# Extension Authentication Configuration

### Automatically Prompting for User Authentication <a href="#block-d5ca2351ea324852a08f4b4ffabdb253" id="block-d5ca2351ea324852a08f4b4ffabdb253"></a>

{% hint style="info" %}
If you are using SAML/SSO, see the instructions at [Setting Up SAML/SSO](/enterprise-it-setup/authentication/setting-up-saml-sso.md).
{% endhint %}

By default, on installation, the PixieBrix browser extension prompts the team member to link the extension to a PixieBrix account. However, if the team member closes the extension, PixieBrix will not prompt them to link the extension again.

To require a team member to log in to the PixieBrix extension, PixieBrix supports using [Chromium’s Managed Policy feature](https://www.chromium.org/administrators/configuring-policy-for-extensions/) to associate the extension with your organization. As part of the PixieBrix heartbeat, which runs every 5 minutes, PixieBrix checks whether the extension is unlinked and, if so, prompts the user to link it.

In Chrome's `chrome://policy/` screen, if you have the PixieBrix browser extension installed, you’ll see the policy value you've provided under the PixieBrix section. For example:

<figure><img src="https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/10fda7b9-f70c-4659-a8e8-121039c3f152/Untitled/w=1080,quality=80" alt="" width="563"><figcaption><p>Example: PixieBrix policy section in Chrome/Microsoft Edge with managedOrganizationId policy configured</p></figcaption></figure>

**Windows Registry Setting**

On Windows, use the registry or ADMX policy to set the `managedOrganizationId` policy for the extension.

The extension policy is under the following registry key:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\mpjjildhmpddojocokjkgmlkkkfjnepo\policy
```

The policies should be configured as follows:

| Name                  | Type    | Data                      |
| --------------------- | ------- | ------------------------- |
| managedOrganizationId | REG\_SZ | *Your team's tenant UUID* |

### Blocking Page Access for Unauthenticated Users <a href="#block-cfbba6ca75194968b7b740c7882ce3bd" id="block-cfbba6ca75194968b7b740c7882ce3bd"></a>

PixieBrix supports blocking access to URLs for unauthenticated users. If an unauthenticated user visits a blocked page, they will be redirected to the PixieBrix login page (or an SSO login page if SSO is enabled for your team).

**Configuring the Extension Policy**

| Name                  | Type       | Data                      |
| --------------------- | ---------- | ------------------------- |
| managedOrganizationId | REG\_SZ    | *Your team's tenant UUID* |
| enforceAuthentication | REG\_DWORD | 1                         |

**Configuring the URL Denylist**

{% hint style="warning" %}
Do not add any login flow URLs to the denylist. Adding login URLs will prevent users from authenticating.
{% endhint %}

The denylist of URLs is configured in the Admin Console, under your team's Settings page.

Provide a list of [match patterns](https://developer.chrome.com/docs/extensions/develop/concepts/match-patterns) to deny.
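
The warning above can be checked before a denylist is saved. The following is an added example, not PixieBrix code: it implements a subset of Chrome's match pattern syntax (`http`, `https` and `*` schemes plus `<all_urls>`) and reports any denylist pattern that would also match a login URL. The function names, sample patterns and login URLs are constructed placeholders; substitute your team's real login and IdP URLs.

```javascript
// Added example: pre-flight check that a proposed denylist does not block login URLs.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Compile a match pattern (<scheme>://<host>/<path>) into a URL predicate.
function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") {
    return (url) => /^(https?|file|ftp):$/.test(new URL(url).protocol);
  }
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*:]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`Unsupported or invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const pathRe = new RegExp("^" + path.split("*").map(escapeRe).join(".*") + "$");
  return (url) => {
    const u = new URL(url);
    const proto = u.protocol.slice(0, -1);
    if (scheme === "*" ? !/^https?$/.test(proto) : proto !== scheme) return false;
    if (host !== "*") {
      if (host.startsWith("*.")) { // "*.example.com" covers example.com and subdomains
        const base = host.slice(2).toLowerCase();
        if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
      } else if (u.hostname !== host.toLowerCase()) return false;
    }
    return pathRe.test(u.pathname + u.search); // path pattern covers path and query
  };
}

// Return every (pattern, url) pair where the denylist would block a login URL.
function findLoginConflicts(denylist, loginUrls) {
  const conflicts = [];
  for (const pattern of denylist) {
    const matches = compileMatchPattern(pattern);
    for (const url of loginUrls) {
      if (matches(url)) conflicts.push({ pattern, url });
    }
  }
  return conflicts;
}

// Constructed sample data: placeholder hosts, not real PixieBrix or IdP URLs.
const sampleDenylist = [
  "https://crm.example.com/*",
  "*://*.example.com/*", // too broad: also covers the login host below
];
const sampleLoginUrls = [
  "https://login.example.com/sso/start",
  "https://idp.example.net/saml/acs?RelayState=abc",
];
console.log(findLoginConflicts(sampleDenylist, sampleLoginUrls));
```

An empty result means none of the listed login URLs are covered by the denylist; any reported pattern should be narrowed before it is entered in the Admin Console.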

### SAML/SSO Authentication <a href="#block-cfbba6ca75194968b7b740c7882ce3bd" id="block-cfbba6ca75194968b7b740c7882ce3bd"></a>

See the instructions at: [Setting Up SAML/SSO](/enterprise-it-setup/authentication/setting-up-saml-sso.md)

### Disabling Incognito Mode

The PixieBrix browser extension does not run in Incognito mode.

To prevent users from bypassing the extension by using Incognito mode, set the browser's `IncognitoModeAvailability` policy to disable Incognito mode:

* [Chrome Enterprise and Education Help article on managing private browsing](https://support.google.com/chrome/a/answer/9302896?hl=en)
* [Chrome Policy Setting Documentation for IncognitoModeAvailability](https://chromeenterprise.google/policies/#IncognitoModeAvailability)

