okta-SSO-10.png)

There you'll find Identity Provider Issuer:

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/jBRE0KMay82QcFBawyoH/Setup-Okta-SSO-11.png)

### Set up Microsoft Azure SSO

**1. Go to** [**Azure Portal**](https://azure.microsoft.com/en-us/account/) **→** `Enterprise applications`

**2. Choose** `+ New Application` **→** `+ Create your own application`**:**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/ceeFgPI6wdFblNI8J8IH/Setup-Microsoft-Azure-SSO-1.png)

**3. Choose option** `Integrate any other application you don't find in the gallery (Non-gallery)` **(this option creates an SSO app):**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/qvgjAkFGydedkX5lOZ7Z/Setup-Microsoft-Azure-SSO-2.png)

**4. Go to** `Single sign-on` **section and choose** `SAML`**:**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/nbUiI3FzAeVjh2uWgdxy/Setup-Microsoft-Azure-SSO-3.png)

**5. Set up appropriate links:**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/xUS3kkywgwOFG4x9ryQm/Setup-Microsoft-Azure-SSO-4.png)

`RBZ_SSO_IDP_ISSUER` should be provided by the customer and must be unique among the customer's SSO applications. The best option is to use something like `https://customer_domain.com?sso=123`. The **IDP Issuer** field (in the console) should be identical to the **Identifier** field (in Azure).

**6. Get Metadata XML link and add to** `RBZ_SSO_META_URL` **environment variable:**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/SsIgnkgWTHcZ1u6b9Zpq/Setup-Microsoft-Azure-SSO-5.png)

**7. Set up** `user.groups` **in User Attributes & Claims, so that it sends all groups related to the user:**

Click on **+ Add a group claim**, then choose:

* **All groups**
* Source attribute: **Group ID**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/FzDrewjXlDCCWtZ67Rg4/Setup-Microsoft-Azure-SSO-6.png)

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/z0q5gIZmvbHHncSZN1OM/Setup-Microsoft-Azure-SSO-7.png)

**8. Add a user as a member of the application:**

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/hbYuSKrberc2e3bp3URA/Setup-Microsoft-Azure-SSO-8.png)

**9. Get admin group ID from Azure and put it into** `RBZ_SSO_ADMIN_GROUP` **environment variable:**\
Go to `Azure Active Directory` → `Groups`, create a group.

`Object ID` is the string you need for `RBZ_SSO_ADMIN_GROUP`; alternatively, place the group ID into the Reblaze console SSO settings:

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/kSwPOhz1ZCk5cCnwu5vv/Setup-Microsoft-Azure-SSO-9.png)

And assign a user to the group:

![](https://content.gitbook.com/content/CWgVjpGHfzXGmM9HfqF3/blobs/XUuzrsKLd3FcEG4B6yaU/Setup-Microsoft-Azure-SSO-10.png)
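A preflight check for the values collected in the Okta and Azure procedures above, as an added example that is not part of Reblaze's own code. It assumes the settings are supplied as environment variables, that the two service-provider URLs must match the documented paths exactly, and that all URLs must use HTTPS; the function name `check_sso_env` is hypothetical.

```python
import os
import re
import sys
from urllib.parse import urlsplit

# Paths this page documents for the two service-provider URLs.
EXPECTED_PATHS = {
    "RBZ_SSO_ASSERTION_URL": "/sso/saml20/signon",
    "RBZ_SSO_AUDIENCE_URL": "/sso/saml20/audience",
}
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_sso_env(env, provider):
    """Return a list of problems in the RBZ_SSO_* values (empty list = OK)."""
    problems, hosts = [], set()
    for name, path in EXPECTED_PATHS.items():
        url = urlsplit(env.get(name, ""))
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{name}: must be an https URL")
            continue
        if url.path != path or url.query or url.fragment:
            problems.append(f"{name}: path must be exactly {path}")
        hosts.add(url.hostname.lower())
    if len(hosts) > 1:
        problems.append("assertion and audience URLs use different domains")
    # IdP metadata carries the signing certificate, so require TLS for it.
    meta = urlsplit(env.get("RBZ_SSO_META_URL", ""))
    if meta.scheme != "https" or not meta.hostname:
        problems.append("RBZ_SSO_META_URL: must be an https URL")
    # The issuer is compared as a string, so stray whitespace breaks the match.
    issuer = env.get("RBZ_SSO_IDP_ISSUER", "")
    if not issuer or issuer != issuer.strip():
        problems.append("RBZ_SSO_IDP_ISSUER: empty or has stray whitespace")
    # Azure identifies the admin group by Object ID (a GUID); the variable is
    # optional because the group can also be set in the console.
    group = env.get("RBZ_SSO_ADMIN_GROUP")
    if provider == "azure" and group is not None and not GUID.match(group):
        problems.append("RBZ_SSO_ADMIN_GROUP: expected an Azure Object ID")
    return problems


if __name__ == "__main__":
    provider = sys.argv[1] if len(sys.argv) > 1 else "okta"
    for problem in check_sso_env(os.environ, provider):
        print(problem)
```

Run it with `okta` or `azure` as the only argument in the environment where the `RBZ_SSO_*` variables are set; no output means every check passed.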

