How to Set Up a Break Glass Account for SSO/OIDC Outages

If your organization uses SSO or OIDC as its primary login method, a misconfiguration or outage at your identity provider can lock every user, including admins, out of PDQ. This is extremely disruptive: to protect your account, regaining access requires a multi-step identity verification process with PDQ that can leave you unable to use PDQ software for several days.

A break glass user account is an emergency admin account that uses a separate authentication method, giving you a way back in when your primary login flow isn't working.

Overview

PDQ allows you to mix authentication methods within your organization. By configuring one admin user to sign in with Passwordless with email as their Auth method while all other users sign in via SSO or OIDC, you create a fallback that is independent of your identity provider.

Passwordless with email delivers a one-time passcode to the account's email address (an emailed code, not an authenticator-app TOTP). Because the sign-in never touches your SSO or OIDC configuration, it continues to work when those login methods fail. Its only dependency is the mailbox itself, so that mailbox must not be gated behind the same identity provider you are trying to bypass.

Break glass account configuration

Enable passwordless with email as an Auth method

This procedure must be performed by an Owner or Admin account.

  1. Log into the PDQ Portal (https://portal.pdq.com), and browse to Accounts & security.
  2. Under Security | Allowed Authentication Methods, switch on Passwordless with email.
     Screenshot: the Allowed Authentication Methods panel with all methods enabled and the current user set to Microsoft Entra ID SSO. A notice at the bottom states, "You can't disable your current auth method", with a link to Edit auth method.
  3. Under Security | Require MFA for, select Users that log in via passwordless with email.
     Screenshot: the Require MFA for dropdown set to "Users that log in via passwordless with email".
  4. Under Security | Allowed MFA Methods, ensure that at least one usable MFA method is switched on. The break glass user will be required to enroll in one of these methods, so it must be something your team can complete without the identity provider.

Invite or designate an Admin user as the break glass account

You will need to select a user to serve as the break glass account. This should be an Owner or Admin account that is:

  • Associated with an email address your team can access independently of your SSO provider (for example, a shared mailbox or a personal address held by a trusted admin). If the mailbox itself requires SSO to open, the break glass account fails in exactly the outage it is meant to survive.
  • Not used for day-to-day work.

Test the account periodically (for example, after any identity provider change) to confirm that the mailbox is still reachable and the passwordless login and MFA still work.

If you need to invite a new user for this purpose, switch to the Team page (https://auth2.pdq.com/team), click Invite someone, and be sure to select the Admin role in the dropdown.

Passwordless with email will be the default login method for a new user unless they sign in using SSO or OIDC for their first login, or manually link one of those methods later.

If you wish to switch an existing SSO or OIDC user to passwordless, you will need to log in as that user. From the break glass user's profile page (https://portal.pdq.com/profile), click Use passwordless with email, and set up an MFA method through PDQ.

Important limitation

There is a security trade-off with this configuration. If your desired security posture is to have every user in your organization sign in via SSO or OIDC only, the sole way to enforce that in PDQ is to disable all other methods, including passwordless with email, which rules out a break glass account of this kind.

If you enable passwordless with email, you'll be able to create a break glass account, but any user in your organization can also select this Auth option. They would then be required to set up MFA through PDQ, but their sign-in would no longer pass through your identity provider.

To mitigate this:

  • Communicate clearly to your users that they are expected to log in via SSO or OIDC.
  • If you are also enforcing authentication method requirements through your identity provider, those controls remain in place for SSO and OIDC sign-ins regardless of what is configured in PDQ. Be aware that they do not govern passwordless logins, which never contact the identity provider.