Security
Configure SSO, SCIM provisioning, and security settings for your organization.
SAML SSO requires Business plan. SCIM requires Enterprise plan.
Authentication Options
| Method | Plan Required |
|---|---|
| Email/Password | All |
| Google OAuth | All |
| SAML SSO | Business+ |
Provisioning Options
| Method | Plan Required |
|---|---|
| Manual Invite | All |
| SCIM 2.0 | Enterprise |
Security Settings
Access at Organization → Security
Session Settings
- Session timeout: Auto logout after inactivity
- Concurrent sessions: Limit simultaneous logins
- Remember device: Trust device duration
Password Policy
- Minimum length: Require longer passwords
- Complexity: Require special characters
- Expiration: Force periodic changes
- History: Prevent reuse
Two-Factor Authentication
- Optional: Users can enable
- Required: All users must enable
- Admin required: Only admins must enable
HTTP Security Headers
Penvio includes security headers on all responses to protect against common web attacks:
| Header | Value | Purpose |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| X-Frame-Options | DENY | Prevents clickjacking |
| X-XSS-Protection | 1; mode=block | Enables XSS filtering |
| Referrer-Policy | strict-origin-when-cross-origin | Controls referrer information |
| Content-Security-Policy | Configured for app domains | Prevents XSS and injection attacks |
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Forces HTTPS connections |
| Permissions-Policy | Restricted | Limits browser feature access |
These headers are automatically applied and require no configuration.
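An added example (not Penvio code) of how an operator can verify that a response actually carries the baseline in the table above, for instance on headers captured with `curl -sI`; the CSP and Permissions-Policy checks are assumptions, since the page gives no literal values for them.

```python
from typing import Dict, List

# Baseline from the table above: header -> required value (compared case-insensitively).
EXACT_VALUES = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
    "x-xss-protection": "1; mode=block",  # legacy header; modern browsers ignore it, CSP is the real control
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS_MIN_AGE = 31536000  # one year, matching the documented max-age

def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains' into a lower-cased directive map."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXACT_VALUES.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected:
            findings.append(f"{name}: expected {expected!r}, got {actual!r}")
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    max_age = int(hsts["max-age"]) if hsts.get("max-age", "").isdigit() else 0
    if max_age < HSTS_MIN_AGE:
        findings.append(f"strict-transport-security: max-age {max_age} below {HSTS_MIN_AGE}")
    if "includesubdomains" not in hsts:
        findings.append("strict-transport-security: includeSubDomains missing")
    if "default-src" not in h.get("content-security-policy", ""):  # assumed minimum for a CSP
        findings.append("content-security-policy: missing or has no default-src")
    if "permissions-policy" not in h:
        findings.append("missing permissions-policy")
    return findings

# Constructed sample response (not captured from Penvio): weak X-Frame-Options and a short HSTS.
SAMPLE_HEADERS = {
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block", "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'", "Strict-Transport-Security": "max-age=86400",
    "Permissions-Policy": "camera=(), microphone=()",
}
```

Running `audit_headers(SAMPLE_HEADERS)` reports three findings (the X-Frame-Options value, the short max-age, and the missing includeSubDomains); a response matching the table returns an empty list.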
Best Practices
- Enable SSO when possible
- Require 2FA for admins
- Set reasonable session timeouts
- Review audit logs regularly
- Use SCIM for large organizations