Security Settings
Overview
SignalBreak provides comprehensive security features to protect your AI governance data and control access to your organization. Configure password policies, manage active sessions, enable Single Sign-On, and restrict access by IP address to meet your organization's security requirements.
Location: Settings → Security
Key Features:
- Password management with strength requirements
- Active session monitoring and control
- Single Sign-On (SSO) with SAML providers (Enterprise)
- IP allowlisting for access control (Enterprise)
- API key management for programmatic access (Enterprise)
Password Management
Changing Your Password
Keep your account secure by regularly updating your password and using a strong, unique passphrase.
Access: Settings → Security → Change Password
Requirements:
- Must provide current password for verification
- New password must meet strength requirements (see below)
- New password must be different from current password
- Confirmation password must match new password
Steps to change password:
Navigate to security settings:
- Go to Settings → Security
- Scroll to "Change Password" card
Enter credentials:
- Current Password: Your existing password for verification
- New Password: Your desired new password
- Confirm New Password: Re-enter new password to prevent typos
Review password strength:
- Real-time strength indicator shows: Weak, Fair, Good, or Strong
- Requirements checklist updates as you type
- All requirements must be met (green checkmarks) to proceed
Submit change:
- Click "Change Password" button
- Wait for confirmation: "Password changed successfully"
- You will remain signed in on your current device
Important: After changing your password:
- All other active sessions will remain active (you are NOT signed out)
- Consider using "Sign out other devices" if you suspect unauthorized access
- Update password manager if you use one
Password Requirements
All passwords must meet the following security criteria:
| Requirement | Description | Example |
|---|---|---|
| Minimum length | At least 8 characters | Example123! (11 chars) |
| Lowercase letter | At least one lowercase letter (a-z) | example |
| Uppercase letter | At least one uppercase letter (A-Z) | Example |
| Number | At least one numeric digit (0-9) | Example123 |
| Special character | At least one symbol | Example123**!** |
Valid special characters:
! @ # $ % ^ & * ( ) , . ? " : { } | < >
Password strength levels:
- 🔴 Weak (0-2 requirements met): Does not meet minimum security standards. Will be rejected.
- 🟡 Fair (3 requirements met): Meets minimum standards but could be stronger. Accepted but not recommended.
- 🟠 Good (4 requirements met): Strong password that meets most best practices. Recommended.
- 🟢 Strong (5 requirements met): Excellent password meeting all security best practices. Highly recommended.
Tips for strong passwords:
- Use a passphrase: Coffee@Morning2026! (easier to remember than random characters)
- Avoid dictionary words, names, or dates
- Don't reuse passwords from other services
- Use a password manager to generate and store complex passwords
- Aim for 12+ characters even though minimum is 8
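The five requirements and the strength scale above, expressed as an added Python check (example code written for this page, not SignalBreak's own validator; the function names are my own). `validate_change` also applies the change-password rules from the earlier section (new password differs from the current one, confirmation matches):

```python
"""Password policy checker mirroring the five SignalBreak requirements.

Added example, not SignalBreak's code; function names are assumptions.
"""

# The exact set of special characters the page lists as valid.
SPECIAL_CHARS = frozenset('!@#$%^&*(),.?":{}|<>')

# Each requirement as (name, predicate), in the order of the requirements table.
REQUIREMENTS = (
    ("min_length", lambda p: len(p) >= 8),
    ("lowercase", lambda p: any("a" <= c <= "z" for c in p)),
    ("uppercase", lambda p: any("A" <= c <= "Z" for c in p)),
    ("number", lambda p: any("0" <= c <= "9" for c in p)),
    ("special", lambda p: any(c in SPECIAL_CHARS for c in p)),
)

# Indicator label for the number of requirements met; "Weak" is rejected.
STRENGTH = {0: "Weak", 1: "Weak", 2: "Weak", 3: "Fair", 4: "Good", 5: "Strong"}


def check_requirements(password):
    """Return {requirement_name: met?} for every requirement (the checklist)."""
    return {name: pred(password) for name, pred in REQUIREMENTS}


def strength(password):
    """Return (met_count, label) as the real-time strength indicator would."""
    met = sum(check_requirements(password).values())
    return met, STRENGTH[met]


def validate_change(current, new, confirm):
    """Apply the change-password form rules; return error strings (empty = OK).

    The form requires all five checkmarks to be green, so any unmet
    requirement is an error here. Verifying `current` against the stored
    credential happens server-side and is outside this example.
    """
    errors = []
    if not current:
        errors.append("current password is required")
    if new == current:
        errors.append("new password must differ from current password")
    if new != confirm:
        errors.append("confirmation does not match new password")
    unmet = [name for name, ok in check_requirements(new).items() if not ok]
    if unmet:
        errors.append("requirements not met: " + ", ".join(unmet))
    return errors
```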
Password Visibility Toggle
Each password field includes an eye icon to toggle visibility:
- 👁️ Eye (open): Click to show password as plain text
- 👁️🗨️ Eye with slash: Click to hide password (dots/asterisks)
When to use:
- Show password when typing to avoid typos
- Hide password when in public spaces or screensharing
- Toggle back and forth to verify each character
Security note: Be aware of your surroundings when showing passwords in plain text.
Session Management
Understanding Sessions
A session represents an active sign-in to SignalBreak from a specific device/browser. Each time you sign in, a new session is created with:
- Device information (browser, operating system)
- Last activity timestamp
- Authentication token (7-day validity by default)
Session duration:
- Sessions remain active for 7 days of inactivity by default
- Activity resets the timer (viewing pages, making changes, etc.)
- Signing out terminates the session immediately
Multi-device access:
- You can be signed in on multiple devices simultaneously
- Each device has its own independent session
- Signing out on one device does not affect others (unless you choose "Sign out everywhere")
Viewing Active Sessions
Access: Settings → Security → Active Sessions
The "Active Sessions" card shows:
- Current Session: The device you're currently using
- Displays "Current Session" label
- Shows last sign-in time (e.g., "Last signed in 2 hours ago")
- Green "Active" badge
- Shield icon to indicate it's protected
Note: SignalBreak currently shows a summary of your current session. Detailed information about other devices (IP addresses, device names, locations) is not currently displayed but is planned for a future release.
Signing Out Other Devices
If you suspect unauthorized access or want to revoke access from other devices (e.g., a work computer you no longer have access to), you can sign out all other sessions while staying signed in on your current device.
Steps:
- Go to Settings → Security → Active Sessions
- Click "Sign out other devices" button
- Confirm action in popup dialog: "Sign out from all other devices? You will stay signed in on this device."
- Click "OK" to proceed
- Wait for confirmation: "Sessions terminated"
What happens:
- All sessions except your current one are terminated immediately
- Other devices must sign in again to access SignalBreak
- Your current session remains active (no interruption to your work)
- The change takes effect on all devices within 60 seconds
When to use this:
- Left a device signed in at a location you no longer have access to
- Shared a computer temporarily and forgot to sign out
- Suspect someone else has access to your account
- Changed password and want to enforce re-authentication
After signing out other devices:
- Check your email for any suspicious sign-in notifications
- Review audit log for unexpected activity (Settings → Audit Log)
- Consider changing your password if you suspect unauthorized access
Signing Out Everywhere
Force all devices (including your current one) to sign out. This is the most secure option when you suspect account compromise.
Steps:
- Go to Settings → Security → Active Sessions
- Click "Sign out everywhere" button (red/destructive style)
- Confirm action in popup dialog: "Sign out from all devices including this one? You will need to sign in again."
- Click "OK" to proceed
- You will be redirected to the login page
- Sign in again with your email and password
What happens:
- ALL active sessions are terminated immediately (including current device)
- You are redirected to the login page
- All other devices must sign in again
- The change takes effect on all devices within 60 seconds
When to use this:
- Suspect your account has been compromised
- Just changed password and want to force re-authentication everywhere
- Leaving your computer unattended in a public place and want to ensure secure logout
- Lost a device that was signed in
- Shared credentials temporarily and want to revoke access completely
Security best practice: Always use "Sign out everywhere" after changing your password if you suspect unauthorized access.
Enterprise Security Features
The following features are available on Enterprise plans only. Organizations on Free, Starter, or Professional plans will see an upgrade prompt when accessing these settings.
Single Sign-On (SSO)
Overview
Single Sign-On (SSO) enables your team to access SignalBreak using your organization's existing identity provider (IdP) instead of managing separate passwords. This provides centralized authentication, streamlined access management, and improved security through your organization's existing access controls.
Location: Settings → Enterprise Security → Single Sign-On (SSO)
Available on: Enterprise plan only
Supported providers:
- Okta
- Azure AD (Microsoft Entra ID)
- Google Workspace
- Custom SAML 2.0 provider
Benefits:
- Centralized user management (provision/deprovision from your IdP)
- No separate passwords to manage for SignalBreak
- Leverage your organization's MFA policies
- Automatic user deprovisioning when employees leave
- Single audit trail for authentication events
Configuring SSO
Prerequisites:
- Enterprise plan subscription
- Admin access to SignalBreak
- Admin access to your identity provider (Okta, Azure AD, Google Workspace, etc.)
- X.509 certificate from your identity provider
High-level steps:
- Configure SignalBreak as an application in your IdP
- Obtain SAML configuration details from your IdP:
- Entity ID (Issuer)
- SSO URL (SAML endpoint)
- X.509 signing certificate
- Enter configuration in SignalBreak
- Test SSO login
- Enable SSO for your organization
Step 1: Add SignalBreak to Your Identity Provider
The exact steps vary by provider. Below are general instructions:
Okta
- Sign in to Okta Admin Console
- Navigate to Applications → Applications
- Click "Create App Integration"
- Select "SAML 2.0"
- General Settings:
- App name: SignalBreak
- App logo: (optional) Upload SignalBreak logo
- SAML Settings:
- Single sign-on URL: https://signalbreak.com/api/auth/saml/callback
- Audience URI (SP Entity ID): https://signalbreak.com
- Name ID format: EmailAddress
- Application username: Email
- Attribute Statements (optional but recommended):
- email → user.email
- firstName → user.firstName
- lastName → user.lastName
- Click "Next" and complete setup
- Assign users or groups who should have access
- Navigate to "Sign On" tab and click "View SAML setup instructions"
- Save the following for Step 3:
- Identity Provider Issuer
- Identity Provider Single Sign-On URL
- X.509 Certificate
Azure AD (Microsoft Entra ID)
- Sign in to Azure Portal
- Navigate to Azure Active Directory → Enterprise applications
- Click "New application" → "Create your own application"
- Name: SignalBreak, select "Integrate any other application"
- Once created, go to "Single sign-on" → select "SAML"
- Basic SAML Configuration:
- Entity ID: https://signalbreak.com
- Reply URL: https://signalbreak.com/api/auth/saml/callback
- User Attributes & Claims:
- Ensure the email claim is mapped to user.mail
- SAML Signing Certificate section:
- Download "Certificate (Base64)"
- Set up SignalBreak section: save the following for Step 3:
- Login URL
- Azure AD Identifier
- Certificate (Base64) contents
- Assign users or groups
Google Workspace
- Sign in to Google Admin Console
- Navigate to Apps → Web and mobile apps
- Click "Add app" → "Add custom SAML app"
- App details:
- App name: SignalBreak
- Google Identity Provider details:
- Save the following for Step 3:
- SSO URL
- Entity ID
- Certificate (download)
- Service Provider Details:
- ACS URL: https://signalbreak.com/api/auth/saml/callback
- Entity ID: https://signalbreak.com
- Name ID format: EMAIL
- Name ID: Basic Information > Primary email
- Attribute mapping (optional):
- email → Primary email
- firstName → First name
- lastName → Last name
- Finish setup and assign to users/groups
Step 2: Obtain Configuration Details
From your identity provider's SAML setup page, collect:
| Field | Also Known As | Example |
|---|---|---|
| Entity ID | Issuer, IdP Entity ID, Azure AD Identifier | http://www.okta.com/exk1a2b3c4d5e6f7g8h9 |
| SSO URL | SAML 2.0 Endpoint, Login URL, Sign-on URL | https://yourorg.okta.com/app/signalbreak/exk.../sso/saml |
| X.509 Certificate | Signing certificate, SAML certificate | -----BEGIN CERTIFICATE-----MIIDpDCCAoygAwIBAgIGAY...-----END CERTIFICATE----- |
Certificate format: Must be in PEM format (Base64-encoded, wrapped in BEGIN CERTIFICATE / END CERTIFICATE tags). If your IdP provides a .cer or .crt file, open it in a text editor to copy the contents.
Step 3: Configure SSO in SignalBreak
Navigate to SSO settings:
- Go to Settings → Enterprise Security → Single Sign-On (SSO)
- (If not on Enterprise plan, you'll see an upgrade prompt)
Leave SSO disabled initially:
- Keep the "Enabled" toggle OFF during initial configuration
- This allows you to test without locking out password-based authentication
Select Identity Provider:
- Choose your provider from the dropdown:
- Okta
- Azure AD
- Google Workspace
- Custom SAML (for other SAML 2.0 providers)
Enter Entity ID:
- Paste the Entity ID / Issuer from your IdP
- Example:
http://www.okta.com/exk1a2b3c4d5e6f7g8h9
Enter SSO URL:
- Paste the SSO URL / SAML endpoint from your IdP
- Example:
https://yourorg.okta.com/app/signalbreak/exk.../sso/saml
Enter X.509 Certificate:
- Paste the complete certificate including headers:
-----BEGIN CERTIFICATE-----
MIIDpDCCAoygAwIBAgIGAY... (certificate content) ...zXJTlqPqK8Qw==
-----END CERTIFICATE-----
- Multi-line format is fine (paste as-is from text file)
Save configuration:
- Click "Save Configuration"
- Wait for confirmation: "SSO configuration saved"
- Certificate status will show: "✓ Certificate configured"
⚠️ Do not enable SSO yet! Proceed to Step 4 to test first.
Step 4: Test SSO Login
Before enabling SSO organization-wide, test with a single user to ensure configuration is correct.
Test procedure:
Open an incognito/private browser window (to avoid caching issues)
Navigate to the SignalBreak login page: https://signalbreak.com/login
Click the "Sign in with SSO" button
Enter your organization's email domain:
- Example: yourcompany.com
- SignalBreak will detect your SSO configuration and redirect
You should be redirected to your IdP's login page:
- Okta: yourorg.okta.com
- Azure AD: login.microsoftonline.com
- Google: accounts.google.com
Sign in with your IdP credentials:
- Use your work email and password (or SSO method your IdP requires)
- Complete any MFA prompts if required by your IdP
You should be redirected back to SignalBreak and signed in automatically
If SSO test fails:
- Check Entity ID and SSO URL are correct (no typos, trailing slashes, etc.)
- Verify certificate was pasted completely (including BEGIN and END lines)
- Ensure user is assigned to the SignalBreak app in your IdP
- Check your IdP's logs for error messages
- See Troubleshooting section below
If SSO test succeeds:
- Proceed to Step 5 to enable SSO organization-wide
Step 5: Enable SSO
Once testing is successful, enable SSO to require all users to sign in via your identity provider.
Steps:
- Go to Settings → Enterprise Security → Single Sign-On (SSO)
- Toggle the "Enabled" switch to ON
- Click "Save Configuration"
- Confirm in dialog: "Enable SSO for your organization? All users will be required to sign in via your identity provider. Existing sessions will remain active until they expire."
- Wait for confirmation: "SSO configuration saved"
What happens after enabling:
- New sign-ins must use SSO (password login is disabled for your organization)
- Existing active sessions remain valid (users are not kicked out)
- Users who try to sign in with email/password will see: "SSO is required for this organization"
- Login page will automatically redirect to SSO flow for users with your email domain
⚠️ Important: Before enabling SSO:
- Test thoroughly with multiple users
- Ensure all team members have accounts in your IdP
- Communicate the change to your team
- Have a backup admin account (see Security Best Practices below)
Disabling SSO
If you need to disable SSO (e.g., to troubleshoot or revert to password authentication):
- Go to Settings → Enterprise Security → Single Sign-On (SSO)
- Toggle the "Enabled" switch to OFF
- Click "Save Configuration"
- Password-based authentication is immediately re-enabled for all users
Note: SSO configuration (Entity ID, SSO URL, Certificate) is preserved even when disabled. You can re-enable at any time without re-entering details.
Updating SSO Configuration
If your identity provider's configuration changes (e.g., certificate rotation, SSO URL change):
Certificate rotation:
- Obtain new X.509 certificate from your IdP
- Go to Settings → Enterprise Security → Single Sign-On (SSO)
- Certificate section shows "✓ Certificate configured"
- Click "Replace" button next to certificate status
- Paste new certificate
- Click "Save Configuration"
⚠️ Important timing: Your IdP may support overlapping certificates during rotation. Check your IdP's documentation to determine the best time to update SignalBreak to avoid authentication failures.
Entity ID or SSO URL changes:
- Update the corresponding fields in SignalBreak SSO settings
- Click "Save Configuration"
- Test SSO login to verify changes
IP Allowlist
Overview
IP allowlisting restricts access to SignalBreak to specific IP addresses or network ranges. This is useful for organizations that want to enforce access only from corporate networks, VPNs, or specific locations.
Location: Settings → Enterprise Security → IP Allowlist
Available on: Enterprise plan only
Use cases:
- Restrict access to office networks only
- Require VPN connection for remote access
- Comply with data residency or network security policies
- Prevent unauthorized access from unknown locations
How it works:
- When IP allowlisting is configured (1+ entries), SignalBreak checks the user's IP address on every request
- If the IP matches an entry in the allowlist, access is granted
- If the IP does not match any entry, access is denied with "Access denied" error
⚠️ Warning: Be careful when configuring IP allowlisting. If you add an incorrect IP or forget to include your current IP, you may lock yourself out. Always test with a single IP first before locking down access.
Adding IP Addresses
Steps:
Navigate to IP allowlist settings:
- Go to Settings → Enterprise Security → IP Allowlist
Click "Add IP" button
Enter IP address or CIDR range:
- Single IP: 192.168.1.100
- CIDR range: 10.0.0.0/24 (matches 10.0.0.0 through 10.0.0.255)
- IPv6: 2001:db8::1 or 2001:db8::/32
Enter description (optional but recommended):
- Examples:
- "London office network"
- "Company VPN"
- "Cloud NAT gateway"
- "John's home office"
Click "Add IP"
Verify in table:
- New IP appears in the IP Allowlist table
- Shows IP address, description, and date added
CIDR notation examples:
| CIDR | IP Range | Description |
|---|---|---|
| 192.168.1.0/24 | 192.168.1.0 - 192.168.1.255 | 256 IPs (office subnet) |
| 10.0.0.0/16 | 10.0.0.0 - 10.0.255.255 | 65,536 IPs (corporate network) |
| 203.0.113.0/28 | 203.0.113.0 - 203.0.113.15 | 16 IPs (small branch office) |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 1,048,576 IPs (very large network) |
Finding your IP address:
- Visit https://whatismyipaddress.com or search "what is my IP" in Google
- Check your corporate network documentation for office IP ranges
- Contact your IT team if unsure
⚠️ Important: Always add your current IP address FIRST before adding others, to avoid locking yourself out.
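An added Python model of the allowlist evaluation described in this section (example code, not SignalBreak's own implementation; the function names are my own). It matches a client address against single-IP and CIDR entries for both IPv4 and IPv6, treats an empty list as "no restriction" as the page states, reproduces the address counts from the CIDR table, and adds the pre-save lockout guard the warning above calls for:

```python
"""IP allowlist evaluation: single IPs, CIDR ranges, IPv4 and IPv6.

Added example, not SignalBreak's code. Models the documented behaviour:
an empty allowlist allows everyone, a non-empty one denies any non-match.
"""
import ipaddress


def parse_allowlist(entries):
    """Turn allowlist strings into network objects.

    Returns (networks, bad_entries). A single IP becomes a /32 or /128.
    strict=False masks off host bits (192.168.1.5/24 -> 192.168.1.0/24)
    instead of rejecting the entry.
    """
    networks, bad_entries = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            bad_entries.append(entry)
    return networks, bad_entries


def ip_allowed(client_ip, entries):
    """True if client_ip matches any entry. No entries = allowlist disabled."""
    networks, bad_entries = parse_allowlist(entries)
    if bad_entries:
        raise ValueError("invalid allowlist entries: " + ", ".join(bad_entries))
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    # `in` is always False across IP versions, so an IPv4 client never
    # matches an IPv6-only allowlist (and vice versa).
    return any(addr in net for net in networks)


def cidr_size(cidr):
    """Number of addresses a CIDR covers, e.g. 10.0.0.0/16 -> 65536."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def would_lock_out(current_ip, entries):
    """True if saving `entries` would deny the administrator's own address."""
    return not ip_allowed(current_ip, entries)


def safe_to_add(current_ip, existing, new_entry):
    """Guard for the 'add your current IP first' rule: refuse an addition
    that switches the allowlist on without covering the admin's own IP."""
    return not would_lock_out(current_ip, list(existing) + [new_entry])
```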
Removing IP Addresses
To remove an IP address from the allowlist:
- Go to Settings → Enterprise Security → IP Allowlist
- Find the IP address in the table
- Click the trash icon (🗑️) in the rightmost column
- Confirm removal (IP is deleted immediately)
⚠️ Warning: If you remove the last IP address in the list, IP allowlisting is effectively disabled (all IPs are allowed). To enforce restriction, ensure at least one IP entry exists.
API Keys
Overview
API keys enable programmatic access to SignalBreak's API for automation, integrations, and custom tooling. Use API keys to query signals, retrieve reports, or integrate SignalBreak data into your existing workflows.
Location: Settings → API Keys
Available on: Enterprise plan only
Use cases:
- Automate signal retrieval in CI/CD pipelines
- Integrate SignalBreak data into internal dashboards
- Build custom alerts or notifications
- Sync governance data to data warehouses
Security: API keys grant full access equivalent to your user account. Treat them like passwords: store securely, rotate regularly, and revoke immediately if compromised.
Creating an API Key
Steps:
Navigate to API Keys settings:
- Go to Settings → API Keys
- (Enterprise plan required)
Click "Create API Key" button
Enter key details:
- Key name: Descriptive name (e.g., "CI/CD Pipeline", "Internal Dashboard", "Slack Integration")
- Expiration: (if supported) Set expiration date or leave as "Never expires"
Click "Create Key"
Copy API key immediately:
- Key is displayed ONCE in a dialog
- Format: sb_live_xxxxxxxxxxxxxxxxxxxx
- Click "Copy to clipboard" button
- Store securely (password manager, secrets vault, environment variable)
⚠️ Important: API keys are shown only once at creation. If you lose the key, you must delete it and create a new one.
Using API Keys
Include your API key in the Authorization header of HTTP requests:
```
Authorization: Bearer sb_live_xxxxxxxxxxxxxxxxxxxx
```
Example API request:
```bash
curl -X GET https://signalbreak.com/api/signals \
  -H "Authorization: Bearer sb_live_xxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json"
```
Example in Python:
```python
import requests

# Replace the placeholder with your key; in real code load it from an
# environment variable or secrets manager rather than hardcoding it.
headers = {
    "Authorization": "Bearer sb_live_xxxxxxxxxxxxxxxxxxxx",
    "Content-Type": "application/json"
}
response = requests.get("https://signalbreak.com/api/signals", headers=headers)
response.raise_for_status()  # raises on 401 Unauthorized (revoked or mistyped key)
print(response.json())
```
Example in Node.js:
```javascript
const fetch = require('node-fetch'); // Node 18+ also provides a global fetch

// Replace the placeholder with your key; load it from the environment in real code.
const headers = {
  'Authorization': 'Bearer sb_live_xxxxxxxxxxxxxxxxxxxx',
  'Content-Type': 'application/json'
};
fetch('https://signalbreak.com/api/signals', { headers })
  .then(res => {
    // A revoked or mistyped key returns 401 Unauthorized
    if (!res.ok) throw new Error(`Request failed: ${res.status}`);
    return res.json();
  })
  .then(data => console.log(data))
  .catch(err => console.error(err));
```
Revoking API Keys
To revoke an API key (e.g., if compromised or no longer needed):
- Go to Settings → API Keys
- Find the key in the table
- Click the trash icon (🗑️) or "Revoke" button
- Confirm revocation
What happens:
- API key is immediately invalidated (within 60 seconds)
- Any systems using this key will receive 401 Unauthorized errors
- Key cannot be restored (create a new key if needed)
Security Best Practices
1. Use Strong, Unique Passwords
Do:
- Use a password manager (1Password, Bitwarden, LastPass, etc.)
- Generate passwords with 12+ characters
- Use unique passwords for SignalBreak (never reuse)
- Enable password manager browser extension for auto-fill
Don't:
- Reuse passwords from other services
- Use personal information (names, birthdays, etc.)
- Share passwords with team members (use proper user accounts instead)
- Write passwords on sticky notes or unencrypted files
2. Enable Multi-Factor Authentication (MFA)
Current status: MFA is managed via your identity provider if using SSO. Native MFA support in SignalBreak is planned for Q2 2026.
If using SSO:
- Enable MFA in your identity provider (Okta, Azure AD, Google Workspace)
- MFA will automatically apply to SignalBreak sign-ins
If using password authentication:
- Use a strong, unique password until native MFA is available
- Monitor active sessions regularly
- Sign out other devices if you suspect unauthorized access
3. Monitor Active Sessions
Regular checks:
- Review active sessions weekly in Settings → Security → Active Sessions
- Sign out other devices if you see unexpected activity
- Check audit log (Settings → Audit Log) for unusual sign-in patterns
Red flags:
- Sign-ins from locations you haven't visited
- Sign-ins at unusual times (e.g., 3 AM when you're asleep)
- Multiple concurrent sessions when you only use one device
Response:
- Immediately click "Sign out everywhere"
- Change your password
- Review audit log for unauthorized activity
- Contact support@signalbreak.com if you suspect account compromise
4. Use SSO for Centralized Control (Enterprise)
Benefits of SSO:
- Centralized user provisioning/deprovisioning
- Leverage your organization's existing MFA policies
- Automatic access revocation when employees leave
- Single audit trail for all authentication events
Implementation checklist:
- Test SSO with a small group before organization-wide rollout
- Ensure all team members have accounts in your IdP
- Document SSO configuration details for IT team
- Maintain a backup admin account for emergency access
Backup admin account: Create one password-based admin account before enabling SSO organization-wide. Store credentials in a secure location (password manager, secrets vault) for emergency access if SSO fails.
5. IP Allowlisting for Network-Level Security (Enterprise)
When to use IP allowlisting:
- You have a fixed office IP or VPN
- Compliance requires network-level access controls
- You want defense-in-depth (authentication + network restriction)
When NOT to use IP allowlisting:
- Team members work from many locations (cafes, homes, travel)
- You use dynamic IPs that change frequently
- You need flexibility for emergency access
Best practice: Start with a broad CIDR range (e.g., /24 subnet) and narrow down over time as you understand access patterns.
6. Secure API Key Management (Enterprise)
Storage:
- Store API keys in environment variables (never hardcode in source code)
- Use secrets management systems (AWS Secrets Manager, HashiCorp Vault, etc.)
- Avoid committing keys to Git repositories (use .gitignore)
Rotation:
- Rotate API keys every 90 days
- Rotate immediately if a key is suspected to be compromised
- Rotate keys when team members with access leave the organization
Monitoring:
- Review API key usage in audit log
- Set up alerts for unusual API activity (high request volume, errors)
- Revoke unused keys promptly
Least privilege:
- Create separate API keys for different use cases
- Name keys clearly to track usage (e.g., "CI/CD Pipeline", "Internal Dashboard")
- Revoke keys when the integration is no longer needed
7. Regular Security Audits
Monthly checklist:
- [ ] Review active sessions and sign out unused devices
- [ ] Check audit log for suspicious activity
- [ ] Verify team members list is up to date (remove former employees)
- [ ] Review API keys and revoke unused ones (if applicable)
Quarterly checklist:
- [ ] Rotate API keys (if applicable)
- [ ] Review IP allowlist and update if office/VPN IPs changed
- [ ] Test SSO configuration (if applicable)
- [ ] Review password policy compliance across team
Annual checklist:
- [ ] Full security policy review
- [ ] Update incident response procedures
- [ ] Security awareness training for team
- [ ] Review and update access controls
Troubleshooting
Problem: Cannot Change Password
Symptoms:
- "Change Password" button disabled or grayed out
- Error: "Current password is incorrect"
- Error: "New password does not meet requirements"
Diagnosis:
Verify current password:
- Double-check current password (ensure Caps Lock is off)
- Try toggling password visibility to verify what you typed
Check password requirements:
- Review password strength indicator
- Ensure all 5 requirements have green checkmarks
- Common mistakes:
- Forgetting a number
- Forgetting a special character
- Using only lowercase or only uppercase
Check confirmation match:
- Ensure "Confirm New Password" exactly matches "New Password"
- Even one extra space will cause mismatch error
Solutions:
| Cause | Solution |
|---|---|
| Wrong current password | Reset password via "Forgot password" link on login page |
| Password too weak | Add missing characters until all requirements are met |
| Confirmation mismatch | Re-type confirmation password carefully |
| Session expired | Refresh page and sign in again |
Problem: SSO Configuration Not Working
Symptoms:
- Error: "SAML validation failed"
- Redirected to IdP but then error on return to SignalBreak
- Infinite redirect loop between SignalBreak and IdP
Diagnosis:
Check Entity ID and SSO URL:
- Verify no typos, extra spaces, or trailing slashes
- Ensure URLs use https:// (not http://)
Verify certificate:
- Ensure complete certificate was pasted (including BEGIN CERTIFICATE and END CERTIFICATE lines)
- Check for stray line breaks or characters in the middle of the certificate (a continuous Base64 string and the standard multi-line PEM wrapping are both accepted)
- Verify certificate hasn't expired (check with your IdP)
Check user assignment in IdP:
- Ensure test user is assigned to the SignalBreak app in your IdP
- Check user's email matches their SignalBreak account email
Review IdP logs:
- Most IdPs provide logs for SAML authentication attempts
- Look for errors like "Invalid audience", "Signature verification failed", etc.
Common errors:
| Error | Cause | Solution |
|---|---|---|
| "Invalid audience" | Entity ID mismatch | Verify Entity ID in SignalBreak matches what you configured in IdP |
| "Signature verification failed" | Wrong certificate or corrupted paste | Re-copy certificate from IdP, ensure no extra characters |
| "User not assigned" | User not assigned to app in IdP | Assign user or group to SignalBreak app |
| "SAML response expired" | Clock skew between SignalBreak and IdP | Contact support (usually resolved automatically) |
Still not working? Contact support@signalbreak.com with:
- IdP provider name (Okta, Azure AD, Google Workspace, etc.)
- Screenshot of your SSO configuration in SignalBreak (redact sensitive details)
- Error message or screenshot of error page
- IdP logs if available
Problem: Locked Out After Enabling IP Allowlist
Symptoms:
- Cannot access SignalBreak after adding IP allowlist entries
- Error: "Access denied: IP address not allowed"
- Stuck at login page
Diagnosis:
Check your current IP address:
- Visit https://whatismyipaddress.com
- Compare to IP addresses in your allowlist
- Your current IP may have changed (dynamic IP, different network)
Verify IP allowlist configuration:
- If you can access SignalBreak from another location (office, VPN), check allowlist
- Look for typos in IP addresses or CIDR ranges
Solutions:
| Scenario | Solution |
|---|---|
| Current IP not in allowlist | Access SignalBreak from an allowed IP (office, VPN) and add your current IP |
| Typo in allowlist entry | Access from allowed IP and fix the typo |
| Completely locked out | Contact support@signalbreak.com from email associated with your account. Support can temporarily disable IP allowlisting. |
Prevention:
- Always test with a single IP first before adding production allowlist
- Keep VPN access as a backup allowed IP
- Maintain emergency access from a known location (office, data center)
Problem: API Key Not Working
Symptoms:
- Error: 401 Unauthorized
- Error: Invalid API key
- API requests fail with authentication errors
Diagnosis:
Verify API key format:
- Should start with sb_live_ (live keys) or sb_test_ (test keys)
- Check for extra spaces or line breaks when copying
- Ensure you're using the full key (keys are typically 32-40 characters after prefix)
Check Authorization header:
- Format must be: Authorization: Bearer sb_live_...
- Ensure "Bearer" keyword is included
- Check for typos in header name ("Authorization" not "Authorisation")
Verify key hasn't been revoked:
- Go to Settings → API Keys
- Check if the key still appears in the table
- If missing, it was deleted/revoked - create a new key
Test with curl:
```bash
curl -v -X GET https://signalbreak.com/api/signals \
  -H "Authorization: Bearer YOUR_API_KEY_HERE"
```
- Check response for specific error messages
Solutions:
| Cause | Solution |
|---|---|
| Typo in API key | Copy key again from secure storage, paste carefully |
| Wrong header format | Use Authorization: Bearer KEY format |
| Key revoked | Create new API key in Settings → API Keys |
| IP restriction (if enabled) | Check that request originates from allowed IP |
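An added Python pre-check for the key-format and header mistakes listed in this problem's diagnosis (example code written for this page, not a SignalBreak tool; the function names are my own, and the key body is assumed to be alphanumeric because the page specifies only the prefix and the 32-40 character length). Running it against the exact header a failing integration sends usually pinpoints the cause before a support ticket is needed:

```python
"""Diagnose a failing API key / Authorization header locally.

Added example, not SignalBreak's code. Prefixes and body length come from
the page; the alphanumeric key alphabet is an assumption.
"""
import re

KEY_PREFIXES = ("sb_live_", "sb_test_")
KEY_BODY = re.compile(r"^[A-Za-z0-9]{32,40}$")  # assumption: alphanumeric body


def diagnose_api_key(key):
    """Return a list of problems with the bare key string (empty = looks valid)."""
    problems = []
    # Copy/paste mistakes: trailing newline from a file, surrounding spaces.
    if key != key.strip() or "\n" in key or "\r" in key:
        problems.append("key contains surrounding whitespace or a line break")
    key = key.strip()
    prefix = next((p for p in KEY_PREFIXES if key.startswith(p)), None)
    if prefix is None:
        problems.append("key does not start with sb_live_ or sb_test_")
        return problems
    body = key[len(prefix):]
    if len(body) < 32:
        problems.append("key body is shorter than expected; the key may be truncated")
    elif not KEY_BODY.match(body):
        problems.append("key body contains unexpected characters or is too long")
    return problems


def diagnose_headers(headers):
    """Check a dict of request headers for the mistakes the page lists."""
    problems = []
    # Header names are case-insensitive, but the spelling must be 'Authorization'.
    names = {name.lower(): value for name, value in headers.items()}
    if "authorisation" in names:
        problems.append('header is spelled "Authorisation"; must be "Authorization"')
    value = names.get("authorization")
    if value is None:
        if not problems:
            problems.append("Authorization header is missing")
        return problems
    parts = value.split(None, 1)
    # The scheme keyword is case-insensitive in HTTP, but it must be present.
    if len(parts) != 2 or parts[0].lower() != "bearer":
        problems.append('header value must be "Bearer <key>"')
        key = parts[-1] if parts else ""
    else:
        key = parts[1]
    problems.extend(diagnose_api_key(key))
    return problems
```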
Problem: Cannot Sign Out Other Devices
Symptoms:
- "Sign out other devices" button does nothing
- Error after clicking button
- Other sessions remain active after sign-out attempt
Diagnosis:
Check browser console:
- Open browser developer tools (F12)
- Click "Sign out other devices"
- Look for error messages in console
Verify you're signed in:
- Session may have expired
- Try refreshing the page
Check network connectivity:
- Ensure stable internet connection
- Try again in a few minutes
Solutions:
| Cause | Solution |
|---|---|
| Network error | Check internet connection, try again |
| Session expired | Refresh page and sign in again |
| Browser cache | Clear browser cache, hard refresh (Ctrl+Shift+R) |
| Server issue | Wait 5-10 minutes and try again, contact support if persists |
Frequently Asked Questions
Can I use password authentication if SSO is enabled?
No. Once SSO is enabled for your organization, password-based authentication is disabled. All users must sign in via your identity provider.
Exception: If you created a backup admin account before enabling SSO, that specific account can still use password authentication for emergency access.
Why? Enforcing SSO ensures centralized access control and prevents security gaps from users bypassing your organization's MFA and access policies.
What happens to existing sessions when I change my password?
Existing sessions remain active. Changing your password does NOT automatically sign you out from other devices.
If you want to force re-authentication:
- Change your password
- Immediately click "Sign out other devices" or "Sign out everywhere"
- This ensures other devices must sign in again with the new password
Recommendation: Always use "Sign out everywhere" after changing your password if you suspect your account was compromised.
How long do sessions last?
Default session duration: 7 days of inactivity
Activity resets the timer:
- Viewing pages in SignalBreak
- Making configuration changes
- Running reports
- Any API requests (if using API keys)
After 7 days of inactivity:
- Session expires automatically
- User must sign in again
- No data is lost (session state only)
Session duration cannot be customized (applies to all users and plans).
Can I customize password requirements?
No. Password requirements are standardized across all SignalBreak accounts:
- Minimum 8 characters
- Lowercase letter
- Uppercase letter
- Number
- Special character
Rationale: These requirements follow industry best practices (NIST SP 800-63B) and balance security with usability.
If you need stricter password policies: Use SSO (Enterprise plan) and enforce policies in your identity provider (Okta, Azure AD, etc.).
Does SignalBreak support SCIM for user provisioning?
Not yet. SCIM (System for Cross-domain Identity Management) for automated user provisioning is on the product roadmap for Q2 2026.
Current user provisioning:
- SSO enabled: Users are created automatically on first SSO sign-in (Just-In-Time provisioning)
- SSO disabled: Admins must invite users via Settings → Team → Invite Member
When SCIM is available (planned):
- Automatic user creation when added to group in IdP
- Automatic user deactivation when removed from group
- Attribute syncing (name, email, role)
Request early access to SCIM →
Can I enforce MFA for password authentication?
Not currently. Native MFA support in SignalBreak is planned for Q2 2026.
Current options:
- Use SSO (Enterprise): Leverage your identity provider's MFA policies (recommended)
- Strong passwords: Enforce strong, unique passwords until native MFA is available
- Session monitoring: Regularly review active sessions for suspicious activity
When native MFA launches (planned):
- Time-based one-time passwords (TOTP) via authenticator apps
- SMS-based codes (less secure, but available)
- Backup codes for account recovery
Request early access to native MFA →
What IP address formats are supported in IP allowlist?
Supported formats:
- IPv4 single IP: `192.168.1.100`
- IPv4 CIDR range: `10.0.0.0/24`, `172.16.0.0/16`
- IPv6 single IP: `2001:db8::1`
- IPv6 CIDR range: `2001:db8::/32`
NOT supported:
- Hostname or domain name (e.g., `office.example.com`)
- IP ranges without CIDR notation (e.g., `192.168.1.1-192.168.1.255`)
- Wildcards (e.g., `192.168.1.*`)
To use a hostname: Resolve it to an IP address first:
```bash
nslookup office.example.com
# or
dig +short office.example.com
```
Then add the resolved IP to the allowlist. The allowlist stores the address, not the name, so it will not follow later DNS changes; re-check the entry whenever the host's address changes.
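The following Python checker is an added example, not SignalBreak code: it sorts proposed allowlist entries into the supported and unsupported forms listed above using the standard library `ipaddress` module, and confirms that the address you are currently connecting from still matches before the list is saved (the lockout case from the troubleshooting section). The entry list, the client address and the strict CIDR rule are constructed or assumed, not taken from the product.

```python
from __future__ import annotations

import ipaddress
import re

# Constructed sample allowlist (not from the page): supported entries first,
# then each unsupported form the FAQ lists.
SAMPLE_ENTRIES = [
    "192.168.1.100", "10.0.0.0/24", "2001:db8::1", "2001:db8::/32",
    "office.example.com", "192.168.1.1-192.168.1.255", "192.168.1.*",
]
RANGE_FORM = re.compile(r"[\d.]+-[\d.]+")  # dash-separated IPv4 range, not CIDR


def classify_entry(entry: str):
    """Return (kind, network): kind is 'single', 'cidr' or an 'unsupported: ...' reason."""
    entry = entry.strip()
    try:
        # strict=True: a CIDR entry must have its host bits clear (assumed, not documented)
        net = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        if RANGE_FORM.fullmatch(entry):
            return "unsupported: IP range without CIDR notation", None
        if "*" in entry:
            return "unsupported: wildcard", None
        return "unsupported: hostname or malformed address (resolve names to an IP first)", None
    return ("single" if net.num_addresses == 1 else "cidr"), net


def check_allowlist(entries: list[str], current_client_ip: str) -> dict:
    """Validate every entry and confirm the editing session's own IP stays allowed."""
    accepted, rejected = [], []
    for entry in entries:
        kind, net = classify_entry(entry)
        if net is None:
            rejected.append((entry, kind))
        else:
            accepted.append(net)
    client = ipaddress.ip_address(current_client_ip)
    # Membership is False across IP versions, so IPv6 entries never match an IPv4 client.
    self_allowed = any(client in net for net in accepted)
    return {"accepted": accepted, "rejected": rejected, "self_allowed": self_allowed}


if __name__ == "__main__":
    report = check_allowlist(SAMPLE_ENTRIES, "10.0.0.42")  # constructed client address
    for entry, reason in report["rejected"]:
        print(f"rejected {entry!r}: {reason}")
    if not report["self_allowed"]:
        print("WARNING: your current IP is not in the list; saving would lock you out")
```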
Can API keys be scoped to specific permissions?
Not currently. API keys grant full access equivalent to the user account that created them.
Current behavior:
- API key has same permissions as your user account (Admin, Member, or Viewer)
- All API endpoints accessible to your role are accessible via the key
Planned (Q3 2026):
- Read-only API keys (query data only, no modifications)
- Endpoint-specific scoping (e.g., "signals only", "reports only")
- Rate limit controls per key
Workaround until scoped keys are available:
- Create a dedicated "API-only" user account with Member or Viewer role
- Generate API key from that account
- This limits key's permissions to the account's role
Related Features
Team Management
Control who has access to security settings:
Audit Log
All security-related actions are logged:
- Audit Log (coming soon)
- Security Event Tracking (coming soon)
Compliance
Security features support compliance requirements:
Support
Need help with security settings? We're here to assist:
Documentation:
- Team Management
- Audit Log (coming soon)
- Enterprise Features (coming soon)
Contact Support:
- 📧 Email: support@signalbreak.com
- 💬 Live chat: Available in-app (bottom right corner)
- 📚 Knowledge base: https://signalbreak.com/docs
Security Issues:
- 🔒 Report security vulnerabilities: security@signalbreak.com
- Bug bounty program: https://signalbreak.com/security/bug-bounty
Enterprise Support:
- Dedicated Slack channel
- Priority support SLA (response within 4 business hours)
- SSO configuration assistance
- Custom security requirements consultation
Last updated: 2026-01-26