Access and authentication
To access the Flexxible platform, users can authenticate using the following methods:
Authentication with a Microsoft Entra ID or Google account
For Flexxible's single sign-on (SSO) system to validate Microsoft or Google accounts and authorize access to the platform, an administrator needs to grant the following permissions:
- Microsoft Entra ID. Enable the use of a Flexxible Enterprise Application in your tenant.
- Google. Enable the use of a Flexxible OAuth Client ID in your tenant.
This procedure is common in third-party applications that delegate authentication to Microsoft Entra ID or Google. The tenant administrator can always check the data the application has access to, see which users have utilized it, or revoke consent. If it's revoked, users can no longer log in to Flexxible.
Depending on the organization's configuration and security policies, an administrator might need to authorize these accounts the first time they are used.
Enterprise Application Consent and Permissions in Entra ID
Access can be granted to individual users or groups. However, as explained earlier, there is an option to simplify the process: an administrator can grant organizational consent for using the Enterprise Application.
This consent automatically registers the Enterprise Application in the Azure tenant and allows the organization's users to log in to Flexxible using their corporate credentials. It's enough for the administrator to attempt to log in to the Portal for the first time to trigger the consent request.

If consent is configured manually, the Enterprise Application must include the following permissions:
| Permission | Caption |
|---|---|
| Directory.Read.All | Read directory data |
| email | View users' email addresses |
| offline_access | Maintain access to data that has been granted access |
| openid | Log In |
| profile | View basic user profile |
| User.Read | Log in and read users' profiles |
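The consent described above can be audited rather than taken on trust. The following is an added example, not Flexxible's or Microsoft's code: it reviews the delegated-permission grants that Microsoft Graph records for a service principal as oauth2PermissionGrant objects, where `consentType` is "AllPrincipals" for organization-wide admin consent or "Principal" for one user's own consent (`principalId`), and `scope` is a single space-separated string of delegated permissions. The grants in the block are a constructed sample in that shape (placeholder GUIDs, no tenant data); "View users' email addresses" is the `email` scope, and the high-privilege marker list is an assumed heuristic, not an exhaustive one.

```python
"""Review the delegated-permission grants consented to an Enterprise Application.

Added example, not Flexxible's or Microsoft's code. The JSON below is a
constructed sample in the shape Microsoft Graph returns for
oauth2PermissionGrants; GUIDs are placeholders.
"""
import json

# Delegated permissions the page lists for the Flexxible Enterprise Application.
EXPECTED_SCOPES = frozenset({
    "Directory.Read.All", "email", "offline_access", "openid", "profile", "User.Read",
})

# Substrings marking delegated scopes well beyond sign-in and directory read
# (assumed heuristic, not an exhaustive list).
HIGH_PRIVILEGE_MARKERS = ("ReadWrite", "Mail.", "Files.", "Sites.", "Directory.AccessAsUser")

# Constructed sample: one org-wide admin consent with exactly the documented
# scopes, plus one per-user consent that is both incomplete and over-privileged.
SAMPLE_GRANTS = json.dumps({"value": [
    {"id": "grant-1", "clientId": "00000000-0000-0000-0000-0000000000aa",
     "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "00000000-0000-0000-0000-0000000000ff",
     "scope": "Directory.Read.All email offline_access openid profile User.Read"},
    {"id": "grant-2", "clientId": "00000000-0000-0000-0000-0000000000aa",
     "consentType": "Principal", "principalId": "00000000-0000-0000-0000-0000000000bb",
     "resourceId": "00000000-0000-0000-0000-0000000000ff",
     "scope": "openid profile User.Read Directory.ReadWrite.All"},
]})


def parse_scope(scope: str) -> set:
    """Split Graph's space-separated `scope` string into individual scope names."""
    return {s for s in scope.split() if s}


def review_grant(grant: dict, expected=EXPECTED_SCOPES) -> dict:
    """Compare one grant with the documented scope set.

    `missing` scopes break sign-in or profile reads; `extra` scopes mean the
    application holds more access than documented and consent should be
    reviewed or revoked.
    """
    granted = parse_scope(grant.get("scope", ""))
    missing = sorted(expected - granted)
    extra = sorted(granted - expected)
    if grant.get("consentType") == "AllPrincipals":
        consent = "organization"
    else:
        consent = f"user:{grant.get('principalId')}"
    return {
        "consent": consent,
        "missing": missing,
        "extra": extra,
        "high_privilege_extra": [s for s in extra
                                 if any(m in s for m in HIGH_PRIVILEGE_MARKERS)],
    }


def review_grants(grants_json: str, expected=EXPECTED_SCOPES) -> dict:
    """Review every grant recorded for one service principal.

    `org_wide` is None when no admin consent exists, which is the case in which
    the page says an administrator may have to authorize accounts on first use.
    """
    grants = json.loads(grants_json)["value"]
    org = [g for g in grants if g.get("consentType") == "AllPrincipals"]
    users = [g for g in grants if g.get("consentType") == "Principal"]
    return {
        "org_wide": review_grant(org[0], expected) if org else None,
        "per_user": [review_grant(g, expected) for g in users],
    }


if __name__ == "__main__":
    print(json.dumps(review_grants(SAMPLE_GRANTS), indent=2))
```

In a real tenant the input would be the response of `GET /servicePrincipals/{id}/oauth2PermissionGrants` from Microsoft Graph; the review logic is the same, and any `high_privilege_extra` entry is a grant the page's permission list does not justify.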
Authentication with email and password
By default, every user of the Flexxible platform can log in with a Microsoft Entra ID or Google account.
Optionally, users with the Organization Administrator permission can enable login via email and password for other organization members. This way, users can choose how to sign in.

Login process
To log in to the Flexxible platform using email and password for the first time, follow these steps:
- Enable email and password authentication for the user. This step must be done by an Organization Administrator.
- Once enabled, the user receives a welcome email with a link to create their password. The link is for one-time use only. If they can't log in with it, they can still authenticate with Microsoft Entra ID or Google.
- Create a password; without it, the user can't log in.
- Set up two-factor authentication through an authentication app. The first time the user attempts to log in with email and password, the platform prompts them to do so.
- Log in.
Access to email and password authentication
To activate this method for users, an Organization Admin must first enable the option for email and password authentication at the organization level.
Then, the Organization Admin can enable access for the users within the organization. To do this, Flexxible offers the following options:
Enable access for a new user
- Go to Portal -> Settings -> Users.
- Click New. A form opens requesting the user's information.
- Check the option Enable email/password login.
- In the form, click New.
You can find more information on how to create a user in Users.

Enable access for a batch of users
For this action, it's recommended to first export the user list to get the Excel file with the appropriate format:
- Go to Portal -> Settings -> Users -> Export users.
- Open the Excel file. In the Email login enabled column, indicate which users will have access enabled: Y (enable) or N (disable).
- Save the new file and return to the table with the user list: Portal -> Settings -> Users.
- Click Import users. Select the saved file.
- Click Import.
Enable access from the user table
- Go to Portal -> Settings -> Users.
- Select the users you want to enable access for.
- In the top menu, click Email login actions -> Enable email login or Disable email login, as needed.

Reset the password from the user table
- Go to Portal -> Settings -> Users.
- Select the users who will receive an email with the link to regenerate the password.
- Select Email login actions -> Resend password reset email.

This option is only available for users who have email and password authentication enabled.
Authentication security settings
Flexxible allows managing security levels for email and password authentication, both at user and organization level.
User-level authentication security settings
From Portal -> User Profile -> Settings -> Authentication Security Settings, users can set up three two-factor authentication methods and configure their password.


Two-factor authentication
This security measure is available for users who log in using email and password, adding an extra layer of protection to the account.
Authentication Methods
For two-factor authentication, Portal allows enabling three methods:
Authentication app
An authentication app generates one-time verification codes. When this method is enabled, on logging into the platform the user is prompted to enter the current verification code in addition to their usual password. The user must first install an authentication app, such as Microsoft Authenticator, Google Authenticator, or any other preferred app.
To add this method, the user must click on Enable in the authentication security settings panel. A modal window will display a QR code. When scanned, the user must enter the six-digit verification code provided by the authentication app in the designated field.

Next, a recovery code will be shown, which the user should save in case they ever need to log in and don't have access to the device where the authentication app is installed.

From then on, when logging in, the user will be prompted for the verification code in addition to the password.
When a user first logs into the platform using their email and password, they will be asked to set up this authentication method to enhance account security.
Verification Code and Recovery Code are not the same. The first is generated by the authentication app, the second is provided by Flexxible as a precautionary measure.
From the authentication security settings panel, the user can see the date and time a session was started using this method, as well as the date it was added as a two-factor security method.
Recovery code
When the use of the authentication app is enabled, Flexxible generates a recovery code for the user to save and use when they don't have access to the device where the authentication app is downloaded. The Recovery Code option allows regenerating this code if it is lost, to verify the user's identity when they wish to log in.
Email verification
If enabled, it allows verifying the user's identity through an email if they forget their password or don't have access to other identification methods.

To enable this option, the user must click Enable in the authentication security settings panel. From there, the user can also see the date and time the method was last used, as well as the date it was added as a two-factor security method.
Reset two-factor authentication
Allows resetting the two-factor authentication methods when a user loses access to the devices that enabled their identification. By pressing Regenerate, the two-factor authentication methods are disabled.
The user can enable them directly from the same security settings panel. Or by logging out and then logging back into the platform.
It also provides information about the date and time the two-factor authentication was last reset.
Password
From the same panel, the user can request a password reset by pressing the Resend password reset email button; an email with instructions follows.
It also provides information about the last time the password was changed, the last login, and the last IP address from which they connected.
Authentication security settings at the organization level
An Organization Administrator can enable or disable login through email and password for users of the organization and its sub-organizations. Where sub-organizations exist, the functionality can only be enabled or disabled from the main organization.
To do this, from the Portal, you must go to Settings -> Organization. And in the left side menu, you must click on the Authentication tab.
Enable or disable the email and password authentication option at the organization level
The button Enable email/password authentication or Disable email/password authentication, as applicable, allows enabling or disabling the possibility for users who are members of an organization or sub-organization to be able to activate login with email and password.
If this option is disabled, users can no longer log in with email and password or manage those credentials: all stored passwords and two-factor enrollments for the organization's users are deleted. If the feature is re-enabled, each user must set a new password and enroll two-factor authentication again.

User table
The user table in the Authentication tab shows the list of organization members. At a glance, you can see which members have the option to log in via email and password enabled.
User authentication detail
By clicking on a user's name in the table, you can access cards with specific information about the authentication method they have enabled:
- Microsoft Entra ID. Position, Phone, Last login, Login count, and Last IP address.
- Google. Last login, Login count, and Last IP address.
- Email and password authentication. Last login, Login count, and Last IP address. Additionally, from here, the administrator can manage the Authentication security settings for that specific user, which include Two-factor authentication and Password.

Authentication with SAML
The Security Assertion Markup Language (SAML) is a single sign-on (SSO) technology that allows organizations to connect their identity managers (Okta, Entra ID, among others) with the Flexxible platform, delegating the authentication process to it.
To set up login with this method, you need to make adjustments related to recognizing the organization's domain and integrating with the identity manager used.
Domains
From this tab, an Organization Administrator can register and verify the domains to be used. You can also access the table with the domain list and consult its detail view.

The table shows the following information:
- Domain name. Web address registered by the organization.
- Status. Verified or Not verified.
- Created on. Domain creation date and time.
- Created by. User who registered the domain.
Create a domain
To configure a domain, it must first be registered and then verified.
- Access Portal -> Organization.
- In the menu, select the Domains tab.
- Click Create domain.
- Enter the organization's domain (the domain part of the email addresses of the users who will log in with SAML).
- Click New.
The domain will be added to the table with the status Not verified.
Verify the domain
- In the Domains table, select the registered domain.
- A window appears with instructions to add a TXT record in DNS, necessary to verify ownership of the domain.
- Click Verify now to complete the process. If the TXT record has not yet propagated to public DNS, verification fails and can be retried later.
Create an SSO connection
Creating an SSO connection allows users with specific domain email addresses to authenticate through the organization's identity provider.

- Access Portal -> Organization.
- In the menu, select the SSO Integrations tab.
- Click Create connection and follow the wizard instructions, which guide the Organization Administrator through the setup and testing according to the identity manager used.
Available identity managers:
- Okta
- Entra ID
- Custom SAML
For each case, a wizard will guide you step by step in the specific setup within the selected identity manager.


Some of the data requested during setup may have different names depending on the identity manager. For example, in Custom SAML:
- The Single Sign-On URL field may appear in the identity manager as Reply URL (Assertion Consumer Service URL).
- The Service Provider Entity ID field may be called Identifier (Entity ID).
If any doubts arise during the setup process, please consult with your contact at Flexxible.
Once the process is completed, users from associated domains will be able to log in by entering their email address in the appropriate field and clicking Continue with email.

If the system recognizes the domain as enabled for SSO, it will redirect the user to the organization's identity manager for authentication.
Edit an SSO connection
The platform allows editing an existing SSO connection, either to update the configuration or to renew the identity provider's signing certificate when it expires.
- Access Portal -> Organization.
- In the menu, select the SSO Integrations tab.
- Select a record in the table.
- Click Edit connection.
Checking the Enable SCIM user provisioning checkbox is optional. More information in User provisioning with SCIM.

Remove domain
- Access Portal -> Organization.
- In the menu, select the Domains tab.
- Select the domain in the table that you want to remove.
- In the detail window, click Remove.
By removing a domain, users associated with it will no longer be able to authenticate via SAML until it is registered again.
Remove an SSO connection
- Access Portal -> Organization.
- In the menu, select the SSO Integrations tab.
- Select the corresponding record in the table.
Self-Service Provisioning
The System for Cross-domain Identity Management (SCIM) is a user provisioning and management standard that complements authentication with SAML. It is optional and automates the creation, update, and removal of user accounts in Portal, keeping information synchronized between the organization's identity manager (Okta, Entra ID, etc.) and the Flexxible platform.
When SCIM is enabled, the identity manager can send basic user information (name, email, group) to Portal, simplifying account management. This way, the user's lifecycle in Portal is centrally controlled from the identity manager.
Enable SCIM in Portal
To use SCIM, authentication with SAML must already be set up:
- Access Portal -> Organization.
- In the menu, select the SSO Integrations tab.
- In the table, select the corresponding SSO connection.
- Check the Enable SCIM user provisioning option.

When the option is activated, the following appear at the bottom of the configuration window:
- SCIM endpoint
- Authentication token
These details are confidential and should be stored securely. The token is a bearer credential: anyone who obtains it can create, modify, or deactivate users in Portal through the SCIM endpoint, so it belongs only in the identity manager's provisioning configuration or a secrets store, never in tickets, chat, or documentation.
In environments with sub-organizations, the SCIM integration must be defined in the "parent" tenant.
Configure SCIM in the identity manager
In the organization's identity manager, enter the SCIM endpoint and authentication token provided in Portal.
Example with Entra ID:
- Go to Provisioning.
- Enter the SCIM endpoint and authentication token.
- Select the authentication method: Bearer token or Bearer Authentication.
- Click Test connection to validate synchronization.
- Activate provisioning.

From that moment, the identity manager will start syncing groups and users to Portal.
If Okta is used as the identity provider:
- SCIM has to be configured using the Custom SAML option, as Okta does not support SCIM when the connection is made with OIDC.
- When configuring the Custom SAML connection, the Application username format must be set to Email; otherwise, users will not be able to authenticate.
Create user groups in the identity manager
To integrate users via SCIM, it is essential to create groups in the identity manager.
Considerations
- Create groups specifically dedicated to Portal with clear and exclusive names (e.g. MiOrg-Portal-L2).
- When user groups are created or deleted in the identity manager, they are also automatically created or deleted in Portal.
- Do not create nested groups.
- A user should belong to only one group; otherwise, unexpected behavior may arise, since in Portal a user cannot have more than one role.
- There cannot be users without an assigned group.
- Users belonging to a group that does not have a linked role will not be visible in the Users list.
When user groups are created in the identity manager, the SCIM Provisioning tab will automatically appear in the Organization menu of Portal.

Role mapping in Portal
In the SCIM Provisioning tab table, you can see the groups created in the identity manager. This happens because a one-way synchronization has been established from the identity manager to Portal.
To map roles:
- Access Portal -> Organization.
- In the menu, select the SCIM Provisioning tab.
- Select a synchronized group from the table.
- In the modal window, assign the corresponding role.
- If an organization (tenant) has sub-organizations, choose which sub-organization the group belongs to before assigning it a role.

From the moment all groups are linked to a role, no further configurations will be needed. New users added or removed from groups in the identity manager will be automatically synchronized in Portal.
Considerations about roles
- Every synchronized group must have a role assigned to be visible and functional in Portal.
- The same role can be assigned to different groups.
- The role assigned to a group can be changed at any time by following the same steps used to assign it.
- In the Users list, the Created by and Updated by columns identify users managed by SCIM.

Role synchronization
The synchronization frequency depends on the identity manager used (for example, Entra ID synchronizes every 40 minutes), although manual synchronization can be forced from the identity manager itself for tests or urgent changes without waiting for the automatic cycle.
To avoid relying on those intervals, Portal includes the Sync assigned roles button, which allows aligning user roles belonging to groups created with SCIM.


This action performs the following operations:
- Reviews all users belonging to groups created via SCIM.
- Checks if the role assigned to each user matches the role mapped for their group.
- If discrepancies are detected, it automatically updates the user's role.
If the role belongs to another sub-organization, the user will automatically move to the corresponding sub-organization.
At the end of the process, a detailed summary of the modified data is displayed.

It is not necessary to execute the Sync assigned roles action regularly. It is recommended to use it only when making a change to mapped roles.
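The group considerations above and the Sync assigned roles pass describe one reconciliation algorithm: every SCIM-managed user's role follows the role mapped to the single group they belong to, and a role owned by another sub-organization moves the user there. The block below is an added example, not Flexxible's code, that runs both the pre-checks (one group per user, no nested or unmapped groups going unnoticed, `userName` must be an email, which is the Okta failure mode the page warns about) and the reconciliation over constructed SCIM User and Group resources in the shape an identity provider sends (RFC 7643). Role names, sub-organization names and the `PortalUser` record are assumed for illustration.

```python
"""Group-to-role reconciliation over SCIM-provisioned users (added example).

Not Flexxible's code. SCIM payloads, roles and sub-organization names are
constructed samples; the logic is the one the page describes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class RoleMapping:
    role: str      # role chosen for the group in the SCIM Provisioning tab (assumed name)
    sub_org: str   # sub-organization the group was assigned to (assumed name)


@dataclass
class PortalUser:
    """Minimal model of a user record in Portal."""
    email: str
    role: Optional[str] = None
    sub_org: Optional[str] = None


def groups_by_user(scim_groups: List[dict]) -> Dict[str, List[str]]:
    """Index SCIM user id -> displayNames of the groups that list it as a member."""
    index: Dict[str, List[str]] = {}
    for group in scim_groups:
        for member in group.get("members", []):
            index.setdefault(member["value"], []).append(group["displayName"])
    return index


def validate(scim_users, scim_groups, mapping) -> List[str]:
    """Report the conditions the page warns about before any role is touched."""
    issues = []
    membership = groups_by_user(scim_groups)
    for group in scim_groups:
        if mapping.get(group["displayName"]) is None:
            issues.append(f"group {group['displayName']!r} has no role: its users stay hidden")
    for user in scim_users:
        groups = membership.get(user["id"], [])
        if not EMAIL_RE.match(user["userName"]):
            issues.append(f"user {user['id']}: userName {user['userName']!r} is not an email")
        if not groups:
            issues.append(f"user {user['userName']}: no group")
        elif len(groups) > 1:
            issues.append(f"user {user['userName']}: in several groups {groups}")
    return issues


def sync_assigned_roles(portal_users, scim_users, scim_groups, mapping) -> dict:
    """Align each SCIM-managed user's role and sub-organization with the mapping
    of the single group they belong to. Ambiguous or unmapped users are skipped."""
    membership = groups_by_user(scim_groups)
    by_email = {u.email.lower(): u for u in portal_users}
    summary = {"reviewed": 0, "role_updated": [], "moved": [], "skipped": []}
    for su in scim_users:
        email = su["userName"].lower()
        groups = membership.get(su["id"], [])
        pu = by_email.get(email)
        if pu is None or len(groups) != 1 or mapping.get(groups[0]) is None:
            summary["skipped"].append(email)
            continue
        summary["reviewed"] += 1
        target = mapping[groups[0]]
        if pu.role != target.role:
            summary["role_updated"].append((email, pu.role, target.role))
            pu.role = target.role
        if pu.sub_org != target.sub_org:
            summary["moved"].append((email, pu.sub_org, target.sub_org))
            pu.sub_org = target.sub_org
    return summary


def sample_data():
    """Constructed sample: two clean users, one in two groups, one with a bad userName."""
    scim_users = [
        {"id": "u1", "userName": "ana@example.com", "active": True},
        {"id": "u2", "userName": "bo@example.com", "active": True},
        {"id": "u3", "userName": "carla@example.com", "active": True},
        {"id": "u4", "userName": "dan.example", "active": True},
    ]
    scim_groups = [
        {"id": "g1", "displayName": "MiOrg-Portal-L2", "members": [{"value": "u1"}, {"value": "u3"}]},
        {"id": "g2", "displayName": "MiOrg-Portal-Admin", "members": [{"value": "u2"}, {"value": "u3"}]},
        {"id": "g3", "displayName": "MiOrg-Portal-Unmapped", "members": []},
    ]
    mapping = {
        "MiOrg-Portal-L2": RoleMapping("L2 Operator", "Sub-A"),
        "MiOrg-Portal-Admin": RoleMapping("Organization Administrator", "Main"),
        "MiOrg-Portal-Unmapped": None,
    }
    portal_users = [
        PortalUser("ana@example.com", "L1 Operator", "Sub-A"),
        PortalUser("bo@example.com", "Organization Administrator", "Sub-B"),
    ]
    return portal_users, scim_users, scim_groups, mapping


if __name__ == "__main__":
    pu, su, sg, m = sample_data()
    print("\n".join(validate(su, sg, m)))
    print(sync_assigned_roles(pu, su, sg, m))
```

Running the sample shows why the page asks for one group per user: carla is skipped because two mapped groups give conflicting roles, while bo's unchanged role still triggers a move because his group is owned by the main organization.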