Security
Access Control
IP Whitelist and login methods (OAuth/SSO) — Configuration and Operation
Enneo offers two independent mechanisms for controlling system access: a network-based IP whitelist and an identity-based configuration of permitted login methods. Both mechanisms act on different levels and can be combined.
IP Whitelist
The IP whitelist restricts access to Enneo based on the network address of the requesting client. If the setting is active, all requests from users are rejected whose IP address is not included in the list.
The configuration can be found under
Advanced settings → Privacy → Access control - IP Whitelist.
The setting accepts a list of IP addresses or CIDR ranges. Both IPv4 and IPv6 are supported.
["192.168.1.0/24", "10.0.0.5", "2001:db8::/32"]If the list is empty, access is possible without IP restriction. As soon as at least one entry is set, each request is checked — if there is a match, access is granted, otherwise it is denied.
Tip
When setting the IP whitelist, the system checks whether the own IP address of the configuring user is also included in the list. If this is not the case, the save is rejected — as protection against accidental self-locking.
Login methods (OAuth / SSO)
Enneo supports several login methods that can be configured per tenant.
The SSO configuration can be found under Advanced Settings → Single-Sign-On.
Permitted Login Methods
The setting determines which login types are active:
| Value | Description |
|---|---|
microsoft | Microsoft Azure AD / Entra ID (OAuth2/OIDC) |
google | Google OAuth2 |
oauth | Generic OAuth2 provider (configurable) |
local | Local login with email and password |
Note
Users who were created exclusively through SSO cannot log in through
local login — even if local is activated.
Allowed Email Domains
If this setting is set, new users will only be created if their email address belongs to one of the configured domains.
["example.com", "partner.org"]Info
Existing users are not affected — the check is exclusively done when a new account is created via SSO. If the list is empty or not set, there are no domain restrictions.