Tosi Control User Management Guide


1. Overview of User Roles

Tosi Control supports four user roles, each with specific permissions and management capabilities: OWNER, ADMIN, OPERATOR (previously called USER), and VIEWER.
Roles define what users can see, manage, or configure within the organization’s Tosi Control environment.

2. Role Definitions and Permissions

2.1 OWNER

The OWNER is the highest‑privileged user in Tosi Control.

2.1.1 Becoming an Owner

A user can become an OWNER in Tosi Control in two ways:

  1. Through Tosi Sales:
    The Tosi Sales team can create the Tosi Control OWNER when a customer purchases a subscription.

  2. Through Key Registration to a New Organization:
    A user can become the OWNER by creating an account while registering a Master Key to a new Tosi Control Organization.

2.1.2 Key Characteristics

2.1.3 OWNER Permissions

Network Management

User & Key Management

Gateway & Asset Management

Organization & Settings

Notifications

SSO Restriction

2.2 ADMIN

ADMINs have nearly identical permissions to the OWNER except they cannot manage the OWNER.

2.2.1 ADMIN Permissions

Same as OWNER except:

All other capabilities (networks, gateways, keys, users, notifications, exports, SSO setup, custom attributes, integrations) are fully available.

SSO Restriction

2.3 OPERATOR

The OPERATOR role (previously called USER) sits between ADMIN and VIEWER in terms of permissions.

2.3.1 OPERATOR Permissions

General

Editing Capabilities

The OPERATOR can edit paired gateways only when the attached key is a “Master Key” or “Backup Key”. Allowed Editing Actions are:

Viewing Capabilities

The OPERATOR can view the following pages.
All content is limited to attached keys and their paired gateways:

Restricted Capabilities

The OPERATOR cannot:

Network Access Limitation

SSO Restriction

2.4 VIEWER

VIEWERs have read-only access to selected networks.

2.4.1 VIEWER Permissions

General

Read-Only Visibility

Exports

Notifications

Network Access Limitation

SSO Restriction

3. User Invitation & Management

3.1 How to Invite a New User

  1. Go to Users view

  2. Click “Invite users”

  3. Enter one or multiple email addresses

  4. Select the role (ADMIN, OPERATOR (previously called USER), or VIEWER)

  5. Send invitation

You can invite multiple users simultaneously.

3.2 Managing Invitations

Where to view pending or expired invites?

Renewing an expired invitation

  1. Open Users view

  2. Click the user whose invite expired

  3. Open the three‑dot menu

  4. Select “Renew invitation”

Invitation expiration rules

4. User Account Management

4.1 Changing a User’s Role

(ADMIN or OWNER only)

  1. Go to Users view

  2. Select the user

  3. Open the role dropdown on the right panel

  4. Select a new role

4.2 Removing or Deactivating a User

(ADMIN or OWNER only)

4.2.1 To remove a user

  1. Go to Users

  2. Select a user

  3. Open the three‑dot menu

  4. Select Remove user
    → User must be re-invited to regain access

4.2.2 To deactivate (block login)

  1. Same menu

  2. Choose Deactivate user

4.3 Forcing Password Reset

(ADMIN or OWNER only)

  1. Open Users

  2. Select a user

  3. Three‑dot menu → Force password change

4.4 Forcing Session Termination

(ADMIN or OWNER only)

  1. Open Users

  2. Select user

  3. Three‑dot menu → End session

5. Key Assignment

5.1 What does attaching a key mean?

Attaching a key associates it with a user: the key becomes visible to that user in the interface, and the user can access it through Tosi Client (Key Software, minimum version 4.4.0) when signed in under SSO.

5.2 How to attach a key to a user

(ADMIN or OWNER only)

  1. Go to Users

  2. Select user

  3. Click “Attach keys to user”

  4. Select keys in the modal

  5. Confirm

5.3 Key Attachment by System

Tosi Control automatically attaches a key to a user in the following cases:

  1. When a user signs in to Tosi Control via SSO using a Soft Key for the first time.

  2. When a user registers a Master Key to Tosi Control.

In both scenarios, the system creates the key‑to‑user association automatically, without requiring any manual action from an OWNER or ADMIN.

5.4 How to remove an attached key

  1. Go to Users

  2. Select user

  3. Locate and hover the key in the Keys list

  4. Click “Detach the Key”

6. Personal Profile Settings

6.1 Where to find your personal information

Navigate to:
User Avatar → My Settings → User Profile Settings

6.2 Updating your personal information

  1. Go to User Profile Settings

  2. Edit the desired fields

  3. Click Save Changes

6.3 Changing your password

  1. Go to User Profile Settings

  2. Enter old password

  3. Enter new password

  4. Click Save Changes

7. Single Sign‑On (SSO)

7.1 Overview

Tosi Control supports Single Sign‑On (SSO) through a SAML 2.0–based integration, allowing organizations to authenticate users using their own Identity Provider (IdP). With SSO enabled, users are no longer required to log in with Tosi Cloud credentials; instead, authentication follows the security policies defined by the organization’s IdP.

SAML lets the IdP confirm a user’s identity in a digitally signed XML document, the assertion. When a user signs in through SSO, the IdP sends the signed assertion to Tosi Control, which validates it before granting access.

Once SSO has been configured, the login flow for a user is:

  1. The user navigates to the organization’s dedicated SSO login URL.

  2. The user selects Login with SSO.

  3. The browser is redirected to the organization’s IdP.

  4. The IdP authenticates the user according to the company’s policies.

  5. After successful authentication, the browser returns to Tosi Control with a signed SAML assertion.

  6. Tosi Control validates the assertion and issues security tokens.

  7. The user is granted access to Tosi Control.

This guide explains how to register an organization’s IdP and configure SSO settings in Tosi Control.

7.2 Registering Your Organization’s IdP in Tosi Control

To begin configuring SSO, log in to Tosi Control as the OWNER or an ADMIN.
Navigate to:

Settings → Authentication

By default, the Tosi Cloud IdP is enabled. This is Tosi Control’s built‑in identity provider, allowing users to sign in with a username and password. It may be disabled after an external IdP has been successfully registered.

Important:
The Organization OWNER always maintains a backup login path using Tosi Cloud IdP credentials. Even if the built‑in IdP is disabled, the OWNER can still log in using their Tosi Cloud password. This ensures that access to the organization is never fully blocked if the external IdP becomes unavailable. Because this path bypasses the external IdP and its policies, protect the OWNER account with MFA (section 8), which applies to Tosi Cloud logins.

To begin the SSO setup, click Add Identity Provider.
A configuration panel appears with the fields described below.

7.3 Configuration Fields

7.3.1 Provider Name

Enter a name that identifies your organization’s IdP (e.g., “Azure AD”, “Okta”, “Ping Identity”).

7.3.2 Provider Type

Select the protocol used by your IdP.
Tosi Control currently supports SAML2.

7.3.3 Organization SSO Domain

Each organization creates a unique SSO URL.

The customizable ending must follow these rules:

7.3.4 Sign‑Out Flow

This setting determines whether logout events synchronize:

7.3.5 SAML Signing and Encryption

7.3.5.1 Signed SAML Requests

Signing uses the RSA‑SHA256 algorithm.

7.3.5.2 Encrypted SAML Assertions

Organizations may choose to encrypt all SAML assertions sent to Tosi Control.

7.3.6 Metadata Document Source

Tosi Control requires metadata from the IdP to complete the SAML configuration.
You may provide it in one of two ways:

7.3.7 Attribute Mapping

Attribute mapping connects IdP attributes to Tosi Control user fields.
Values should match the names used in the SAML assertion.

Required attributes:

Optional attribute:

Example SAML snippet for Email:

  <saml:Attribute Name="Email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>

7.3.8 Group Mapping

Group mapping allows organizations to automatically assign Tosi Control roles based on IdP group membership.

  1. Enable Group Mapping.

  2. Select Add new group mapping.

  3. Enter the IdP group name.

  4. Choose which Tosi Control role it maps to (OPERATOR (previously called USER), VIEWER, or ADMIN; OWNER must always be assigned manually).
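The following added example ties together step 6 of the login flow in 7.1 (validate the assertion), the attribute mapping in 7.3.7 and the group mapping above. It is not Tosi Control’s code and makes no claim about how Tosi Control validates assertions internally. Only the Email attribute name comes from this guide; the audience URL, the FirstName, LastName and Groups attribute names, the group names, the rule that the highest mapped role wins when a user is in several mapped groups, and the sample assertion are all constructed for illustration. Signature verification needs an XML‑DSig library and is out of scope here; the code only refuses an assertion that carries no Signature element at all, and enforces the validity window and audience, which a service provider must check in addition to the signature.

```python
"""Added example (not Tosi Control's code): validity/audience checks, attribute
mapping and group-to-role mapping over a constructed SAML 2.0 assertion."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumption: the service-provider entity ID the IdP must name as the audience.
EXPECTED_AUDIENCE = "https://control.example/saml/metadata"

# Attribute mapping: user field -> SAML attribute Name. Only "Email" is from the
# guide; "FirstName" and "LastName" are assumed names.
ATTRIBUTE_MAP = {"email": "Email", "first_name": "FirstName", "last_name": "LastName"}
REQUIRED_FIELDS = ("email",)

# Group mapping: IdP group name -> Tosi Control role. OWNER is never mappable.
# Group names and the "Groups" attribute name are assumptions.
GROUP_MAP = {"tosi-admins": "ADMIN", "tosi-operators": "OPERATOR", "tosi-viewers": "VIEWER"}
ROLE_RANK = {"VIEWER": 1, "OPERATOR": 2, "ADMIN": 3}  # assumption: highest mapped role wins
GROUP_ATTRIBUTE = "Groups"

# Constructed sample assertion (signature value is a placeholder).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2025-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2025-01-01T11:59:00Z" NotOnOrAfter="2025-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://control.example/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>tosi-viewers</saml:AttributeValue>
      <saml:AttributeValue>tosi-operators</saml:AttributeValue>
      <saml:AttributeValue>tosi-owners</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC; fractional seconds are ignored in this example."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(root, now):
    """Refuse unsigned assertions, assertions outside their window, or for another audience.
    Real deployments verify the XML signature against the IdP metadata certificate."""
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is unsigned")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion not intended for this service provider")


def read_attributes(root):
    """Collect every Attribute as Name -> list of values (multi-valued for groups)."""
    return {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }


def map_user(attrs):
    """Apply ATTRIBUTE_MAP; a missing required attribute rejects the login."""
    user = {}
    for field, saml_name in ATTRIBUTE_MAP.items():
        values = attrs.get(saml_name)
        if values:
            user[field] = values[0]
        elif field in REQUIRED_FIELDS:
            raise ValueError(f"required attribute {saml_name!r} missing")
    return user


def validate_group_map(mapping):
    """Reject a mapping that tries to grant OWNER or an unknown role via a group."""
    for group, role in mapping.items():
        if role == "OWNER":
            raise ValueError(f"group {group!r}: OWNER must be assigned manually")
        if role not in ROLE_RANK:
            raise ValueError(f"group {group!r}: unknown role {role!r}")
    return mapping


def map_role(groups):
    """Unmapped groups (e.g. 'tosi-owners') are ignored; None if nothing matched."""
    roles = [GROUP_MAP[g] for g in groups if g in GROUP_MAP]
    return max(roles, key=ROLE_RANK.__getitem__) if roles else None


def process_assertion(xml_text, now):
    root = ET.fromstring(xml_text)
    check_conditions(root, now)
    attrs = read_attributes(root)
    user = map_user(attrs)
    user["role"] = map_role(attrs.get(GROUP_ATTRIBUTE, []))
    return user


if __name__ == "__main__":
    validate_group_map(GROUP_MAP)
    print(process_assertion(SAMPLE_ASSERTION, parse_saml_time("2025-01-01T12:00:30Z")))
```

Note that the constructed user is a member of a group named “tosi-owners”; because the mapping refuses to carry OWNER, that group is simply ignored and the user lands on OPERATOR, the highest of the mapped roles. Replay the same assertion thirty seconds after NotOnOrAfter and it is rejected before any attribute is read.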

Example (Okta-based):

7.4 Completing the Registration

When all fields are configured, click Register IdP.
If successful, Tosi Control displays the IdP details along with:

At this point, SSO is registered but not yet active.

To enable SSO login, turn on:
Enable Federated IdP for SSO access

If desired, the Tosi Cloud IdP can now be disabled (OWNER retains backup access).

7.5 Editing or Removing an IdP

7.5.1 Editing the Configuration

Click Edit IdP Configuration on the Authentication page to update any settings.

7.5.2 Removing the IdP Registration

Click Remove IdP registration.
A confirmation dialog appears with two options:

7.5.2.1 Remove SSO-only users

If enabled:

Users who also have Tosi Cloud credentials (Tosi Control Username and Password) will not be removed.

7.5.2.2 Keep users

If disabled:

Click Remove IdP registration to finalize.

7.6 Logging in Through the SSO Domain

After the IdP is configured and SSO is enabled, users can log in at the organization’s SSO domain.

The login page displays the organization’s name.
Users select Login with SSO, authenticate through the organization’s IdP, and are then redirected back to Tosi Control with access granted.

8. Multi‑Factor Authentication (MFA)

8.1 Overview

Multi‑Factor Authentication (MFA) adds an additional layer of security to user accounts in Tosi Control. When MFA is enabled, users must verify their identity using a second authentication factor in addition to their username and password. For OT environments this means a stolen or guessed password is no longer sufficient on its own to reach Tosi Control.

Tosi Control supports MFA in the following ways:

Important:
MFA is only available for Tosi Cloud (username + password) logins.
MFA is not applied to SSO logins.
Users who sign in through an external Identity Provider authenticate solely through the IdP’s policies.

8.2 How MFA Works in Tosi Control

When MFA is enabled for a user, the login experience includes:

  1. Primary authentication
    The user enters their Tosi Cloud username and password.

  2. Secondary authentication
    The user enters a one‑time verification code generated by their authenticator app.

Once both steps succeed, Tosi Control grants access.

This process applies only to Tosi Cloud-based authentication.
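The second step above is, for authenticator apps of the kind named in 8.3.1, a time‑based one‑time password (TOTP, RFC 6238). The guide does not name the algorithm, so treating Tosi Control’s MFA as standard TOTP is an assumption. The following added example (not Tosi Control’s code) shows the server side of that check with the two details a practitioner should insist on: a bounded clock‑skew window, and refusal to accept the same code twice within its validity period. The secret is the RFC 6238 test key, so the codes can be checked against the RFC’s published vectors.

```python
"""Added example (not Tosi Control's code): RFC 6238 TOTP verification with a
clock-skew window and replay protection, using only the standard library."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30          # seconds per TOTP step (RFC 6238 default)
DIGITS = 6         # code length shown by common authenticator apps
SKEW_STEPS = 1     # assumption: accept the previous and next step to absorb clock drift

# RFC 6238 test secret, ASCII "12345678901234567890", base32-encoded as an
# authenticator app would receive it during enrollment (not a production secret).
TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret, counter, digits=DIGITS):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at, step=STEP):
    """TOTP (RFC 6238): HOTP with the counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at) // step)


class TotpVerifier:
    """Verifier state for one user. `last_counter` records the newest step whose
    code was accepted, so the same code cannot be replayed inside the window."""

    def __init__(self, secret_b32, skew=SKEW_STEPS):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.skew = skew
        self.last_counter = -1

    def verify(self, code, at=None):
        at = time.time() if at is None else at
        counter = int(at) // STEP
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # this step (or an older one) was already consumed: replay
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: at t=59 the 8-digit SHA-1 code is 94287082,
    # so the 6-digit code is 287082.
    print(totp(TEST_SECRET_B32, 59))
    v = TotpVerifier(TEST_SECRET_B32)
    print(v.verify("287082", at=59), v.verify("287082", at=59))  # accepted once, then replayed
```

The replay record is the part most home‑grown implementations omit: without it, an attacker who shoulder‑surfs or phishes a code can reuse it for the remaining seconds of its window, which defeats the purpose of a one‑time code. Note also that MFA reset (8.4) must wipe both the secret and this record.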

8.3 Enabling MFA as a User

Users who sign in using Tosi Cloud credentials can enable MFA at any time.

8.3.1 How to enable MFA

  1. Log in using your Tosi Cloud username and password.

  2. Open:
    User Avatar → My Settings → User Profile Settings

  3. Scroll to the Multi‑Factor Authentication section.

  4. Click Enable MFA.

  5. Follow the on-screen instructions to pair your authenticator app (e.g., Microsoft Authenticator, Google Authenticator).

  6. Once completed, MFA becomes active and will be required during future logins.

8.3.2 Requirements

Users logging in through SSO do not use MFA inside Tosi Control and will not see MFA setup options.

8.4 Resetting MFA for a User

ADMINs and OWNERs may reset a user’s MFA configuration if needed (e.g., lost phone, app reset).

8.4.1 Reset options are available in:

8.4.1.1 The Users List

8.4.1.2 The Individual User Page

After a reset, the affected user will be required to reconfigure MFA at their next login.

Note: MFA resets apply only to users authenticated via Tosi Cloud credentials.

8.5 Organization‑Level MFA Enforcement

The OWNER or ADMIN can require all Tosi Cloud users to enable MFA before they can access Tosi Control.

8.5.1 How to enable MFA enforcement

  1. Navigate to:
    Settings → Authentication

  2. Locate the section Require Multi‑Factor Authentication

  3. Toggle the enforcement switch ON

Once enabled:

8.5.2 Disabling MFA enforcement

Toggle the same control OFF to make MFA optional again.

Enforcement does not disable or remove MFA from users who already set it up.

8.6 MFA Notifications

Tosi Control integrates MFA status updates into the Notification Center.
ADMINs and OWNERs may see:

These notifications appear in the header and remain available until cleared.

8.7 MFA and SSO

When a user logs in via SSO:

8.8 When MFA Reset May Be Needed

ADMINs or the OWNER may reset MFA for users when:

A quick MFA reset allows users to reconfigure MFA on the next login.

8.9 MFA Troubleshooting

8.9.1 User cannot complete MFA setup

8.9.2 User enabled MFA but can no longer authenticate