What this standard answers
- Who owns password policy controls in hosted and self-hosted deployments
- How authentication is enforced for users and admins
- What controls are applied when password-based authentication is used
Current state (as of March 5, 2026)
Tero supports SSO-capable authentication (SAML 2.0 and OpenID Connect) and enforces authentication and session controls on application access paths.
Authentication and password baseline
| Area | Requirement |
|---|---|
| Primary user authentication model | SSO-capable authentication with SAML 2.0 and OpenID Connect support |
| Password policy source of truth (SSO) | Customer IdP policy controls (complexity, lockout, rotation, MFA policies) |
| Password handling | Passwords are never stored in source code or configuration; credential storage and verification are delegated to managed identity systems |
| MFA support | Enforced through customer IdP policy where configured |
| Administrative access | Restricted administrative access model with scoped authorization |
| Session controls | Session validation and scoped authorization are enforced in runtime access paths |
Supported login and SSO protocols
| Method or protocol | Support | Notes |
|---|---|---|
| Username and password | Supported | Can be disabled when SSO-only access is required |
| SSO via SAML 2.0 | Supported | Works with major SAML-compatible IdPs |
| SSO via OpenID Connect | Supported | Works with major OIDC-compatible IdPs |
| Multi-factor authentication (MFA) | Supported | Enforced through customer IdP policy for SSO; configurable for password-based login |
| OAuth 2.0 delegated access | Supported | Used for scoped API/integration authorization paths |
| LDAP | Not supported as a direct login method | LDAP-backed directories are integrated through an IdP that federates to Tero via SAML 2.0 or OpenID Connect |
Automated provisioning and deprovisioning
| Capability | Support model | Notes |
|---|---|---|
| User provisioning | Supported | Users can be created automatically from customer IdP directory-sync integrations |
| User deprovisioning | Supported | Users can be removed or access revoked automatically when they are removed/disabled in the customer IdP |
| Inactive-account handling | Supported | Inactive user access can be disabled automatically through customer IdP lifecycle policy, through platform account-lifecycle controls, or both, depending on deployment configuration |
| Group-based access mapping | Supported | IdP groups can be mapped to product roles/teams for least-privilege access assignment |
| SCIM transport | Supported where configured | SCIM-capable directory-sync paths are supported through identity integrations; provider-native sync paths are also supported |
Session timeout and reauthentication settings
| Access mode | Default session/reauth behavior | Customer configurability |
|---|---|---|
| SSO (SAML/OIDC) | Session timeout and reauthentication follow customer IdP policy defaults | Customer-configurable in IdP policy (for example idle timeout, max session age, reauth/MFA frequency) |
| Username/password | Platform-managed secure session controls are enforced in application access paths | Enterprise customers can require SSO-only mode; customer-specific session policy requirements are supported during security onboarding |
Session binding and network attribute controls
| Control | Baseline behavior | Customer configurability |
|---|---|---|
| Device-aware session policy | Enforced through customer IdP/conditional-access policy where configured | Configurable by customer in IdP/device-trust policy |
| Network/IP-based session restrictions | Supported through customer IdP policy and enterprise network allowlisting controls | Configurable by customer requirement and deployment model |
Enforcement model
- Authentication is required before access to protected application paths.
- Authorization is evaluated in tenant and workspace context.
- Access is removed or adjusted when a user's role or lifecycle state changes (for example, disablement or group removal in the customer IdP).
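The following is an added illustration of the enforcement model above and of the group-to-role mapping described under provisioning; it is example code written for this page, not Tero's implementation. The user-record shape, the IdP group names, the role-to-permission table and the function names are all assumptions made for the example. The checks run in the order the enforcement model implies: authentication and lifecycle state first, then tenant scoping, then workspace membership, and only then the role-derived permission, with unmapped groups granting nothing (deny by default).

```python
"""Hypothetical authorization check mirroring the enforcement model on this page.
Not Tero's code; claim shapes, group names and role mapping are assumptions."""
from dataclasses import dataclass

# Assumed IdP-group -> product-role mapping. A group with no entry grants
# nothing, so a user in only unknown groups ends up with no permissions.
GROUP_ROLE_MAP = {
    "app-admins": "admin",
    "app-editors": "editor",
    "app-viewers": "viewer",
}

# Assumed role -> permission table (least privilege: each role is a small set).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "manage_members"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


@dataclass
class UserRecord:
    """Minimal local account record kept in sync from the customer IdP."""
    subject: str        # stable IdP subject identifier
    tenant_id: str      # tenant the account was provisioned into
    active: bool        # cleared by IdP disable / SCIM deprovisioning
    groups: set         # IdP group names from directory sync
    workspaces: set     # workspaces in the tenant the user is a member of


def roles_for(groups):
    """Map IdP groups to product roles, silently dropping unmapped groups."""
    return {GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP}


def authorize(user, tenant_id, workspace_id, permission):
    """Return (allowed, reason) for a request in tenant/workspace context.

    Ordering matters: an unauthenticated or disabled principal is rejected
    before any tenant or workspace detail is consulted, and a tenant
    mismatch is rejected before workspace membership is examined.
    """
    if user is None:
        return False, "unauthenticated"
    if not user.active:
        return False, "account disabled"
    if user.tenant_id != tenant_id:
        return False, "tenant mismatch"
    if workspace_id not in user.workspaces:
        return False, "not a workspace member"
    roles = roles_for(user.groups)
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in roles))
    if permission not in granted:
        return False, f"permission {permission!r} not granted by roles {sorted(roles)}"
    return True, "ok"


def apply_idp_lifecycle(user, active, groups):
    """Mirror an IdP/SCIM lifecycle update onto the local record.

    Disabling the account or removing a group takes effect on the very next
    authorize() call; no cached decision survives the update.
    """
    user.active = active
    user.groups = set(groups)
    return user


if __name__ == "__main__":
    # Constructed sample principal (not real data).
    alice = UserRecord("alice", "tenant-1", True, {"app-editors"}, {"ws-1"})
    print(authorize(alice, "tenant-1", "ws-1", "write"))          # allowed
    print(authorize(alice, "tenant-1", "ws-1", "manage_members")) # editor lacks it
    print(authorize(alice, "tenant-2", "ws-1", "read"))           # wrong tenant
    apply_idp_lifecycle(alice, active=False, groups=alice.groups)
    print(authorize(alice, "tenant-1", "ws-1", "read"))           # now disabled
```

The deny-by-default mapping is the point to keep when wiring a real IdP: a new group appearing in the directory must not implicitly confer a role, and deprovisioning must be checked on every request rather than only at login.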
Hosted vs self-hosted scope
| Area | Tero-hosted | Self-hosted |
|---|---|---|
| Application authentication controls | Tero-operated | Tero software with customer runtime controls |
| IdP password and MFA policy settings | Customer-controlled | Customer-controlled |
| Runtime identity stack operations | Tero-operated | Customer-operated runtime |