# Extension Authentication Configuration

### Automatically Prompting for User Authentication <a href="#block-d5ca2351ea324852a08f4b4ffabdb253" id="block-d5ca2351ea324852a08f4b4ffabdb253"></a>

{% hint style="info" %}
If you are using SAML/SSO, see the instructions at [setting-up-saml-sso](https://docs.pixiebrix.com/enterprise-it-setup/authentication/setting-up-saml-sso "mention").
{% endhint %}

By default, on installation, the PixieBrix browser extension prompts the team member to link the extension to a PixieBrix account. However, if the team member closes the extension, PixieBrix will not prompt them to link the extension again.

To require a team member to log in to the PixieBrix extension, PixieBrix supports using [Chromium’s Managed Policy feature](https://www.chromium.org/administrators/configuring-policy-for-extensions/) to associate the extension with your organization. As part of the PixieBrix heartbeat, which runs every 5 minutes, PixieBrix checks whether the extension is unlinked and, if so, prompts the user to link it.

In Chrome's `chrome://policy/` screen, if you have the PixieBrix browser extension installed, you’ll see the policy value you've provided under the PixieBrix section. For example:

<figure><img src="https://images.spr.so/cdn-cgi/imagedelivery/j42No7y-dcokJuNgXeA0ig/10fda7b9-f70c-4659-a8e8-121039c3f152/Untitled/w=1080,quality=80" alt="" width="563"><figcaption><p>Example: PixieBrix policy section in Chrome/Microsoft Edge with managedOrganizationId policy configured</p></figcaption></figure>

**Windows Registry Setting**

On Windows, use the registry or ADMX policy to set the `managedOrganizationId` policy for the extension.

The extension policy is stored under the following registry key:

```
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\3rdparty\extensions\mpjjildhmpddojocokjkgmlkkkfjnepo\policy
```

The policies should be configured as follows:

| Name                  | Type    | Data                      |
| --------------------- | ------- | ------------------------- |
| managedOrganizationId | REG\_SZ | *Your team's tenant UUID* |

### Blocking Page Access for Unauthenticated Users <a href="#block-cfbba6ca75194968b7b740c7882ce3bd" id="block-cfbba6ca75194968b7b740c7882ce3bd"></a>

PixieBrix supports blocking access to URLs for unauthenticated users. If an unauthenticated user visits a blocked page, they will be redirected to the PixieBrix login page (or an SSO login page if SSO is enabled for your team).

**Configuring the Extension Policy**

| Name                  | Type       | Data                      |
| --------------------- | ---------- | ------------------------- |
| managedOrganizationId | REG\_SZ    | *Your team's tenant UUID* |
| enforceAuthentication | REG\_DWORD | 1                         |

**Configuring the URL Denylist**

{% hint style="warning" %}
Do not add any login flow URLs to the denylist. Adding login URLs will prevent users from authenticating.
{% endhint %}

The denylist of URLs is configured in the Admin Console, under your team's Settings page.

Provide a list of [match patterns](https://developer.chrome.com/docs/extensions/develop/concepts/match-patterns) to deny.
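Before saving a denylist, you can check it against your login flow URLs. The following is an added example, not PixieBrix code: it implements a simplified subset of the Chrome match-pattern syntax (http/https schemes, no ports) and reports every denylist entry that would block a login URL. The hosts, patterns, and function names are constructed placeholders, and PixieBrix's own matcher may behave differently in edge cases.

```javascript
// Added example. Simplified Chrome match-pattern matcher: http/https only, no ports.
const escapeRe = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

function compileMatchPattern(pattern) {
  if (pattern === "<all_urls>") return () => true; // matches every URL
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*:]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`Unsupported match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  // "*" in the path matches any run of characters; everything else is literal.
  const pathRe = new RegExp("^" + path.split("*").map(escapeRe).join(".*") + "$");
  return (url) => {
    const u = new URL(url);
    const proto = u.protocol.slice(0, -1);
    if (scheme === "*" ? !["http", "https"].includes(proto) : scheme !== proto) return false;
    if (host.startsWith("*.")) {
      // "*.example.com" matches example.com and any subdomain of it.
      const base = host.slice(2);
      if (u.hostname !== base && !u.hostname.endsWith("." + base)) return false;
    } else if (host !== "*" && u.hostname !== host) {
      return false;
    }
    // The path pattern is compared against path plus query string.
    return pathRe.test(u.pathname + u.search);
  };
}

// Returns every (pattern, url) pair where a denylist entry would block a login URL.
function findLoginConflicts(denylist, loginUrls) {
  const conflicts = [];
  for (const pattern of denylist) {
    const matches = compileMatchPattern(pattern);
    for (const url of loginUrls) {
      if (matches(url)) conflicts.push({ pattern, url });
    }
  }
  return conflicts;
}

// Constructed sample data: placeholder hosts, not real PixieBrix or IdP URLs.
const SAMPLE_DENYLIST = [
  "https://*.example.com/*",
  "https://crm.example.net/*",
  "*://intranet.example.org/reports/*",
];
const SAMPLE_LOGIN_URLS = [
  "https://login.example.com/",
  "https://idp.example.com/sso/saml?client=demo",
];
console.log(findLoginConflicts(SAMPLE_DENYLIST, SAMPLE_LOGIN_URLS));
```

With the sample data, the wildcard entry `https://*.example.com/*` is reported twice because it covers both login hosts; narrowing it to the specific application host removes the conflict.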

### SAML/SSO Authentication <a href="#block-cfbba6ca75194968b7b740c7882ce3bd" id="block-cfbba6ca75194968b7b740c7882ce3bd"></a>

See the instructions at: [setting-up-saml-sso](https://docs.pixiebrix.com/enterprise-it-setup/authentication/setting-up-saml-sso "mention")

### Disabling Incognito Mode

The PixieBrix browser extension does not run in Incognito mode.

To prevent users from bypassing the extension by using Incognito mode, set the browser policy to disable Incognito mode:

* [Chrome Enterprise and Education Help article on managing private browsing](https://support.google.com/chrome/a/answer/9302896?hl=en)
* [Chrome Policy Setting Documentation for IncognitoModeAvailability](https://chromeenterprise.google/policies/#IncognitoModeAvailability)
