Company Settings Tab

Use this tab to establish functional preferences as well as company and email system defaults.

These data fields are company-specific and effective for this company only.

Company Settings

Field Description
Apply Organization Security

Select this check box to apply organization security for the company.

Note: You must specify an organization security group when linking users or user groups to companies on the Manage Users screen or the Manage User Groups screen.
Allow Reusing of Passwords

Select this check box to allow users to reuse old passwords. If this check box is later cleared, Costpoint will start to save used passwords, and users are not able to reuse any password established from then on.

Previously used passwords are not saved in the history file.

Header Color

Select a background color for this company from the drop-down list. When users access this company, the color is applied to the Global Menu.

Display System in the Header

Select this check box to display the system name on the Global Menu.

Apply Org Security for Employees without User ID

Select this check box to validate employees who do not have User IDs. Clear the check box to only validate employees who have a User ID.

Allow HR Org Manager/Rep/Spvsr from Other Companies

Select this check box to allow entry of Human Resources (HR) organization managers, representatives, or supervisors that do not belong to this company.

This check box is only available if this company is licensed for HR.

Environment Name

Enter an environment name that will display on the Global Menu.

Email System

Costpoint uses this group box to connect to the SMTP server for routing outgoing email messages.

Field Description
SMTP Server Name

Enter the name of the email server that is responsible for sending outgoing mail.

SMTP Port Number

Enter the port number to use when sending email via SMTP protocol.

SMTP Server User ID

Enter a system account user ID to use for SMTP server authentication.

Password

Enter the password for the SMTP Server User ID. 

E-mail Redirect

Enter an email address where all emails will be redirected.

Require SSL/TLS

Select this check box if your SMTP server requires encryption.

SSL is a term commonly used when referring to both Secure Sockets Layer technology and its successor, Transport Layer Security (TLS). Although you may see references to SSL in the application's user interface, all Deltek applications use current TLS protocols to provide protected connections between web servers and web browsers.

Send all emails from SMTP Server User ID

Select this check box if you want to send all emails from the SMTP Server User ID.

Company Defaults

Use this group box to set the company defaults. You can override these settings using the Configure User Preferences screen and/or the Manage Users screen.

Field Description
Print Cover Page

Select this check box to always print a cover page for reports.

Report Table Purge (Days)

Enter the number of days after which Costpoint must purge the report table data.

Costpoint User Accounts

Use this group box to enable and set the defaults for the user creation functionality on the Manage Employee Information screen.

Field Description
Auto-create User Accounts

Select this check box to enable automatic user account creation functionality on the Manage Employee Information screen.

Authentication Method

Select the default authentication method to use when creating user accounts automatically.

Generate Random Password

Select this check box to enable the application to generate a random and temporary password based on your system password policy (minimum length, require number, mixed case, and so on). The password is then captured and communicated to the end user in an email.

This option is available only if the Database, Windows Domain and Database, or Kerberos Single Sign-on or Database option is selected from the Authentication Method drop-down list.

Manage User Groups in AD

Select this check box to manage user groups in the Active Directory. This check box is enabled only when you select specific options from the Authentication Method drop-down list.

Note: If you clear this check box or change the authentication method and users are assigned to user groups linked to the Active Directory, the users will remain assigned to those user groups. When you remove users from the Active Directory, they will also be removed from the Costpoint user group linked to the Active Directory.
Preferred Notification Method

Select one or more notification methods for Costpoint to inform users of application updates. The options are:

  • Device Notification
  • Email
  • SMS Message

Email is the default notification method. Costpoint must be configured for Skype for Business for the IM option to display.

The Device Notification method sends Costpoint alerts to a laptop or mobile device using the default notification method on the device.

Passkey (FIDO)

Select this check box to let users log in using a biometric device, such as a FIDO USB key or biometrics (a fingerprint, face recognition, or personal PIN).

2FA Settings

Use this group box to establish two-factor authentication (2FA) settings for the company. If 2FA is enabled, Costpoint will ask users to enter a one-time passcode after entering their user name and password on the Costpoint login screen.

This group box is disabled if the selected authentication method is Kerberos Single Sign-on, Kerberos Single Sign-on or SAML Single Sign-on, SAML Single Sign-on, or Certificate Single Sign-on.

Field Description
None

Select this option if you do not want to enforce 2FA for this user.

Mobile Application

Select this option if you want to enforce 2FA and allow users to generate a one-time passcode through a mobile device.

Additional steps are required for users to fully enable this authentication method. After installing a 2FA application on a mobile device, a user must go to the Configure User Preferences screen to display the 2FA activation bar code, scan it, and complete 2FA enrollment.

Email

Select this option if you want to enforce 2FA for the company and have Costpoint generate a one-time passcode that will be emailed to users. Users can also receive the passcode by calling the Help Desk.

Passkey

Select this option to use a FIDO USB key or biometrics (a fingerprint, face recognition, or personal PIN) for 2FA for the company.

Supplier Portal User Accounts

Use this group box to enable and set the defaults for the creation of Vendor Contacts user accounts on the Approve Prospective Vendors screen and Manage Vendors screen. This section is available if you are licensed to use the Supplier Portal.

Field Description
Supplier User Login Creation

Select whether to automatically create a Supplier user login or have the system admin create it.

  • Auto-Create: Select this option for Costpoint to create users automatically for Vendor Contacts when approved via Manage Contract Management Vendor Information (CTMVEND) or created in Manage Vendors (APMVEND).
  • Sys Ad creates Supplier Portal Login: Select this option to enable users to submit a request to the system admin to create a user login for the Vendor Contact.
  • None: Select this option to disable this feature.

Sys Ad Email

Enter the email address of the person who will receive the notification request for the creation or completion of the vendor user.

SP User Group

Enter, or click to select, a default user group to assign to the new users created for the vendor contacts.

SP User Org Sec Group ID

Enter or select the default org security group ID for the new users created for the vendor contacts.

Authentication Defaults

Use this group box to select the default authentication method for the new users created for the vendor contacts.

Field Description
Authentication Method

Select the authentication method.

Authentication Method Description
Kerberos Single Sign-on

This method enables users to log in to a network and access all authorized resources within the enterprise or at different web sites on the internet. A single sign-on program accepts the user's name and password and automatically logs in to all appropriate servers. In this method:
  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users should not enter their user ID and password on the login screen.
  • This method can be used only for in-house users.
Passkey (FIDO)

In the Fast Identity Online (FIDO) method:
  • The user ID is stored in the Costpoint database.
  • There is no password stored. Authentication is based on using private-key/public-key cryptography and is completely passwordless. To log in, a user must have a valid FIDO device such as a FIDO USB key or use a biometric method (typically a fingerprint, face recognition, or personal PIN).
  • Users must enter their user ID on the login screen.
  • This method can be used for either in-house users or remote consultants or subcontractors.
SAML Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode through Security Assertion Markup Language (SAML) tokens. This method is allowed if the user is previously authenticated with a third-party SAML Identity Provider, such as Microsoft Active Directory Federation Services (AD FS) or Microsoft Azure. The user's credentials are stored and verified by the SAML Identity Provider.

Kerberos Single Sign-on or SAML Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode either through Windows AD Kerberos tokens (if a user is successfully authenticated to the LAN), or through SAML tokens. If you choose this option, select a provider in the SAML Identity Provider field.

OIDC Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode through OpenID Connect (OIDC) tokens.

Kerberos Single Sign-on or OIDC Single Sign-on

This method enables users to log on to Costpoint in Single Sign-on mode either through OpenID Connect (OIDC) or Kerberos tokens.

Database

In this method:
  • The user ID and password are stored in a Costpoint database.
  • Oracle or SqlServer database user accounts are not used.
  • The password is stored in a hashed form: SHA-2 (Secure Hash Algorithm-2) with the user ID used as a 'salt.'
  • A challenge-response algorithm is used for authentication with a server-side generated nonce (a nonce is a random number that is generated to protect against replay attacks).
  • The user credentials, combined with a nonce, pass from the client in an encrypted form (Advanced Encryption Standard).
  • Users must enter their user ID and password on the login screen.
  • This method can be used for all three security use-cases: in-house, consultants, and remote.
  • This is the only method that can be used for remote office users.
Active Directory

This method is an advanced, hierarchical directory service that comes with Windows 2000 servers. In this method:
  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users must enter their user ID and password on the login screen.
  • Either Costpoint or Active Directory user ID can be used to log in to Costpoint.
  • This method can be used for either in-house users or consultants.
Kerberos Single Sign-on or Active Directory

In this method:
  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • Users are allowed to log in using either the Active Directory or Single Sign-On methods.
  • The Single Sign-On method requires a user to be logged in to the LAN.
  • This method can be used either for in-house users or consultants but is intended for consultants. Users can take advantage of Single Sign-On while logged in to the LAN but will still be able to log in using the Active Directory method while traveling or at a customer site.
Kerberos Single Sign-on or Database

In this method, you can use either the Single Sign-on or Database authentication approach. Single sign-on would only work if the client is already authenticated on the domain, which usually happens when the client is already within the network. If the end user is remote and not logged into the Windows domain, then the User ID and password can be validated against the database (Database authentication).

Windows Domain and Active Directory

In this method:
  • The user ID is stored in both the Active Directory and a Costpoint database.
  • The Costpoint user ID can be mapped to a different Active Directory user ID.
  • The password is stored only in the Active Directory.
  • The following two conditions should be met for successful login:
      • Users must enter their user ID and password on the login screen.
      • Users must be logged in to the LAN.
  • This method can be used only for in-house users.
  • This method provides extra security. The Active Directory method is used as a starting point, but users must also be logged in to the LAN. Users cannot log in from outside of the corporate network.
Windows Domain and Database

In this method:
  • The user ID and password are stored in a Costpoint database.
  • The same rules for password storage and transmission apply as for the Costpoint Database authentication method.
  • The following two conditions should be met for successful login:
      • Users must enter their user ID and password on the login screen.
      • Users must be logged in to the LAN.
  • This method can be used only for in-house users.
  • This method provides extra security. The Costpoint Database method is used as a starting point, but users must also be logged in to the LAN. Nobody can log in from outside of the corporate network.
Certificate Single Sign-on

Select this method if your server is Transport Layer Security (TLS)-enabled and you have a TLS client certificate installed on the workstation.

With this authentication method, you do not need to enter a user ID and password to log in to Costpoint. The system matches the ID in the certificate to the Costpoint user with this authentication ID.

You must also enter the ID in the Active Directory or Certificate ID field. If the ID field is not populated when you insert or update a user record, this error displays: "With the authentication method you've selected, you must also enter an Active Directory or Certificate ID."
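
The nonce-based challenge-response described for the Database authentication method, as an added illustration that is not Costpoint or Deltek code. It assumes SHA-256 for the SHA-2 hash and an HMAC response in place of the AES-encrypted transfer the page describes; every name and the sample account are hypothetical.

```python
import hashlib
import hmac
import secrets


def stored_hash(user_id: str, password: str) -> bytes:
    # Assumption: SHA-256 over "user_id:password"; the page says only
    # "SHA-2 with the user ID used as a salt", not the exact layout.
    return hashlib.sha256(f"{user_id}:{password}".encode()).digest()


class Server:
    def __init__(self):
        self.users = {}    # user_id -> stored hash (never the password)
        self.pending = {}  # user_id -> nonce issued for the current login

    def enroll(self, user_id: str, password: str) -> None:
        self.users[user_id] = stored_hash(user_id, password)

    def challenge(self, user_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return nonce

    def verify(self, user_id: str, response: bytes) -> bool:
        # pop() makes the nonce single-use, which is what defeats replay.
        nonce = self.pending.pop(user_id, None)
        key = self.users.get(user_id)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(user_id: str, password: str, nonce: bytes) -> bytes:
    # The client proves knowledge of the password without sending it.
    return hmac.new(stored_hash(user_id, password), nonce, hashlib.sha256).digest()


def demo() -> dict:
    server = Server()
    server.enroll("jsmith", "Correct-Horse-9")  # constructed sample account
    nonce = server.challenge("jsmith")
    captured = client_response("jsmith", "Correct-Horse-9", nonce)
    results = {"legitimate": server.verify("jsmith", captured)}
    # Replaying the captured response: the nonce is already consumed.
    results["replay_no_challenge"] = server.verify("jsmith", captured)
    # Replaying it against a new challenge: the nonce no longer matches.
    server.challenge("jsmith")
    results["replay_new_challenge"] = server.verify("jsmith", captured)
    wrong = client_response("jsmith", "guess", server.challenge("jsmith"))
    results["wrong_password"] = server.verify("jsmith", wrong)
    return results
```

In this sketch the stored hash doubles as the HMAC key, so it has to be protected like the password itself.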

Passkey (FIDO)

Select this checkbox to let users log in using a biometric device, such as a FIDO USB key or other biometric option (a fingerprint, face recognition, or personal PIN).

Generate Random Password

This checkbox will generate and send a random and temporary password based on your system password policy via email when a user is automatically created.

This checkbox is selected only when the Database, Windows Domain and Database, Kerberos Single Sign-on or Database option is selected in the SP Authentication Method list.

Manage User Groups in AD

Select this checkbox to manage user groups in the Active Directory. This checkbox is enabled only when you select any of the following options from the Authentication Method field:

  • Single Sign-on
  • Active Directory
  • Single Sign-on or Active Directory
  • Single Sign-on or Database
  • Windows Domain and Active Directory
  • Windows Domain and Database

When you select this checkbox for the new users, they will automatically be assigned to user groups mapped to the Active Directory entered in the Active Directory or Certificate ID field. Upon login, the user groups linked to the Active Directory where this user belongs display on the Assigned User Groups subtask. User groups that are linked to a user but are not mapped to the Active Directory still display on the Assigned User Groups subtask. A user can be a member of Costpoint-only user groups and can also dynamically become a member of other user groups linked to the Active Directory.

2FA Settings

Use this group box to establish two-factor authentication (2FA) settings. If 2FA is enabled, Costpoint will ask users to enter a one-time passcode after they enter their user name and password on the Costpoint login screen.

This group box is disabled if the selected authentication method is Single Sign-on or Certificate SSO.

Field Description
None

Select this option if you do not want to enforce 2FA.

Mobile Application

Select this option if you want to enforce 2FA and allow users to generate a one-time passcode through a mobile device.

Additional steps are required for users to fully enable this authentication method. After installing a 2FA application on a mobile device, a user must go to the Configure User Preferences screen to display the 2FA activation barcode, scan it, and complete 2FA enrollment.

Email

Select this option if you want to enforce 2FA for the new user accounts and have Costpoint generate a one-time passcode that will be emailed to users. Users can also receive the passcode by calling the Help Desk.

Passkey

Select this option to use a FIDO USB key or biometrics (a fingerprint, face recognition, or personal PIN) for 2FA for the company.