This guide explains how to configure Sign-in methods and
Multi-factor authentication in FoxPlan for an enterprise.

Where to Configure in FoxPlan #

1. Log in as an Enterprise Administrator.
2. Go to Settings → FoxPlan Account.
3. Open:
   • Sign-in methods (SSO settings)
   • Multi-factor authentication (MFA settings)

FoxPlan Labels (UI) #

Sign-in methods #

• Allowed sign-in methods
• Google sign-in
• Microsoft sign-in
• Password
• Enterprise SSO

Important: Enterprise administrators always keep Password sign-in enabled.

Multi-factor authentication #

• Available multi-factor authentication methods
• No MFA
• TOTP (Google Authenticator / Microsoft Authenticator / Okta / Keycloak / …)
• Email

How Login Flow Works #

1. User enters email and clicks Next.
2. FoxPlan resolves the enterprise linked to this email.
3. FoxPlan displays available methods for that enterprise.
4. User continues with Password or SSO depending on enabled methods.

MFA Behavior #

• MFA challenge is applied for Password sign-in flows.
• For SSO flows, authentication assurance is handled by your Identity Provider (IdP).

Enterprise SSO (OIDC) Configuration #

Enterprise SSO supports OIDC providers such as Okta, Keycloak,
Google, Microsoft, and custom OIDC providers.

1) Identity Provider Setup #

• Create an OIDC application of type Web.
• Configure redirect URI (callback) to FoxPlan:

  {origin}/login/oauth2/code/{registrationId}

• Collect:
  • Client ID
  • Client Secret (if your IdP client authentication mode provides one)
  • Issuer URI

2) FoxPlan SSO Form #

• Provider: Google / Microsoft / Okta / Keycloak / Custom OIDC
• Display Name
• Client ID
• Client Secret
• Issuer URI (required for standard OIDC providers)
• Scopes: openid,profile,email
• User name attribute: typically sub (or email)
• Enabled: ON

The Redirect URI (OIDC) field shown in FoxPlan is copyable and environment-based.

Registration ID Format #

FoxPlan uses:

{enterpriseId}-{provider}

Example:

e20535ea-5feb-41be-9662-74cfb99045fa-okta

Provider Notes #

Google #

• Issuer URI: https://accounts.google.com
• Scopes: openid,profile,email

Microsoft (Azure AD / Entra ID) #

• Issuer URI pattern:

  https://login.microsoftonline.com/{tenantId}/v2.0

• Scopes: openid,profile,email

Okta #

• Use an OIDC Web app.
• In most setups, the issuer should be your authorization server issuer (commonly including /oauth2/default).
• Ensure the user is assigned to the application and allowed by access policy/rules.

Keycloak #

• Use the realm issuer URI.
• Ensure client is configured for Authorization Code flow and has the FoxPlan redirect URI.

MFA Configuration in FoxPlan #

1. Open Multi-factor authentication.
2. Select one or more methods:
   • TOTP (Google Authenticator / Microsoft Authenticator / Okta / Keycloak / …)
   • Email
   • or No MFA
3. Click Save.

Troubleshooting Checklist #

• Redirect URI in IdP exactly matches FoxPlan’s copyable Redirect URI (OIDC).
• SSO configuration is Enabled.
• User email belongs to the correct enterprise.
• For Okta/Azure/Keycloak, verify assignment and access policies.
• If using Password login + MFA, verify user has valid MFA enrollment (TOTP secret or email path).

Security & Operations Notes #

• Each enterprise has independent sign-in configuration and policies.
• Remove legacy providers from user communication if not enabled in your tenant.
• Document both user journey and admin behavior (especially Password availability for admins).