Access and authentication
To access the Flexxible platform, users can authenticate using the following methods:
Authentication with a Microsoft Entra ID or Google account
For Flexxible's single sign-on (SSO) system to validate Microsoft or Google accounts and authorize access to the platform, an administrator needs to grant the following permissions:
- Microsoft Entra ID: enable the use of a Flexxible Enterprise Application in your tenant.
- Google: enable the use of a Flexxible OAuth Client ID in your tenant.
This procedure is common in third-party applications that delegate authentication to Microsoft Entra ID or Google. The tenant administrator can always check the data the application has access to, see which users have utilized it, or revoke consent. If it's revoked, users can no longer log in to Flexxible.
Depending on the organization's configuration and security policies, an administrator might need to authorize these accounts the first time they are used.
Enterprise Application Consent and Permissions in Entra ID
Access can be granted to individual users or groups. However, as explained earlier, there is an option to simplify the process: an administrator can grant organizational consent for using the Enterprise Application.
This consent automatically registers the Enterprise Application in the Azure tenant and allows the organization's users to log in to Flexxible using their corporate credentials. It's enough for the administrator to attempt to log in to the Portal for the first time to trigger the consent request.
If consent is configured manually, the Enterprise Application must include the following permissions:
| Permission | Caption |
|---|---|
| Directory.Read.All | Read directory data |
| View users' email addresses | |
| offline_access | Maintain access to data that has been granted access |
| openid | Log In |
| profile | View basic user profile |
| User.Read | Log in and read users' profiles |
Authentication with email and password
By default, all users of the Flexxible platform have the option to log in with a Microsoft Entra ID or Google account enabled.
Optionally, users with the Organization Administrator permission can enable login via email and password for other organization members. Thus, these users can choose between logging in with a Microsoft Entra ID, Google, or via email and password.
Login process
To log in to the Flexxible platform using email and password for the first time, you must follow these steps:
-
Enable access to email and password authentication for the user. This step must be done by an Organization Administrator.
-
Once enabled, the user will receive a welcome email with a link to create their password. The link is for one-time use only. If they can't log in with it, they can always authenticate with Microsoft Entra ID or Google.
-
Create a password; without it, they can't log in.
-
Set up two-factor authentication through an authentication app. The first time the user attempts to log in with email and password, the platform will prompt them to do so.
-
Log in.
Access to email and password authentication
To activate this method for users, an Organization Admin must first enable the option for email and password authentication at the organization level.
Then, the Organization Admin can enable access for the users within the organization. To do this, Flexxible offers the following options:
Enable access for a new user
-
Go to
Portal->Settings->Users. -
Click on
New. A form will open requesting the user's information. -
Check the
Enable email and password loginoption. -
In the form, click on
New.
You can find more information on how to create a user in Users.
Enable access for a batch of users
For this action, it's recommended to first export the user list to get the Excel file with the appropriate format:
-
Go to
Portal->Settings->Users->Export users. -
Open the Excel file. In the Email login enabled column, indicate which users will have access enabled: Y (enable) and N (disable).
-
Save the new file and return to the table with the user list:
Portal->Settings->Users -
Click on
Import users. Select the saved file.
- Click on
Import.
Enable access from the user table
-
Go to
Portal->Settings->Users. -
Select the users you want to enable access for.
-
In the top menu, click on
Email login actions->Enable email loginorDisable email login, as needed.
Reset the password from the user table
-
Go to
Portal->Settings->Users -
Select the users who will receive an email with the link to regenerate the password.
-
Select
Email login actions->Resend password reset email.
This option is only available for users who have email and password authentication enabled.
Authentication security settings
Flexxible allows managing security levels for email and password authentication, both at user and organization level.
User-level authentication security settings
From Portal -> User Profile -> Settings -> Authentication Security Settings, users can set up three two-factor authentication methods and configure their password.
Two-factor authentication
This security measure is available for users who log in using email and password, adding an extra layer of protection to the account.
Authentication Methods
For two-factor authentication, Portal allows enabling three methods:
Authentication app
An authentication app allows creating one-time verification codes. When this authentication method is enabled, upon logging into the platform, the user will be prompted to enter that verification code along with their usual password. For this, the user must first download an authentication app, such as Microsoft Authenticator, Google Authenticator, or any other preferred app.
To add this method, the user must click on Enable in the authentication security settings panel. Next, a modal window will display a QR code. When scanned, the user must enter the six-digit verification code provided by the authentication app into the designated field.
Next, a recovery code will be shown, which the user should save in case they ever need to log in and don't have access to the device where the authentication app is installed.
From then on, when logging in, the user will be prompted for the verification code in addition to the password.
When a user first logs into the platform using their email and password, they will be asked to set up this authentication method to enhance account security.
Verification Code and Recovery Code are not the same. The first is generated by the authentication app, the second is provided by Flexxible as a precautionary measure.
From the authentication security settings panel, the user can see the date and time a session was started using this method, as well as the date it was added as a two-factor security method.
Recovery code
When the use of the authentication app is enabled, Flexxible generates a recovery code for the user to save and use when they don't have access to the device where the authentication app is downloaded. The Recovery Code option allows regenerating this code if it is lost, to verify the user's identity when they wish to log in.
Email verification
If enabled, it allows verifying the user's identity through an email if they forget their password or don't have access to other identification methods.
To enable this option, the user must click on Enable in the authentication security settings panel. From there, the user can also see the date and time of the last time the method was used, as well as the last time it was added as a two-factor security method.
Reset two-factor authentication
Allows resetting the two-factor authentication methods when a user loses access to the devices that enabled their identification. By pressing Regenerate, the two-factor authentication methods are disabled.
The user can enable them directly from the same security settings panel. Or by logging out and then logging back into the platform.
It also provides information about the date and time the two-factor authentication was last reset.
Password
From the same panel, the user can request the reset of their password. You must press the Resend password reset email button to receive an email with instructions.
It also provides information about the last time the password was changed, the last login, and the last IP address from which they connected.
Authentication security settings at the organization level
An Organization Administrator can enable or disable the option to log in via email and password for users of the organization and its suborganizations. The functionality can only be enabled or disabled from the main organization if suborganizations are available.
To do this, from the Portal, you must go to Settings -> Organization. And in the left side menu, you must click on the Authentication tab.
Enable or disable the email and password authentication option at the organization level
The Enable email and password authentication or Disable email and password authentication button, depending on the case, allows enabling or disabling the login option with email and password for users who are members of an organization or suborganization.
If this option is disabled, users will not be able to log in with email and password or manage their account. All user credentials will be deleted. If this feature is re-enabled, users will need to reset their password and two-factor authentication again.
User table
The user table in the Authentication tab shows the list of organization members. At a glance, you can see which members have the option to log in via email and password enabled.
User authentication detail
By clicking on a user's name in the table, you can access cards with specific information about the authentication method they have enabled:
-
Microsoft Entra ID: Position, Phone, Last login, Login count, and Last IP address
-
Google: Last login, Login count, and Last IP address
-
Email and password authentication: Last login, Login count, and Last IP address. Additionally, from here, the administrator can manage the Authentication security settings for that specific user, which includes Two-factor authentication and Password.
When a user who has never logged into the Flexxible platform is selected, an informative notice is displayed.