Account recovery (ACR)

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Account Recovery (ACR)

    The Account Recovery (ACR) feature allows administrators to manage account recovery activities related to Single Sign-On (SSO) configurations, such as addressing SSO misconfigurations or expired certificates. Enabling ACR disables local interactive logins when SSO is active.

    Show full answer Show less

    Key Features

    • Bypass SSO login to resolve SSO configuration issues.
    • Log in with SSO using an ACR-administered account.
    • Utilize self-service capabilities for account recovery needs.
    • Enhance security by reducing unauthorized access to instances.

    Key Outcomes

    To implement ACR on a fresh instance, activate the Multi-SSO plugin and ensure ACR is enabled by default. Administrators must enroll as ACR users and set up local login credentials and MFA. For upgraded instances, similar steps apply, with a requirement to enable ACR manually.

    It's crucial to register at least one admin account as an account recovery user before activating SSO. This enables the account recovery feature while maintaining SSO functionality. Changes to account recovery settings can be managed through system properties.

    After configuring ACR and SSO, local logins are restricted, enhancing security through the SSO-ACR context policy.

    Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates.

    Note:
    Enabling ACR disables the local interactive log-ins (username or password based) when SSO is enabled to your instances.

    ACR provides the following capabilities:

    • Bypass your single sign-on (SSO) login to address issues with SSO configuration as an administrator.
    • Log in with using SSO to perform tasks with an administrator account configured as an account recovery.
    • ACR flows enable the administrators to use self-service capabilities to address account recovery when there’s a need for recovery, for example, SSO miss-configuration, expired certificates.
    • Reduce unauthorized access to the instance and provide a strong foundation to use ACR outside SSO use cases.

    Fresh Instance

    For a fresh instance to use ACR, you must do the following:

    • Activate Mutli-SSO plugin (com.snc.integration.sso.multi.installer)
    • Enable ACR (glide.sso.acr.enabled) - This is enabled by default in case of a fresh instance.
    • Before enabling SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
      Note:
      Setting this property to false will not disable multi-provider SSO if Account Recovery (ACR) is also enabled on the instance. To log in with a username and password ACR must also be disabled using the glide.sso.acr.enabled property. For details on this property see Account recovery properties.
    • Administrator must set a password for local login and register MFA before enrolling as an ACR user.

    Upgraded Instance

    For an upgraded instance to use ACR, you must do the following:

    • Activate Mutli-SSO plugin (com.snc.integration.sso.multi.installer)
    • Enable ACR (glide.sso.acr.enabled)
      Note:
      In case of upgraded instance, the administrator must enable ACR.
    • Before enabling SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
    • Administrator must set a password for local login and register MFA before enrolling as an ACR user.

    Configure account recovery users

    To use account recovery, you must register at least one admin account as an account recovery user. Single sign-on can’t be activated on your instance until there is at least one account configured. For details on this process, see Configure an account recovery user from the Account Recovery Properties page.
    Note:
    If you’re upgrading an instance already using single sign-on to Rome or a later release, single-sign on will continue to function without a recovery user configured.

    Account recovery configuration

    The account recovery feature is included with the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugins. The feature is enabled by default. You can change this and other account recovery settings using system properties. For details on these properties, see Account recovery properties.

    Account recovery policy context

    After you’ve registered an account recovery user and enabled single sign-on (SSO), your instance restricts all local logins. This restriction is defined in the SSO - ACR Context auth policy context. For more information about the context, see Account recovery context.

    For details on how authentication policies and policy contexts, and how they work on your instance, see Adaptive authentication.