Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.enneo.ai/llms.txt

Use this file to discover all available pages before exploring further.

Enneo offers two independent mechanisms for controlling system access: a network-based IP whitelist and an identity-based configuration of permitted login methods. Both mechanisms act on different levels and can be combined.

IP Whitelist

The IP whitelist restricts access to Enneo based on the network address of the requesting client. If the setting is active, all requests from users are rejected whose IP address is not included in the list. The configuration can be found under Advanced settings → Privacy → Access control - IP Whitelist. The setting accepts a list of IP addresses or CIDR ranges. Both IPv4 and IPv6 are supported. 
["192.168.1.0/24", "10.0.0.5", "2001:db8::/32"]
If the list is empty, access is possible without IP restriction. As soon as at least one entry is set, each request is checked — if there is a match, access is granted, otherwise it is denied.
When setting the IP whitelist, the system checks whether the own IP address of the configuring user is also included in the list. If this is not the case, the save is rejected — as protection against accidental self-locking.

Login methods (OAuth / SSO)

Enneo supports several login methods that can be configured per tenant. The SSO configuration can be found under Advanced Settings → Single-Sign-On.

Permitted Login Methods

The setting determines which login types are active:
ValueDescription
microsoftMicrosoft Azure AD / Entra ID (OAuth2/OIDC)
googleGoogle OAuth2
oauthGeneric OAuth2 provider (configurable)
localLocal login with email and password
Users who were created exclusively through SSO cannot log in through local login — even if local is activated.

Allowed Email Domains

If this setting is set, new users will only be created if their email address belongs to one of the configured domains. 
["example.com", "partner.org"]
Existing users are not affected — the check is exclusively done when a new account is created via SSO. If the list is empty or not set, there are no domain restrictions.