Authentication & Single Sign-On
Everything you need to know about Authentication & Single Sign-On in Acorn PLMS.
Active Directory & LDAP Integration
Acorn PLMS provides seamless integration with your organisation's directory services, enabling automated user provisioning and intelligent access management. By connecting to Active Directory and Azure Active Directory, you can centralise identity management and reduce manual administrative tasks.
Overview
Directory service integration in Acorn PLMS allows your organisation to manage user access based on existing credentials and group memberships. This approach eliminates the need to manually create and maintain separate user accounts within the learning platform, ensuring consistency across your IT infrastructure and improving security posture.
Supported Directory Services
Acorn PLMS supports integration with the following directory services:
- Active Directory (AD): Traditional on-premises directory service for managing users and groups
- Azure Active Directory (Azure AD): Microsoft's cloud-based identity and access management solution
Both services enable you to leverage existing user data and group hierarchies to automatically provision users and assign appropriate access levels.
Automated User Provisioning
HRIS Feed Integration
Acorn PLMS integrates with your Human Resources Information System (HRIS) through an Active Directory feed mechanism. This automated data feed manages the complete user lifecycle:
- New Users: Automatically created when employees are added to your HR system
- Active Users: Continuously synchronised to reflect current employment status
- Deactivated Users: Automatically disabled when employees leave or change roles
This approach ensures that your learning platform always reflects your current workforce, without requiring manual intervention from IT administrators. Users are provisioned with appropriate permissions based on their HR data and directory group assignments.
Additional Integration Options
Beyond standard HRIS feeds, Acorn PLMS offers additional integration options to meet your organisation's specific requirements. These flexible approaches allow you to choose the integration method that best aligns with your existing systems and workflows.
Single Sign-On (SSO) and Authentication
Azure Active Directory SSO
When configured with Azure AD, Acorn PLMS enables Single Sign-On using your organisation's existing credentials. Users can access the platform seamlessly without requiring separate usernames or passwords, improving both user experience and security.
SSO with Azure AD provides:
- Seamless Access: Users authenticate once using their Azure AD credentials and gain immediate access to Acorn PLMS
- Enhanced Security: Leverages your organisation's existing authentication policies and multi-factor authentication (MFA) settings
- Reduced Password Fatigue: Eliminates the need for users to remember additional credentials
Active Directory Support
Acorn PLMS is Active Directory aware and supports authentication through traditional on-premises Active Directory deployments. User authentication is aligned with your organisation's directory structure, enabling consistent identity verification across all enterprise systems.
Group-Based Access and Role Provisioning
Acorn PLMS leverages your directory service groups to automatically manage user access and permissions. Role and group-based provisioning can be configured to:
- Assign Roles Automatically: Users receive appropriate platform roles based on their directory group membership
- Control Access Levels: Different groups can be granted different access permissions within Acorn PLMS
- Manage Permissions Dynamically: Access permissions update automatically when users are added to or removed from directory groups
This group-based approach eliminates manual permission management and ensures that access rights remain aligned with organisational structure changes.
Benefits for Your Organisation
Reduced Administrative Overhead
By automating user provisioning and access management through directory services, your IT team can focus on strategic initiatives rather than routine account management. Changes made in your HR system or directory service automatically propagate to Acorn PLMS, eliminating the need for manual account creation and modification.
Improved Security
Integration with directory services strengthens your security posture by:
- Centralising identity management under your existing security policies
- Ensuring immediate deactivation of users when they leave your organisation
- Leveraging existing authentication standards and MFA configurations
- Maintaining consistent access controls across all systems
Enhanced User Experience
SSO eliminates login friction, allowing users to access Acorn PLMS immediately using credentials they already use daily. This seamless experience reduces support requests and improves platform adoption.
Scalability
Automated provisioning scales efficiently as your organisation grows. Whether you're adding dozens or thousands of users, the integration handles provisioning without additional manual effort.
Implementation Considerations
While Acorn PLMS provides robust directory service integration capabilities, specific implementation details and configuration options are being finalised. We recommend contacting your Acorn PLMS account manager or support team to discuss your organisation's specific integration requirements and to understand the current implementation roadmap.
When planning your integration, consider:
- Your current directory service architecture (on-premises, cloud-based, or hybrid)
- Your HRIS system capabilities and data formats
- Your authentication policy requirements
- Your organisational structure and group hierarchy
- Your timeline for implementation
Next Steps
To enable Active Directory or Azure AD integration for your Acorn PLMS instance, contact your system administrator or Acorn PLMS support team. They can assist with planning your integration, configuring directory service connections, and establishing user provisioning workflows that align with your organisational processes.
Multi-Factor Authentication (MFA) in Acorn PLMS
Overview
Multi-Factor Authentication (MFA) is a critical security requirement in Acorn PLMS designed to protect your organisation's data and systems from unauthorised access. MFA requires users to provide multiple forms of verification before gaining access to the platform, significantly strengthening your security posture regardless of whether users are accessing Acorn from your office or remotely.
MFA Requirements
Remote Access Requirements
Your organisation must implement MFA for all employees accessing Acorn PLMS outside the office network. This dual-factor authentication requirement applies universally—both internally within your network and externally—ensuring consistent protection across all access scenarios. Whether your team members work from home, travel, or access the system from any location outside your primary office, MFA is mandatory and enforced as part of Acorn's secure access policies.
Administrative Account Protection
MFA is mandatory for all administrative accounts in Acorn PLMS. This elevated requirement reflects the sensitive nature of administrative privileges and the potential impact of unauthorised administrative access. By enforcing MFA on administrator accounts, your organisation significantly reduces the risk of security breaches and maintains strong access control over system configuration, user management, and data governance functions.
Administrative accounts managed through AWS Identity and Access Management (IAM) with MFA enabled provide an additional layer of protection that prevents unauthorised use of elevated privileges, even if an account credential is compromised.
How MFA Works in Acorn PLMS
Implementation Methods
Acorn PLMS supports MFA through flexible implementation approaches tailored to your organisation's infrastructure:
Single Sign-On (SSO) Integration: MFA can be facilitated through an SSO integration where the Identity Provider (IDP) handles multi-factor authentication. In this model, your IDP performs MFA verification before granting access to Acorn PLMS. This approach centralises authentication management and allows your organisation to maintain consistent MFA policies across multiple applications and systems.
Direct Configuration: Acorn administrators can configure MFA directly within the platform for administrative accounts and user access, providing control over authentication requirements without requiring additional third-party integration.
Security Benefits
When implemented correctly, MFA strengthens the overall security state of your system. By requiring multiple verification factors—typically a password combined with a secondary authentication method—MFA significantly reduces the likelihood of successful unauthorised access attempts. This is particularly important for cloud environments and administrative roles where the potential impact of a security breach is greatest.
Administrative Password Controls
Beyond MFA requirements, Acorn PLMS provides administrators with password control capabilities to prevent unauthorised use. These controls work in conjunction with MFA to create a comprehensive access security strategy. Your administrators can configure MFA settings for all admin accounts, ensuring that password credentials alone are insufficient for account access.
Best Practices for MFA Implementation
When deploying MFA in your Acorn PLMS environment, consider these best practices:
Enforce MFA for All Administrative Users: Ensure that every user with administrative privileges has MFA enabled. This protects your system configuration, user management functions, and data governance from unauthorised changes.
Require MFA for Remote Access: Mandate MFA for all users accessing Acorn PLMS from outside your office network. This is especially critical for organisations with distributed teams or remote work policies.
Integrate with Your IDP: If your organisation uses a centralised identity provider, configure SSO integration with MFA at the IDP level. This simplifies user experience while maintaining strong security controls.
Regularly Review Access Policies: Periodically audit your MFA policies to ensure they remain aligned with your organisation's security requirements and user access patterns.
Educate Your Users: Ensure all users understand why MFA is required and how to use secondary authentication methods effectively. Clear communication reduces friction and improves adoption.
Compliance and Security Standards
MFA implementation in Acorn PLMS aligns with widely recognised security standards and best practices for cloud administration and data protection. The requirement for MFA on administrative accounts specifically addresses security compliance frameworks that mandate strong authentication for elevated privileges.
By enforcing MFA across your Acorn PLMS deployment, your organisation demonstrates commitment to security best practices and protects against common attack vectors such as credential compromise and unauthorised access attempts.
Getting Support
If you need assistance configuring MFA for your Acorn PLMS environment, contacting your system administrator or Acorn support team will help ensure proper implementation aligned with your organisation's security policies.
Password Policies
Password security is fundamental to protecting your organisation's data and user accounts in Acorn PLMS. Acorn enforces a robust system password policy designed to meet institutional security standards while remaining practical for end users.
Minimum Password Length Requirements
All passwords in Acorn PLMS must be at least 10 characters long. This minimum length requirement helps prevent brute-force attacks and ensures passwords meet modern security standards. When users create or reset their passwords, the system will reject any password shorter than 10 characters and prompt them to select a longer one.
Password Complexity Requirements
Beyond minimum length, Acorn enforces strict complexity requirements to ensure passwords are sufficiently robust. Your users' passwords must include:
- At least 1 digit (0–9)
- At least 1 lowercase letter (a–z)
- At least 1 uppercase letter (A–Z)
- At least 1 non-alphanumeric character, such as *, -, or #
These complexity rules work together to create passwords that resist common attack vectors. When users attempt to set a password that does not meet these criteria, the system provides clear feedback about which requirements are missing, helping them create compliant passwords efficiently.
Password History and Reuse Prevention
Acorn PLMS prevents users from reusing recent passwords by maintaining a password history. Specifically, users cannot set a new password that matches any of their prior 20 passwords. This policy protects against credential compromise by ensuring that even if a previous password was exposed, users cannot simply revert to it.
Password Expiration and Forced Changes
When a password is reset or newly issued by an administrator, users are required to change that password immediately upon their first login—unless your organisation has specified otherwise in its configuration. This forced change requirement ensures that only the user knows their active password, even after administrative password resets.
Administrators retain the ability to force password changes across user accounts when needed to enforce security updates or respond to security incidents. This capability helps your organisation maintain control over account security without requiring manual contact with each user.
Account Lockout and Suspension Thresholds
Acorn PLMS protects against unauthorised access attempts by automatically suspending accounts after repeated failed login attempts. Specifically:
- Accounts are locked after 5 failed password attempts
- The lockout period lasts for one hour
- After the lockout period expires, users may attempt to log in again
If a user's account becomes suspended due to repeated failed attempts, administrator approval is required to restore access before the one-hour lockout period expires. This threshold balances security with user experience, allowing occasional mistakes while preventing systematic attack attempts.
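The password rules above (minimum length, complexity, the 20-password history, and the 5-attempt, one-hour lockout with administrator unlock) as an added Python example that is not Acorn's own code. The PBKDF2 hashing parameters and the sample passwords are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Policy values as stated in the Acorn PLMS documentation above.
MIN_LENGTH = 10
HISTORY_DEPTH = 20            # a new password must not match the prior 20
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 60 * 60     # one hour

# Hashing parameters are an assumption for this example; the point is that the
# history stores salted hashes, never the plaintext passwords themselves.
PBKDF2_ITERATIONS = 100_000

COMPLEXITY_RULES = [
    ("at least 1 digit (0-9)", re.compile(r"[0-9]")),
    ("at least 1 lowercase letter (a-z)", re.compile(r"[a-z]")),
    ("at least 1 uppercase letter (A-Z)", re.compile(r"[A-Z]")),
    ("at least 1 non-alphanumeric character", re.compile(r"[^0-9A-Za-z]")),
]


def complexity_failures(password: str) -> list[str]:
    """Return every requirement the candidate password fails, for user feedback."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    for label, pattern in COMPLEXITY_RULES:
        if not pattern.search(password):
            failures.append(label)
    return failures


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, entry: tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of the candidate against a stored (salt, digest)."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, initial_password: str) -> None:
        self.history: list[tuple[bytes, bytes]] = []  # oldest first; last entry is current
        self.failed_attempts = 0
        self.locked_until: float | None = None        # epoch seconds, None when not locked
        self._store(initial_password)

    def _store(self, password: str) -> None:
        self.history.append(hash_password(password))
        # keep the current password plus the HISTORY_DEPTH before it
        self.history = self.history[-(HISTORY_DEPTH + 1):]

    def change_password(self, new_password: str) -> list[str]:
        """Apply the new password if compliant; otherwise return what is missing."""
        failures = complexity_failures(new_password)
        if any(verify(new_password, entry) for entry in self.history):
            failures.append(f"must not match any of your prior {HISTORY_DEPTH} passwords")
        if not failures:
            self._store(new_password)
        return failures

    def login(self, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is epoch seconds."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"          # even the correct password is refused during lockout
            self.locked_until = None     # lockout period has expired
            self.failed_attempts = 0
        if verify(password, self.history[-1]):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"

    def admin_unlock(self) -> None:
        """Administrator approval restores access before the hour has elapsed."""
        self.locked_until = None
        self.failed_attempts = 0
```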
Credential Encryption
All passwords and credentials in Acorn PLMS are encrypted to protect them from unauthorised access. Acorn does not use hard-coded passwords in systems or products, following industry best practices for secure credential management. Acorn employees in Customer Service and Development access necessary systems through a centralised password vault managed by a dedicated password manager, ensuring that credentials remain protected even within the organisation.
Inactivity and Account Suspension
In addition to failed login attempts, Acorn PLMS can automatically suspend user accounts due to extended inactivity. Administrators have the option to prevent automatic suspension of specific users with inactivity thresholds set at 30 days. This flexibility allows your organisation to maintain security policies while accommodating users who may have legitimate reasons for extended absences.
Password Reset Procedures
Password reset procedures in Acorn PLMS are designed to balance security with accessibility. When users request a password reset, they typically receive a reset notification at their registered email address. However, your organisation may have users without email addresses on file.
For users without email access, Acorn supports an alternative reset workflow: the reset notification is routed to a designated organisational or administrator contact email instead. A shared or assigned contact email can be associated with one or more learner accounts, allowing your local administrators or partner contacts to coordinate password resets on behalf of those users.
Your organisation can display guidance on the login screen instructing users without email access to contact their local administrator or designated partner contact for password assistance. This approach reduces support burden while ensuring that all users can regain access to their accounts when needed.
Administrators can also directly reset passwords for users when required, providing another layer of flexibility for account management and recovery scenarios.
Best Practices for Your Organisation
When implementing Acorn PLMS password policies, consider these best practices:
- Communicate requirements clearly: Ensure users understand the complexity requirements (uppercase, lowercase, digits, and special characters) before their first login.
- Plan for users without email: Identify designated administrator or partner contacts who will handle password resets for users without email addresses, and communicate this process to those users.
- Monitor lockouts: Review account lockout incidents to identify potential security threats or support issues.
- Balance security and usability: While Acorn's policies are security-focused, work with your team to ensure users can create compliant passwords without excessive frustration.
- Document your procedures: Maintain clear internal documentation about who handles password resets, how administrators force password changes, and escalation procedures for account access issues.
Acorn PLMS password policies are designed to meet institutional security standards while remaining practical for organisations of varying sizes and structures. If you have questions about configuring these policies for your specific use case, contact your system administrator or Acorn support.
SSO Protocols & Identity Providers
Overview
Single Sign-On (SSO) enables your users to authenticate once and access Acorn PLMS using their existing organizational credentials. Rather than managing separate credentials within the learning platform, SSO delegates authentication to your identity provider, enhancing security, reducing password fatigue, and streamlining user access management.
Acorn PLMS fully supports SSO functionality and can integrate with your organization's existing authentication infrastructure. The Acorn technical team takes the lead in implementation, managing setup, testing, and deployment—even for organizations without dedicated technical staff—ensuring a smooth and low-effort rollout.
Supported SSO Protocols
SAML 2.0
SAML 2.0 is the primary protocol Acorn uses for federated identity management. Through SAML, your organization's identity provider handles authentication while Acorn acts as the service provider. This protocol supports both SP-initiated flows (user navigates to Acorn and is redirected to log in) and IdP-initiated flows (user logs in through your identity provider's portal and is redirected to Acorn).
When using SAML 2.0, Acorn does not store user passwords for federated accounts. Instead, authentication is delegated entirely to your identity provider, which maintains responsibility for multi-factor authentication (MFA) and credential policies.
OAuth
OAuth provides an alternative authentication method for organizations using OAuth-compliant identity providers. Like SAML, OAuth allows users to leverage existing credentials without requiring separate Acorn-specific passwords.
Supported Identity Providers
Azure Active Directory (Azure AD)
Acorn supports seamless integration with Microsoft Azure AD, allowing users within your Azure tenant to authenticate directly through their organizational Azure credentials. This integration is particularly valuable for organizations already invested in the Microsoft ecosystem.
Okta
Okta integration enables your organization to manage Acorn access through Okta's identity governance platform. Each Acorn tenant can be configured with its own individual Okta registration protocol, providing flexibility for multi-tenant deployments.
Other SAML-Compliant Providers
Beyond Azure AD and Okta, Acorn supports authentication through any SAML 2.0-compliant identity provider. This includes services such as Google Workspace, Shibboleth, Ping Identity, and ADFS (Active Directory Federation Services). If your organization uses a federated SSO service like SAML or OAuth, Acorn's technical team can work with you to configure and implement the necessary authentication protocols to ensure compatibility.
Configuration and Deployment
Federated Identity Management
Acorn is configured with Federated Identity Management (FIM) principles, meaning your identity provider remains the source of truth for user authentication. This architecture ensures that credential management, security policies, and authentication rules are centralized and consistent across your organization.
Just-In-Time (JIT) User Creation
When users attempt to log in via SSO for the first time, Acorn can automatically create their user account through Just-In-Time provisioning. During this process, Acorn maps attributes and claims from your identity provider to Acorn user fields, enabling seamless onboarding without manual user administration.
Attribute and Claim Mapping
Your identity provider sends user information (attributes and claims) to Acorn during authentication. You can configure which provider attributes map to Acorn user properties, such as first name, last name, email, and department. This flexible mapping ensures your Acorn user profiles reflect organizational data accurately.
Authorization and Role Management
SSO handles authentication (verifying who the user is), while Acorn manages authorization (determining what the user can access). Your identity provider can pass group memberships to Acorn, which are then mapped to Acorn roles through coarse-grained authorization. Acorn's Role-Based Access Control (RBAC) layer provides fine-grained authorization at the feature and action level, giving you granular control over user permissions and capabilities.
Cohorts can be automatically assigned to users pulled in from your HRIS or identity provider, streamlining user organization and learning path assignment.
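Just-In-Time creation, attribute and claim mapping, the coarse-grained group-to-role step and the fine-grained RBAC check described above, as an added Python example that is not Acorn's own code. The IdP attribute names, group names, role names and permissions are constructed assumptions; the Acorn user fields are the ones the article names.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed example configuration (assumptions, not Acorn's actual schema).
ATTRIBUTE_MAP = {          # IdP attribute/claim -> Acorn user field
    "mail": "email",
    "givenName": "first_name",
    "sn": "last_name",
    "department": "department",
}
REQUIRED_FIELDS = {"email", "first_name", "last_name"}

GROUP_ROLE_MAP = {         # coarse-grained authorisation: directory group -> platform role
    "PLMS-Learners": "learner",
    "PLMS-Managers": "manager",
    "PLMS-Admins": "admin",
}

ROLE_PERMISSIONS = {       # fine-grained RBAC: role -> allowed (feature, action) pairs
    "learner": {("courses", "view"), ("courses", "enrol")},
    "manager": {("courses", "view"), ("reports", "view")},
    "admin": {("courses", "view"), ("reports", "view"), ("users", "manage")},
}


class ProvisioningError(Exception):
    """Raised when the assertion lacks data needed to create or update a user."""


@dataclass
class User:
    email: str
    first_name: str
    last_name: str
    department: str = ""
    roles: set[str] = field(default_factory=set)


def map_attributes(claims: dict) -> dict:
    """Translate IdP claims into Acorn user fields; unmapped claims are ignored."""
    fields = {acorn: claims[idp] for idp, acorn in ATTRIBUTE_MAP.items() if idp in claims}
    missing = REQUIRED_FIELDS - set(fields)
    if missing:
        raise ProvisioningError(f"assertion missing required attributes: {sorted(missing)}")
    return fields


def roles_from_groups(groups) -> set[str]:
    """Only explicitly mapped groups grant a role, so a user in no mapped group
    receives no access rather than some default role."""
    return {GROUP_ROLE_MAP[g] for g in groups if g in GROUP_ROLE_MAP}


def jit_login(claims: dict, users: dict[str, User]) -> User:
    """Create the account on first SSO login, otherwise refresh it from the IdP,
    which remains the source of truth for profile data and group membership."""
    fields = map_attributes(claims)
    roles = roles_from_groups(claims.get("memberOf", []))
    user = users.get(fields["email"])
    if user is None:
        user = User(**fields)
        users[user.email] = user
    else:
        for name, value in fields.items():
            setattr(user, name, value)
    user.roles = roles   # replace rather than accumulate: leaving a group revokes the role
    return user


def can(user: User, feature: str, action: str) -> bool:
    """Fine-grained RBAC check at the feature/action level."""
    return any((feature, action) in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
```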
Multi-Tenant SSO Configuration
If your organization uses multiple Acorn tenants, each tenant can have its own individual SSO configuration and identity provider connection. This flexibility is particularly useful for organizations managing separate learning environments for different business units, geographic regions, or user populations (such as pre-hires versus active employees).
Each tenant maintains independent API and SSO connections, allowing you to target specific authentication flows and user provisioning rules to each environment.
Implementation Timeline
SSO integration is typically completed as part of Acorn's standard 6–8 week implementation process. Integration and testing activities generally occur during weeks 4–6, with User Acceptance Testing (UAT) and live deployment following immediately after. Throughout implementation, a dedicated Teams chat is established for real-time communication with your implementation team, and 24/7 support is available to address questions and issues.
Security Considerations
- No password storage: For federated accounts, Acorn does not store user passwords. Authentication credentials remain with your identity provider.
- Session management: Session lifetimes align to your identity provider's policies, ensuring consistent security across all applications.
- Signed assertions: SAML assertions are cryptographically signed to prevent tampering.
- Audit trails: All authentication events and user lifecycle changes are recorded and auditable, supporting compliance and security monitoring.
- MFA delegation: Multi-factor authentication is managed by your identity provider, centralizing security policy.
To configure SSO for your Acorn PLMS instance, contact your implementation team during the Integration & Testing phase of your deployment. The Acorn technical team will work with you to gather identity provider details, configure attribute mappings, and conduct thorough testing before go-live.
For additional SSO guidance and troubleshooting, refer to the Single Sign-On (SSO) FAQs in the help center.
Session Management
Effective session management is critical to maintaining the security of your Acorn PLMS instance and protecting sensitive learning data. This article explains how Acorn PLMS manages user sessions, implements automatic security measures, and outlines best practices for maintaining secure access across different network environments.
Understanding Session Management in Acorn PLMS
A session represents your authenticated connection to Acorn PLMS. When you log in, the system establishes a session that remains active until you log out or the session expires. Session management ensures that only authorised users can access the system and that inactive sessions are terminated to prevent unauthorised access.
Your organisation's security posture depends significantly on proper session management practices. Acorn PLMS provides built-in protections and policies designed to balance user convenience with security requirements.
Individual User Accounts and Account Security
Acorn PLMS requires that all staff members have their own unique user accounts. Account sharing is strictly prohibited across your organisation. This policy ensures that:
- Accountability is maintained: Every action within the system can be traced to a specific user
- Access control is enforced: User permissions and roles remain consistent and auditable
- Security is preserved: Shared credentials create significant security risks and compliance violations
- Session tracking is accurate: The system can correctly log which user performed which actions during their session
If you discover shared account usage within your organisation, report this immediately to your system administrator. Each staff member should have received their own unique login credentials and should never share these credentials with colleagues.
Session Timeout Policies
Session timeouts automatically terminate inactive sessions after a specified period of inactivity. Your organisation's administrators configure timeout policies based on security requirements and operational needs.
How session timeout works:
When you log into Acorn PLMS, a timer begins tracking your activity. If no actions are detected for the configured timeout period, your session automatically terminates. You will be returned to the login screen and required to authenticate again to continue working.
Why timeouts matter:
Session timeouts protect against unauthorised access in several scenarios:
- When you leave your workstation unattended
- If your device is lost or stolen
- When you forget to manually log out
- In shared workspace environments where multiple people use the same computer
Timeout durations vary based on your organisation's security policies and may differ depending on the network you're using. Administrative users may have different timeout settings than standard learners.
Automatic Lock and Logout Features
In addition to session timeouts, Acorn PLMS provides automatic lock functionality that may be enabled by your administrator. This feature offers enhanced security by:
- Locking your session after a period of inactivity, requiring you to re-authenticate before continuing
- Automatically logging you out if the inactivity period extends beyond the configured threshold
- Securing your workstation when you step away from your desk
When a session is locked, you must re-enter your password to unlock it. This requirement ensures that even if someone approaches your unattended computer, they cannot access your account without your credentials.
Accessing Acorn PLMS on Public Networks
Public networks—such as coffee shops, libraries, airports, and public Wi-Fi hotspots—present additional security risks. Follow these guidelines when accessing Acorn PLMS from public networks:
Use a VPN (Virtual Private Network)
A VPN encrypts your connection and masks your location, protecting your data from interception on public networks. Your organisation may provide VPN access; consult your IT department if you require VPN credentials.
Enable two-factor authentication (2FA)
If your organisation supports 2FA, enable it on your account. This adds a second verification step beyond your password, significantly reducing the risk of unauthorised access even if your credentials are compromised.
Avoid sensitive tasks on public networks
When possible, defer tasks involving sensitive data—such as uploading learner records, modifying user permissions, or accessing confidential course content—until you're on a trusted network.
Use a personal device rather than shared computers
Never access Acorn PLMS from shared public computers. These devices may contain malware or keystroke logging software that captures your credentials.
Keep your device updated
Ensure your operating system, browser, and security software are fully updated before accessing public networks. Updates patch known security vulnerabilities.
Verify the network name (SSID)
Cyber attackers sometimes create fake hotspots with names similar to legitimate public Wi-Fi networks. Verify the correct network name with venue staff before connecting.
Always log out explicitly
When finished with your session—especially on public networks—explicitly log out rather than simply closing the browser. This ensures your session terminates immediately rather than remaining active.
Managing Your Session
To view your active sessions:
Navigate to your account settings and select the "Active Sessions" or "Session Management" section. Here you can view details about your current and recent sessions, including login time, device information, and IP address.
To end a session manually:
Click the "Log Out" button in Acorn PLMS. This terminates your current session immediately and returns you to the login screen.
To manage other sessions:
If you recognise an unfamiliar active session, you can terminate it from your session management page. If you suspect unauthorised access, contact your administrator immediately and reset your password.
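The lock-then-logout inactivity rules and the session listing and termination actions described above, as an added Python model that is not Acorn's own code. The thresholds, session fields and sample values are assumptions; real values are set by your administrator and may differ by network and role.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed thresholds (assumptions for this example).
LOCK_AFTER = 15 * 60       # seconds idle before the session locks
LOGOUT_AFTER = 60 * 60     # seconds idle before the session is terminated


@dataclass
class Session:
    session_id: str
    user: str
    device: str
    ip: str
    login_time: float
    last_activity: float
    state: str = "active"  # active -> locked -> terminated

    def refresh(self, now: float) -> str:
        """Apply the inactivity rules as of `now` and return the resulting state."""
        if self.state != "terminated":
            idle = now - self.last_activity
            if idle >= LOGOUT_AFTER:
                self.state = "terminated"
            elif idle >= LOCK_AFTER:
                self.state = "locked"
        return self.state

    def activity(self, now: float) -> str:
        """A user action only extends the timer while the session is active."""
        if self.refresh(now) == "active":
            self.last_activity = now
        return self.state

    def unlock(self, now: float, password_ok: bool) -> str:
        """Re-entering the password unlocks a locked session, never a terminated one."""
        if self.refresh(now) == "locked" and password_ok:
            self.state = "active"
            self.last_activity = now
        return self.state


@dataclass
class SessionStore:
    sessions: dict[str, Session] = field(default_factory=dict)

    def login(self, session_id: str, user: str, device: str, ip: str, now: float) -> Session:
        session = Session(session_id, user, device, ip, now, now)
        self.sessions[session_id] = session
        return session

    def list_for(self, user: str, now: float) -> list[Session]:
        """What an Active Sessions page shows: live sessions belonging to this user only."""
        return [s for s in self.sessions.values()
                if s.user == user and s.refresh(now) != "terminated"]

    def terminate(self, session_id: str, requested_by: str) -> bool:
        """Explicit logout or revoking an unfamiliar session; users may only end their own."""
        session = self.sessions.get(session_id)
        if session is None or session.user != requested_by:
            return False
        session.state = "terminated"
        return True
```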
Best Practices for Session Security
- Never share your login credentials with colleagues, even temporarily
- Log out before leaving your workstation, particularly in shared environments
- Use complex, unique passwords that meet your organisation's requirements
- Change your password regularly, especially if you suspect compromise
- Report suspicious activity to your administrator immediately
- Review your active sessions periodically for unfamiliar devices or locations
- Use organisation-provided devices whenever possible for accessing sensitive systems
Troubleshooting Session Issues
If you experience unexpected logouts or session terminations, verify that:
- Your network connection is stable
- Your session timeout period has not been exceeded
- Your organisation's administrator has not changed timeout policies
- Your device's system clock is accurate
For additional support, contact your system administrator or Acorn support team.