Target Audience
This content is intended for customers who meet all of the following criteria.
- Customers who have been provided with individual implementation support.
- Customers using Access Control.
Purpose
- This document compiles questions frequently asked after operations with Access Control have begun.
Notes
- This article is intended for customers implementing the deployment structure individually communicated by our company.
- The content of this article is based on the product as of May 2025 and may change without notice thereafter.
Table of Contents
1. About Single Sign-on (SSO) and Federation
2. About Access Control for Microsoft 365 and Google Workspace
3. About Device Certificate
4. Other Topics
1. About Single Sign-on (SSO) and Federation
What services can use Single Sign-on with Access Control?
・In general, cloud services that support the SAML 2.0 or OpenID Connect (OIDC) standards can use Single Sign-on. Many services have a Single Sign-on track record with Access Control and have manuals available, so please check the link below for details.
Services that can use Single Sign-on with HENNGE Access Control
Is it possible to have both users who use Single Sign-on with Access Control and users who sign in directly on the service side as before?
・This is possible for some services. However, whether it is possible and how it is configured depend on the SSO specifications of each service. We do not have comprehensive compatibility information for all services, so please check with each service provider for details.
Is it necessary to create users on both Access Control and the service that users sign in to via Single Sign-on?
・For Microsoft 365 and Google Workspace, there is a user synchronization feature, so if you create a user on the Access Control side, there is no need to create a separate user on the service side. However, for services that do not support the user synchronization feature, it is generally necessary to create and manage users individually on the service side.
※If using Microsoft 365 and performing AD synchronization, the automatic creation of users in Microsoft 365 is done by Microsoft Entra Connect, not Access Control.
※For Salesforce and Cybozu, user provisioning can be synchronized from Access Control to Salesforce and Cybozu only if you have subscribed to the HENNGE One Pro or HENNGE One IdP Pro plan.
Please check the link below for details.
What is the HENNGE Access Control User Provisioning Feature?
2. About Access Control for Microsoft 365 and Google Workspace
For each app or service in Microsoft 365 and Google Workspace, is login via Access Control required every time?
・In Microsoft 365 and Google Workspace, due to the product specifications of each company, sessions are maintained for a certain period, so login via Access Control is not necessarily required every time.
For example, when using Microsoft 365-related applications, a session valid for 90 days from the last sign-in is issued, and as long as the user continues to use it regularly, the login state may be maintained for a long period. This session management behavior is determined by the specifications of Microsoft and Google and cannot be controlled by Access Control. Therefore, please check the specifications of the service you are using to see how long the session is maintained.
Please check the link below for details.
About the Relationship Between Cloud Service Authentication Sessions and HENNGE Access Control
If the previous session is maintained, is it possible that access is allowed from outside the permitted range?
・Yes. For example, if a Microsoft 365-related application is already in use and its session is maintained, access may still be allowed even when the device connects from an IP address range not permitted by the administrator. As long as re-authentication does not occur on the Microsoft 365 side, Access Control's access restrictions are not applied.
On the other hand, if you try to sign in to Microsoft 365 anew, authentication by Access Control will be executed, and if the access is from outside the range permitted by the administrator, it will be blocked, thus preventing unauthorized access by third parties.
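The gap described above can be monitored from the defender's side. The following is an added example, not part of the original article or the product: it scans activity records for use of a still-valid session from outside the permitted IP ranges. The event fields, sample records, and network range are constructed assumptions, not a real log schema.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed values: the administrator-permitted range and the session lifetime.
ALLOWED_NETWORKS = [ip_network("203.0.113.0/24")]
SESSION_LIFETIME = timedelta(days=90)  # the 90-day Microsoft 365 figure quoted above

# Constructed sample events; the field layout is hypothetical.
# "sign_in"  = new authentication, evaluated by the identity provider
# "activity" = use of an existing service-side session, no re-authentication
EVENTS = [
    ("2025-05-01T09:00:00", "alice@example.com", "203.0.113.10", "sign_in"),
    ("2025-05-10T20:15:00", "alice@example.com", "198.51.100.7", "activity"),
    ("2025-05-11T08:30:00", "alice@example.com", "203.0.113.10", "activity"),
    ("2025-05-02T10:00:00", "bob@example.com", "203.0.113.20", "sign_in"),
    ("2025-08-15T10:00:00", "bob@example.com", "198.51.100.9", "activity"),
]

def in_permitted_range(ip, networks=ALLOWED_NETWORKS):
    """True if the address falls inside any administrator-permitted network."""
    addr = ip_address(ip)
    return any(addr in net for net in networks)

def out_of_range_session_use(events, networks=ALLOWED_NETWORKS,
                             lifetime=SESSION_LIFETIME):
    """Return activity served from a live session outside the permitted ranges."""
    last_seen = {}  # user -> time the session was last established or used
    findings = []
    for ts, user, ip, kind in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        live = user in last_seen and when - last_seen[user] <= lifetime
        if kind == "sign_in":
            last_seen[user] = when  # fresh authentication starts a session
        elif live:
            last_seen[user] = when  # regular use keeps the session alive
            if not in_permitted_range(ip, networks):
                findings.append((ts, user, ip))
        # Activity without a live session is skipped: it needs a new sign-in,
        # which is where the access restriction is evaluated again.
    return findings

if __name__ == "__main__":
    for finding in out_of_range_session_use(EVENTS):
        print("session used outside permitted range:", finding)
```
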
Are there any accounts that are not subject to access control in Microsoft 365 and Google Workspace?
・Please note that the following accounts are not subject to access control by Access Control.
・Users using onmicrosoft.com (initial domain) (Microsoft 365)
・Privileged administrator users (Google Workspace)
・Users performing basic authentication with POP / IMAP / SMTP protocols (Google Workspace)
3. About Device Certificate
Is there an expiration date for the device certificate?
・The device certificate has an expiration date of 5 years from issuance.
How is the renewal of the device certificate performed?
・Please check the link below for details on renewing the device certificate. The procedure involves having the end user install a new certificate.
[Device Certificate] Renewal of Device Certificate with Expiration Date Within 30 Days
Is it possible to temporarily use device certificates on both old and new devices due to device replacement?
・Yes, it is possible. In this case, the number of issued device certificates may temporarily exceed the maximum allowed under the contracted license, but by using the replacement function, up to 150% of that maximum can be issued temporarily.
Please check the link below for details.
[Device Certificate] Procedure for Device Certificate Migration During Device Replacement
4. Other Topics
For other frequently asked questions, please check the links below.
[General About Access Control] Frequently Asked Questions (FAQ)
[About Device Certificate] Frequently Asked Questions (FAQ)