Authentication Overview
Your community's web experience is a public URL, and if your mobile app is published in the App Store and Google Play then anyone can download the apps. The public access makes it easy to reach your community's landing page, where the users either sign in or register. Therefore, controlling access to your content requires carefully considering your authentication configuration. There are two core authentication options - Firstup Sign-In or SSO (single sign-on). Firstup Sign-In includes both a Username and Email option, and both can have User Verification.
All authentication options are compatible with User Sync.
In the mobile app experience, both Firstup Sign-In and SSO can have an added layer of biometric access for reopening the mobile app. Note that biometric access does not replace the sign-in process; it is in addition to the user sign-in.
You can review all of your authentication options at any time with your Firstup contact. Please reach out to your Customer Success Manager to review how our options fit your particular needs.
User Sessions
With both Firstup Sign-In and SSO, user sessions are treated the same way. Web experience and mobile app experience user sessions do not automatically expire. This helps drive user retention and keeps engagement high. However, session timeout can be configured via Creator Studio by navigating to Configure > Session Options.
If you have users who no longer have access to the community, deactivating their profile will immediately end all Firstup sessions (web experience, mobile app experience, microapps, and Creator Studio) and prevent them from accessing the community again. You can deactivate a user manually at any time via the Users page in Creator Studio. To automate deactivating users, please review our deprovisioning API option.
Opening Sign-In Options
Only Brand Super Admins or other applicable custom roles can see or change the sign-in configuration.
Navigate to Configure > User Access.
Firstup Sign-In
When your community is configured for Firstup Sign-In, your users create an account with Firstup and set a password that is encrypted and stored by Firstup. You can allow users to register with Firstup using either a username or email.
Username
When Username is enabled, users can set a username using any string of characters. There is no confirmation email, but they are required to complete User Verification. This means that you must set up User Verification before you can enable Username.
If you can't see the Username option, please contact Firstup Support.
Email
When Email (Known or Other) is enabled, users can register using an email that meets the allowed domains. You can choose to require User Verification for either (or both) Known and Other Email Domains.
All users that register via email will need to confirm their emails via an email confirmation link that is sent to them before they set their password.
Note: To ensure your employees receive the email confirmation from the Firstup platform, please work with your IT department to allowlist the Firstup email domain and IP address within your company email system. If the email confirmation is caught in a spam filter, your users will not be able to complete registration.
Known Email Domains allows you to specify that users with the listed email domains can register for your community. Other Email Domains allows you to permit users with any other email domain to register.
An example of how to combine Known and Other Email Domains is the following:
- Enable Known Email Domains and set the allowed domains to your company domain, such as elevationendurance.com. Do not enable User Verification for the Known Email Domains.
- Enable Other Email Domains and require User Verification.
The effect of the above combination is that your employees can register without going through User Verification and then users with any other email domain (such as gmail.com, yahoo.com) must complete User Verification before they gain access to private content.
User Verification
User Verification confirms user identity by personal details such as name, date of birth, employee ID, etc. Exactly what data is used to confirm their identity is determined by you. User Verification only needs to be completed once by each user - once they are fully registered, they will not need to revisit User Verification.
If enabled, Registering users will see User Verification questions at the top of Latest above public (shareable, untargeted) content until they complete the questions. After they complete verification, the user will become Registered and see the private content (non-shareable, targeted).
User verification is always used in conjunction with Username and can be used in conjunction with Known and/or Other Email Domains.
User Verification cannot be configured or managed in Creator Studio and will require transferring the employee data using CSV via SFTP. Want to learn more about this option? Contact your Customer Success Manager for information!
SSO (Single Sign-On)
If you have SSO set up at your organization, it allows a user to sign in to multiple different systems with the same ID and password. Firstup can be configured to work with your existing SSO setup, which would mean that the usernames and passwords are managed by your Identity Provider (IdP).
Employees that register via SSO do not see User Verification questions, but will still be presented with the welcome video. The user will be linked with their existing profile on Firstup if one has been created via user sync, or otherwise a new profile will be created using the data from the SSO request.
If you would like to leverage SSO, please review automated Deprovisioning with your Firstup contact. Deprovisioning will be a necessary addition to managing user access via the SSO IdP as deprovisioning will terminate active sign-in sessions for separated employees.
To get started with an SSO integration, please reach out to your Customer Success Manager.
Renewing the SAML X.509 Certificate
SAML certificates have a limited validity period, usually ranging from a few months to a few years. If a certificate expires, it will no longer be trusted by Firstup, and users will be unable to sign in via SSO. Therefore, you need to renew your certificates before they expire, or replace them with new ones if they are revoked or compromised.
New certificates must be applied by Firstup Support. It is recommended that you submit a ticket to Support at least a week before the current certificate will expire. Once a ticket has been submitted, Support will request the following:
- The new certificate either as XML metadata or as text (base64).
  Firstup are unfortunately not able to apply a DER (.cer) or PEM (.pem) file.
- Confirmation of which certificate to replace if you have multiple configurations (e.g. Experience and Creator Studio).
- Date and time (including timezone) when the certificate will be applied.
  We can accommodate any time from 1am - 5pm PST, Monday-Friday (except holidays - see Support Availability), regardless of your support package.
- Have a user stand by to log out/log in after the update to ensure the changeover went well. Support can join a Zoom or Teams meeting to ensure any issues are identified and addressed immediately.
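The following shell script is an added example, not a Firstup tool. It prepares a certificate for the renewal ticket described above: it converts a DER or PEM file into base64 text, prints a fingerprint for confirming which certificate is being replaced, and checks whether the certificate expires within the one-week lead time. It assumes the openssl CLI is installed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight checks before opening a certificate renewal ticket.
# Assumes the openssl CLI is installed; all function names are illustrative.

# Print certificate FILE (PEM or DER) as PEM on stdout.
cert_as_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -outform PEM
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# One line of base64 with no PEM header or footer: the same encoding that
# <ds:X509Certificate> carries in SAML metadata.
cert_b64_text() {
    pem=$(cert_as_pem "$1") || return 2
    printf '%s\n' "$pem" | grep -v -- '-----' | tr -d '\r\n'
    echo
}

# SHA-256 fingerprint, for confirming which certificate is being replaced.
cert_fingerprint() {
    pem=$(cert_as_pem "$1") || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if FILE expires within LEAD_DAYS (default 7), 1 if it stays valid
# beyond that window, 2 if the file cannot be parsed as a certificate.
expires_within() {
    pem=$(cert_as_pem "$1") || return 2
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( ${2:-7} * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Print a summary when the script is given a certificate path (and optional days).
if [ "$#" -gt 0 ]; then
    echo "fingerprint: $(cert_fingerprint "$1")"
    echo "base64 text: $(cert_b64_text "$1")"
    rc=0; expires_within "$1" "${2:-7}" || rc=$?
    case "$rc" in
        0) echo "status: expires within ${2:-7} days" ;;
        1) echo "status: valid beyond ${2:-7} days" ;;
        *) echo "status: not a readable certificate" ;;
    esac
fi
```

Running the same check on a schedule against the certificate currently in use, with a lead time longer than 7 days, leaves room to agree the changeover date and time with Support.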
Default Sign-In Option and Labels
It is possible to have multiple authentication options enabled simultaneously for your community. If both Firstup Sign-In (Username and/or Email) and SSO are enabled, then users will see text that allows them to switch between Firstup Sign-In and SSO.
When you have multiple authentication options enabled, you can set the Default Sign-In Option at the top of the Sign-In Options page. All users will land on the default sign-in tab first but have the option to toggle to the second option. You can also customize the Login Page Label that appears to users. Type in up to 15 characters (including white spaces) to update the label to fit your organization.
[Image: default labels vs. customized labels, both with SSO set as the default sign-in option]
Note: With more than one authentication option enabled, it is possible for users to create duplicate accounts. We recommend that you consult with your Customer Success Manager before enabling more than one authentication option at a time.