About Multiple Authentication Methods
Multiple Authentication Methods (MAM) allows CloudConnexa Username & Password and SAML Single Sign-On to be active simultaneously on an account, so each user can authenticate with one or both methods.
By default, a CloudConnexa account uses one authentication method at a time:
CloudConnexa Username & Password
SAML Single Sign-On
Private LDAP
When the active method changed, users tied to the previous method were marked as Suspended by IdP and lost access.
Multiple Authentication Methods (MAM) removes this limitation. After enabling MAM, CloudConnexa Username & Password, and SAML can be active at the same time. Authentication methods are treated as user settings rather than at the account level, and the Suspended by IdP status is removed.
With MAM enabled, users are no longer tied to a single authentication type. Instead, authentication methods are enabled or disabled per user.
Note
MAM is available on Premium and higher plans.
Important
LDAP remains a standalone authentication method and can't be enabled alongside CloudConnexa Username & Password or SAML.
When to use multiple authentication methods
MAM is useful when:
You rely on SAML but want a fallback authentication method in case your identity provider (IdP) is unavailable.
You have internal users on SSO and external users, partners, or service accounts that cannot be added to your IdP.
You want to migrate users to SAML gradually without forcing an immediate cutover.
You need to pre-create users, assign groups, and configure access before users sign in for the first time, which is difficult to do in a SAML-only setup.
Before you enable MAM
MAM is a one-way change. Once it's enabled, it can't be turned off. CloudConnexa changes how users and authentication methods relate, and there's no rollback. A warning is shown before you confirm.
After enabling MAM, you can still:
Disable SAML or CloudConnexa Username & Password at the account level.
Switch the account to LDAP only.
Enable or disable a specific authentication method for individual users.
Suspended by IdP users must be removed first. Because the Suspended by IdP status is eliminated under MAM, any users currently in that state would regain access unintentionally.
When you start the MAM enablement flow, CloudConnexa checks for these users automatically:
If none are found, enablement continues.
If any are found, a User to Delete page lists them. Click Delete & Continue to remove them and proceed, or Back to Settings to cancel.
The owner account is never included in this list.
Changes to suspension behavior
After MAM is enabled, changes to account-level authentication settings no longer automatically suspend users. Only admins can suspend users manually.
How to enable MAM
Navigate to Settings → User Authentication.
Click Edit.
Enable the second authentication method — SAML if your account currently uses CloudConnexa Username & Password, or vice versa.
Review the confirmation dialog, which explains that MAM is irreversible and that Suspended by IdP users will be removed.
(Optional) Select Enable [method] for all existing and new users:
If selected, all users automatically get access to the new method.
If not selected, you can enable it per user later. See Managing authentication methods for individual users below.
Click Confirm.
MAM is now active on your account.
Note
Enabling a method for a user doesn't immediately change anything for that user. The method becomes active only after the user first authenticates with it — by signing in via SAML, or by setting a password through the Forgot password flow for CloudConnexa Username & Password.
Important
No notification is sent to users when methods are enabled.
Managing authentication methods for individual users
Viewing a user's authentication methods
In Users → Users, the Authentication column shows which methods are enabled for each user. Possible values are: CloudConnexa, SAML, and LDAP.
For the Owner, the column may also show Google or Microsoft (OAuth options managed separately). The Owner account doesn't support SAML or LDAP authentication.
Enabling or disabling a method for a user
Navigate to Users → Users, then open the user.
Click the Authentication tab.
Each authentication method available on the account appears as a card indicating whether it is currently enabled for this user.
To enable a method: Click Enable This Method and confirm. The method becomes active after the user first authenticates with it.
To disable a method: Click Disable This Method and confirm. The user can no longer sign in using that method.
Important
Each user needs to have at least one authentication method enabled. Disabling a user's only method prevents them from signing in.
If you disable a method at the account level, users who only had that method lose access. You need to enable another method for them manually before they can sign in again.
Where to manage MAM
You can manage authentication methods in the following locations:
Settings → User Authentication — Enable or disable methods for the entire account and view configuration notes.
Users → Users — View which authentication methods each user has in the Authentication column.
Users → Users → Authentication tab — Enable or disable methods for individual users, manage passwords, and configure 2FA.
How new users are created under MAM
Scenario | Result |
|---|---|
Admin creates a user manually (UI or API). | User is created with CloudConnexa Username & Password. The user receives a password setup flow. |
A person signs in via SAML for the first time, and no matching username exists. | CloudConnexa creates a new user with SAML authentication and the Member role. |
A person signs in via SAML for the first time, and a matching username already exists. | CloudConnexa links the SAML identity to the existing user, preserving their role, email, name, and group assignments. If Enable sync from SAML IdP is on, group assignments are updated according to User Group Mapping Rules. |
Enable [method] for all existing and new users was selected at MAM activation. | All methods are available to new users immediately, but users can't sign in with a method until they complete its initial setup. For example, users must create a password before they can use CloudConnexa Username & Password authentication, or successfully sign in through their IdP before they can use SAML or LDAP authentication. |
Owner account behavior
The Owner manages their own password, two-factor authentication (2FA), and OAuth options (Google, Microsoft) under My Account.
The Authentication tab for the Owner shows an informational note about this.
The Owner can't use SAML or LDAP authentication.