Overview
When High Security Mode is enabled in EFS, EFS shows an additional password validation prompt for certain user-management actions, including:
- Creating new EFS admin users
- Editing existing EFS admin users
This behavior is part of High Security Mode’s “Additional Password Requests”.
Tivian Access is a security module that can be integrated into existing SSO infrastructure.
Once Tivian Access has been activated, EFS shows TIVIAN Access User Status on the user details page. A user is marked Active if the identity provider knows the user and the user has already logged in; Inactive if the user is known to the identity provider but has not logged in yet; and Not existing if the user is not known to the identity provider.
Solution
Goal: Restore the ability to create (or edit) EFS admin users when EFS prompts you to confirm the action with your password.
- Identify whether High Security Mode is involved.
  If you are prompted to re-enter your password when creating or editing an EFS admin user, this is consistent with High Security Mode’s documented “Additional Password Requests” for those actions.
- If you cannot complete the password confirmation prompt, contact Support to proceed.
  High Security Mode is activated by Support upon request.
  Provide Support with the following so they can (a) confirm whether High Security Mode is enabled and (b) help you complete the admin-user creation:
  - Instance URL.
  - Timestamp (with timezone) of a failed attempt and the admin username used.
  - A screenshot of the “Confirm action with your own password” prompt/error.
  - The new admin user details you want created (username, first name, last name, and email address).
  - The team(s) the new user should be added to, and which team should be the primary team.
- If the user is already created but can’t sign in via SSO, validate Tivian Access User Status.
  - In the EFS admin area, navigate to System → Users → Users.
  - Click the user’s name to open the user details page.
  - Check TIVIAN Access User Status.
  - If the status is Inactive, the identity provider knows the user but the user has not logged in yet. Have the user sign in once so the status can become Active.
<supportagent>
Agent-only note (Okta / Tivian Okta SSO): For Tivian Access customers using the Tivian Okta SSO, Okta is configured to use Just-in-Time (JIT) provisioning for federated users (user reference is created on first sign-in). This is why you can see “created on login / sign-on” behavior for SSO users in the IdP.
Agent-only references:
</supportagent>
Priyanka Bhotika