# Account
The Account Settings page allows you to manage your Reblaze user accounts.
## **Tab: Your account details**
### Basic account settings
From this tab, you can reset your password, name, and phone number.
### Settings for OTPs (One Time Passwords)
Reblaze uses 2FA (two factor authentication). There are several options for sending an OTP when you login:
* If only an email address is provided, the OTP will be sent via email.
* If a phone number is provided, the OTP will be sent over SMS message.
* As an alternative, you can also get a QR code for use in apps such as Google Authenticator (available for both [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2) and [iPhone](https://itunes.apple.com/il/app/google-authenticator/id388497605)).
### API Key
This tab also offers a personal API key, to be used in all requests to the Reblaze API.
## Tab: Users management
This tab allows you to manage users that are attached to your organization. It is only available to users with administrator permissions.
### Administration
An admin can:
* Create a new user
* Edit an existing user
* Reset a user's password
* Delete a user
When a user account is being edited, this will appear:
The available Access Levels are:
* *Viewer*: can see the [Traffic](https://waap.docs.link11.com/v2.20/product-walkthrough/reblaze-traffic) section, i.e. the Dashboard and View Log.
* *Editor*: has all Viewer permissions, and can also configure security rulesets and policies in the [Security](https://waap.docs.link11.com/v2.20/product-walkthrough/security) and [Settings](https://waap.docs.link11.com/v2.20/product-walkthrough/settings) sections.
* *Organization Admin*: has all Editor permissions, and can also manage users via the Users Management page.
* *Reblaze Admin*: has all Organization Admin permissions, and can also edit and view the Notes, Init and Run pages.
## **Tab: Single sign-on configuration**
This tab allows SSO to be configured so that users have the ability to log into Reblaze with their **Okta** or **Microsoft** **Azure** accounts.
Configuration options will vary depending on the type of account.
{% hint style="info" %}
**Please note:** *In setting up an SSO account with Okta or Microsoft Azure, the screens you encounter on those sites may differ slightly from those appearing here. However, the information you will be required to provide for SSO set up and configuration will be the same as shown below.*
{% endhint %}
### Setting up SSO through Okta
#### **1. Initial Okta setup**
Go to [Okta](https://www.okta.com/). At the top of the page, click "Try Okta", register and create an application:
* Go to `https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active`
* Click **`Add Application`** → **`Create New App`**
* Choose `Platform: Web` and `Sign on method: SAML 2.0`
#### **2. Name it, setup links and attributes:**
Give your app a name and click **`Next`**:
**Now, configure the SAML integration**, as shown in the screen below.
In the **`Single sign-on URL`** field, enter the URL in the following format:
`https://`{REBLAZE\_CONSOLE\_DOMAIN}`/sso/saml20/signon`
In the **`Audience URI`** field, enter the URI in the following format*:*
`https://`{REBLAZE\_CONSOLE\_DOMAIN}`/sso/saml20/audience`
\[Obtain *Reblaze Console Domain* URL from the Reblaze Log In.]
Next, scroll down to the **`Attribute Statements (optional)`** section.
1. In the **`Name`** column, write *`emailaddress`;* in the **`Value`** *c*olumn, write *`user.email`*
2. Click **`Add Another`**.
3. In the **`Name`** column, write *`displayname`;* in the **`Value`** *c*olumn, write *`user.firstName + " " + user.lastName`*
4. Click **`Add Another`**.
5. In the **`Name`** column, write *`groups`;* in the **`Value`** *c*olumn, write *`appuser.rbzgroups`*
6. Scroll down, click **`Preview the SAML Assertion`,** then click **`Next`**.
The screen shown below will appear. Select **`I'm an Okta customer adding an internal app`**, then click **`Finish`** at the bottom of the screen.
#### **3. Custom User profile**
Next, the Reblaze Admin group ID must be configured.
On the left side of the Okta screen, under **`Directory`**, go to **`Profile Editor`** . The screen below will appear.
In the **`Users`** tab, select **`Apps`**.
Scroll down and in the list of **`Profiles`**, locate and then click **`{$APP_NAME} User`**, where {$APP\_NAME} is the name you assigned to your app earlier.
The following screen will appear. Under **`Attributes`**, click **`+ Add Attribute`**.
An **`Add Attribute`** window will appear. Complete the fields as shown below, then click **`Save`**.
The next step is mapping. Return to the **`Profile Editor`** screen, and click on the **`Mappings`** tab.
The window below will appear.
Fill in the top field with `appuser.rbzgroups`. Click the arrow to the right of the field, and select the first option.
At the bottom of the window, click **`Save Mappings`**, then click **`Apply updates now`**.
#### **4. Assign the application to users**
Create user groups for two possible access levels: **Admin** and **Read-Only access**.
On the Okta menu on the left side of the screen:
1. Under **`Directory`,** select **`Groups`**.
2. A **`Groups`** screen appears; go to **`Add Group`**. Add a group named `reblazeadmin`.
3. From the left-hand menu, under **`Applications`**, select **`Applications`**.
4. An **`Applications`** screen will appear. Click your app's name. The screen shown below will open.
5. In the **`Assignments`** tab, click the **`Assign`** dropdown and select **`Assign to Groups`**, as below.
The following window will open. Select `reblazeadmin`, and click **`Assign`**.
The following window will open. Fill in the field as below, then click **`Save and Go Back`**. This will bring you back to the previous window (above), where you click **`Done`**.
Next, back at the app window, select the **`Sign On`** tab. In the window that appears, scroll down until the **`SAML Signing Certificates`** section. On the right hand side, click **`View SAML setup instructions`**.
This leads to the **`How to Configure SAML 2.0 for {$APP_NAME} Application`** page. You will use the information here in the next step.
#### 5. Complete Okta SSO setup in Reblaze
At this point, you must log into the Reblaze console. Go to your **Reblaze `Log In`** screen and complete all the fields, including the MFA PIN you will receive. Click **`Log In`**.
This will bring you to the Reblaze console.
1. From the menu on the left, under **`Settings`** select **`Account`**. Your Account page will open. Click the **`Single sign on configuration`** tab.
2. In the window that appears, select **`Enabled`**.
3. To obtain the URL for the **`Provider URL`** field, return to the Okta **`How to Configure SAML 2.0 for {$APP_NAME} Application`** page.
* Copy the url from the **`Identity Provider Single Sign-On URL`**, and paste it into the Reblaze **`Provider URL`** field.
* The following revisions must be made to the URL:
* Delete the following segment, highlighted in blue, from the URL you copied:  \[`dev-7889665_mynewapp_1/`]
* Now, add the suffix **`metadata`** to the end of the URL (after the segment ending: *saml/*).
4\. Fill in the name of the **`Admin Group`** (i.e., `reblazeadmin`).
5\. Fill in the URL for the **`IDP Issuer`** field. To obtain the URL:
6\. Return to the **`How to Configure SAML 2.0 for {$APP_NAME} Application`** page.
7\. Copy the URL from the **`Identity Provider Issuer`** field.
8\. Paste it into the Reblaze **`IDP Issuer`** field.
9\. Ignore the **`Audience URL`** and **`Assertion URL`** fields (they should be disabled automatically).
10\. Click **`Save`**. This will restart the console service.
On the Reblaze **`Log In`** page there will now be an additional button: **`SSO Login`**. Click to log into the Reblaze console.
### Set**ting** up SSO through Microsoft Azure
#### **1. Get started with Azure.**
Go to [this MS Azure page](https://azure.microsoft.com/en-us/solutions/active-directory-sso/) to sign in.
You will be redirected to the Default Directory page. From the side menu, select **`Enterprise applications`**.
#### **2. Create the SSO app.**
Choose **`+ New Application`** , as shown below.
In the screen below, choose **`+ Create your own application`** .
Then, from the drop-down that appears, give your app a name and choose **`Integrate any other application you don't find in the gallery (Non-gallery)`**. Click **`Create`**.
#### **3. Define SAML links.**
On the next screen that appears, from the left menu, select **`Single sign-on`**, then choose **`SAML`:**
The screen below will appear. Click **`Edit`** in the first block (*Basic SAML Configuration*) on the left.
On the right, enter values for the **`Identifier (Entity ID)`** and **`Reply URL (Assertion Consumer Service URL)`** fields:
* The **`Identifier (Entity ID)`** should be provided by the customer. It must be unique for the customer’s SSO applications. The best option is to use something like: `customer_domain.com?sso=123`. Note that this should not contain the "https\://" prefix. Also note that this value will be entered into the **IDP** **Issuer** field in the Reblaze console.
* The **`Reply URL (Assertion Consumer Service URL)`** should be: `https://`{REBLAZE\_CONSOLE\_DOMAIN}`/sso/saml20/signon`, where the {REBLAZE\_CONSOLE\_DOMAIN} can be obtained from the Reblaze Log In.
Click **Save** (at the top).
#### **4. Get the Metadata XML link for later use.**
Copy the **`App Federation Metadata URL`** and save it for later. This will be used as the `Provider URL` value in the Reblaze console.
#### **5. Set up** `user.groups` **in `Attributes & Claims`.**
In the second block of the screen below, click **`Edit`**.
The screen below will appear. Select **`+ Add a group claim`**.
From the drop down that appears on the right:
* Choose **`All groups`**
* Choose `Source attribute:`**`Group ID`**
* Click **`Save`**
The following screen will appear.
#### **6. Add a user as a member of the application.**
Return to the **`Enterprise Application`** screen**.** From the left menu, click **`Users and Groups`.**
Click the **`+ Add users/groups`** tab. Add users to the application by searching for a display name or through *application registration*.
#### **7. Create an admin group and assign a user.**
Go to **`Azure Active Directory`** → **`Groups`**, and create a group by clicking on the **`New Group`** tab.
Copy the `Object ID` and save it for later use. It will be the value for the **`Admin Group`** field in the Reblaze console.
Click on the hyperlinked group name (`ReblazeAdmin`); the screen below will appear. Select **`Members`** from the left menu.
Assign a user to the group:
#### **8. Complete Azure SSO settings in Reblaze.**
Go to the Reblaze console and sign in.
In the left menu, under **`Settings`**, select **`Account`**. When the screen below appears, click on the *`Single sign on configuration`* tab; set the **Enabled** checkbox.
For the remaining fields:
* Set **`Provider`** to `Microsoft`.
* Set the **`Provider URL`** to the value obtained in Step 4 (the **`App Federation Metadata URL`**).
* Set the **`Admin Group`** to the value obtained in Step 7 (the `Object ID`).
* Ignore the remaining fields. (**`IDP Issuer`** should have been set automatically, while **`Audience URL`** and **`Assertion URL`** should have been disabled.)
After the fields are filled in, click **`Save`**.
