Configure Authentication Methods for a Tenant
Each Authway instance has at least Username/password and Microsoft Authentication configured, but there can also be more authentication methods, such as social logins, verified identities such as Swedish BankId, One-time Password and others. Any authentication method configured for the instance can be turned off for a specific tenant if it shouldn’t be allowed. It is also possible to add tenant-specific authentication methods for the OpenID Connect or SAML protocols.
Tenant-specific authentication can be configured after registering a unique identifier for the tenant, which will be part of the URLs during the sign-in flow. Use the tenant name or an abbreviation of the name.
Auto-provisioning
Auto-provisioning is the concept of automatically handling the complete life-cycle of users in their home catalog (realm). It has the following benefits:
- Single-sign-on with their existing business accounts.
- During sign-in all information about the user, such as name and e-mail, is updated from the information provided by their home catalog.
- Automatic synchronization of user permissions. This is done by synchronizing the Authway groups the user should belong to by matching the external groups with the groups/roles that the user belongs to in their home catalog.
- Automatic creation of new users and assignment of groups in the same way as above. This can be done by registering trusted domain(s) for the tenant. The trusted domain should match everything after the “@” character in the e-mail address that the user enters when signing in.
For auto-provisioning to work, at least one of the allowed authentication methods on the tenant must be configured to allow auto-provisioning, and one or more trusted domains must also be configured.
Auto-linking
Auto-linking is very similar to auto-provisioning, with the difference that a user can’t be automatically created. Instead the user must be created by the administrator or through API calls. Auto-linking does not require any trusted domains to be configured for the tenant.
The benefits of using auto-linking are very similar to those of auto-provisioning, except for the initial creation of users.
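The decision rules for auto-provisioning and auto-linking described above, as an added sketch that is not Authway's own code or API. The `Tenant` class, the mode strings and the sample names and domains are assumptions made for illustration, as is linking an existing user under either mode without a domain check.

```python
from dataclasses import dataclass, field

# Hypothetical per-method modes for this sketch (not Authway settings).
NONE, LINK, PROVISION = "none", "link", "provision"


@dataclass
class Tenant:
    methods: dict                      # allowed method name -> mode
    trusted_domains: set = field(default_factory=set)


def email_domain(email: str) -> str:
    """Everything after the last "@", lower-cased; "" if the address is unusable."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""


def decide(tenant: Tenant, method: str, email: str, user_exists: bool) -> str:
    """Return "link", "create" or "reject" for a sign-in from an external catalog."""
    mode = tenant.methods.get(method)
    if mode is None:
        return "reject"                # method is not allowed for this tenant
    if user_exists:
        # Auto-linking needs no trusted domain: the account was created by an
        # administrator or through the API beforehand.
        return "link" if mode in (LINK, PROVISION) else "reject"
    # Creating a user needs BOTH a method that allows auto-provisioning and a
    # trusted domain. The comparison is exact: a suffix or substring test would
    # also accept look-alike domains that merely contain the trusted name.
    trusted = {d.lower() for d in tenant.trusted_domains}
    if mode == PROVISION and email_domain(email) in trusted:
        return "create"
    return "reject"


# Constructed sample tenant; method names and domains are made up.
TENANT = Tenant(
    methods={"entra": PROVISION, "partner-saml": LINK},
    trusted_domains={"example.com"},
)

if __name__ == "__main__":
    for m, e, exists in [("entra", "new@example.com", False),
                         ("entra", "new@example.com.attacker.test", False),
                         ("partner-saml", "new@example.com", False),
                         ("partner-saml", "old@other.org", True)]:
        print(f"{m:13} {e:32} exists={exists!s:5} -> {decide(TENANT, m, e, exists)}")
```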
Social Sign-in Methods
When using social sign-in methods, such as Microsoft, Google, Apple and others, we recommend that the privacy policy includes information about this. For some of them, for example Google, it is required. The information we suggest including can be something like this:
"When you use a social login, such as Microsoft, Google [include the ones used], we collect a unique identifier, your name and e-mail address from the service."
Our possibilities to configure Google authentication are somewhat limited because of the requirements set by Google. We can only administer the simplest form of integration, without brand recognition. If you want to display your logo and/or a specific application name, the configuration must be done from a Google account that has access to the Google Search Console where your domain is verified (which means this also requires a custom domain for your Authway instance). We can of course help and guide you in the process, or be invited with sufficient permissions to your Google Console.