> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexxible.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Access and authentication

To access the Flexxible platform, users can authenticate using the following methods:

* Authentication with a Microsoft Entra ID or Google account
* Authentication with email and password
* Authentication with SAML

## Authentication with a Microsoft Entra ID or Google account

For the Flexxible single sign-on (SSO) system to validate Microsoft or Google accounts and authorize access to the platform, an administrator must grant the following permissions:

* **Microsoft Entra ID.** Enable the use of a Flexxible Enterprise Application in their tenant.
* **Google.** Enable the use of a Flexxible OAuth Client ID in their tenant.

This procedure is common in third-party applications that delegate authentication to Microsoft Entra ID or Google. The tenant administrator can review at any time the data the application has access to, review which users have used it, or revoke consent. If it is revoked, users will no longer be able to sign in to Flexxible.

Depending on the organization's configuration and security policies, an administrator may need to authorize these accounts the first time they are used.

### Enterprise Application consent and permissions in Entra ID

Access can be granted to individual users or to groups. However, as explained above, there is an option to simplify the process: have an administrator grant organizational consent for the use of the Enterprise Application.

This consent will automatically register the Enterprise Application in the Azure tenant and will allow the organization's users to sign in to Flexxible with their corporate credentials. All the administrator needs to do is try to sign in to the Flexxible platform for the first time in order to trigger the consent request.

<img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/adminapob.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=09fe2b3fa8a2f6d0a1e4e44d96bc9d2d" alt="adminapob" width="337" height="450" data-path="images/platform/adminapob.png" />

If consent is configured manually, the Enterprise Application must include the following permissions:

| Permission         | Description                                               |
| ------------------ | --------------------------------------------------------- |
| Directory.Read.All | Read directory data                                       |
| email              | View users' email addresses                               |
| offline\_access    | Maintain access to the data you have been given access to |
| openid             | Sign in                                                   |
| profile            | View users' basic profile                                 |
| User.Read          | Sign in and read users' profiles                          |

## Authentication with email and password

By default, all Flexxible platform users have the option to sign in with a Microsoft Entra ID or Google account enabled.

Optionally, users with the *Organization Administrator* permission can enable sign-in via email and password for other members of the organization. Users will then be able to choose how they want to sign in.

<img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/login.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=fbc390e7d0f77d93cec213ce1cae9eb7" alt="login" width="325" height="400" data-path="images/platform/login.png" />

### Sign-in process

To sign in to the Flexxible platform using email and password for the first time, follow these steps:

1. Enable **access to email and password authentication** for the user. This step must be performed by an Organization Administrator.

2. Once enabled, the user will receive a welcome email with a link to create their password. The link is single-use. If they cannot sign in with it, they can always authenticate with Microsoft Entra ID or Google.

3. Create a password; without one, they will not be able to sign in.

4. Set up two-factor authentication through an **authentication application**. The first time the user tries to sign in with email and password, the platform will ask them to do so.

5. Sign in.

### Access to email and password authentication

To enable this method for users, an Organization Administrator must have first enabled the email and password authentication option at the organization level.

An Organization Administrator can then enable access for the users that make up the organization. To do this, Flexxible offers the following options:

* Enable access for a new user
* Enable access for a batch of users
* Enable access from the user table

### Enable access for a new user

1. Go to **Settings** → **Users**.
2. Click **New**. A form will open requesting the user's information.
3. Check the **Enable email/password sign-in** option.
4. In the form, click **New**.

<Tip>
  You can find more information about how to create a user in [Users](../features/administration/users).
</Tip>

<img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/enabled-login-password.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=02fe4d0e9844bb8ae5aaec5a39e498a9" alt="enabled-login-password" width="999" height="449" data-path="images/platform/enabled-login-password.png" />

### Enable access for a batch of users

To perform this action, we first recommend exporting the user list to get the Excel file with the correct format:

1. Go to **Settings** → **Users** → **Export users**.

2. Open the Excel file. In the **Email login enabled** column, indicate which users will be granted access: **Y** (enables) and **N** (disables).

   <img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/login-excel.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=3ed53a84974defdd63412186329da108" alt="login-excel" width="701" height="173" data-path="images/platform/login-excel.png" />

3. Save the new file and return to the user list table:

   **Settings** → **Users**.

4. Click **Import users**. Select the saved file.

5. Click **Import**.

   <img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/import-users-login.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=be94d84dca19580f9602835f1021d573" alt="import-users-login" width="415" height="149" data-path="images/platform/import-users-login.png" />

### Enable access from the user table

1. Go to **Settings** → **Users**.

2. Select the users you want to enable access for.

3. In the top menu, click **Email sign-in actions** → **Enable email sign-in** or **Disable email sign-in**, as appropriate.

   <img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/login-passw-user-table.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=6258674875419067dc9054d56c812e9c" alt="login-passw-user-table" width="1000" height="423" data-path="images/platform/login-passw-user-table.png" />

#### Reset password from the user table

1. Go to **Settings** → **Users**.

2. Select the users to whom an email with the link to generate a new password will be sent.

3. Select **Email sign-in actions`→`Resend password reset email**.

   <img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/resend-passw.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=58eed4a6e464f0de4f1a3febc7463b18" alt="resend-passw" width="809" height="460" data-path="images/platform/resend-passw.png" />

>

<img src="https://mintcdn.com/flexxible/bM882aw8U2s-CYPO/images/platform/resend-message.png?fit=max&auto=format&n=bM882aw8U2s-CYPO&q=85&s=33a34c9bfe759486f16af7669d13ab49" alt="resend-message" width="279" height="186" data-path="images/platform/resend-message.png" />

<Info>
  This option is only available for users who have email and password authentication enabled.
</Info>

### Authentication security settings

Flexxible lets you manage the security levels for email and password authentication, both at the user level and at the organization level.

### Authentication security settings at the user level

From **User profile** → **Settings** → **Authentication security settings**, users can set up three two-factor authentication methods and configure their password.

#### Two-factor authentication

This security measure is available for users who sign in via email and password, adding an extra layer of protection to the account.

**Authentication methods**

For two-factor authentication, the platform allows three methods to be enabled:

* Authentication application
* Recovery code
* Email verification

#### Authentication application

An authentication application generates single-use verification codes. When this authentication method is enabled, when signing in to the platform, the user will be asked to enter that verification code along with their usual password. To do so, they must first download an authentication app, such as Microsoft Authenticator, Google Authenticator, or any other they prefer.

To add this method, the user must click **Enable** in the authentication security settings panel. A modal window will show a QR code. Once scanned, the user must enter, in the reserved field, the six-digit verification code provided by the authentication application.

A recovery code will then be shown, which the user must save to use if they ever need to sign in and do not have access to the device where the authentication app is installed.

From then on, when signing in, the user will be prompted for the verification code in addition to their password.

When a user signs in to the platform for the first time using their email and password, they will be asked to set up this authentication method to raise the security level of their account.

<Info>
  **Verification code** and **Recovery code** are not the same. The first is generated by the authentication application, and the second is provided by Flexxible as a precaution.
</Info>

From the authentication security settings panel, the user can view the date and time when they signed in using this method, as well as the date it was added as a two-factor security method.

#### Recovery code

When the use of the authentication app is enabled, Flexxible generates a recovery code for the user to save and use when they do not have access to the device where the authentication app is installed. The **Recovery code** option lets you regenerate that code if it has been lost, to verify the user's identity when they want to sign in.

#### Email verification

If enabled, this allows the user's identity to be verified by email if they forget their password or do not have the other methods to identify themselves.

To enable this option, the user must click **Enable** in the authentication security settings panel. From there, the user can also see the date and time when the method was last used, as well as the last time it was added as a two-factor security method.

**Reset two-factor authentication**

Lets you reset the two-factor authentication methods when a user loses access to the devices that let them identify themselves. When you click **Regenerate**, the two-factor authentication methods are disabled.

The user can enable them directly from the same security settings panel, or by signing out and signing back into the platform.

It also reports the date and time when two-factor authentication was last reset.

#### Password

From the same panel, the user can request their password to be reset.  They must press the **Resend password reset email** button to receive an email with instructions.

It also reports the last time the password was changed, the last sign-in, and the last IP address from which they connected.

### Authentication security settings at the organization level

An Organization Administrator can enable or disable the option to sign in via email and password for users in the organization and its suborganizations. The feature can only be enabled or disabled from the main organization if there are suborganizations.

To do so, go to **Settings** → **Organization.** In the left-hand side menu, click the **Authentication** tab.

#### Enable or disable the email and password authentication option at the organization level

The **Enable email/password authentication** or **Disable email/password authentication** button, as appropriate, lets you enable or disable the ability to activate email and password sign-in for users who are members of an organization or suborganization.

<Warning>
  If this option is disabled, users will not be able to sign in with email and password or manage their account. All user credentials will be deleted. If this feature is re-enabled, users will need to reset their password and two-factor authentication again.
</Warning>

### User table

The user table on the **Authentication** tab shows the list of members of the organization. At a glance, from here you can see which members have the option to sign in via email and password enabled.

### User authentication detail

If you click a user's name in the table, you can access cards with specific information about the authentication method that is enabled:

* **Microsoft Entra ID.** *Job title*, *Phone*, *Last sign-in*, *Sign-in count*, and *Last IP address*

* **Google.** *Last sign-in*, *Sign-in count*, and *Last IP address*

* **Email and password authentication.** *Last sign-in*, *Sign-in count*, and *Last IP address*. In addition, from here the administrator can manage the **Authentication security settings** for that specific user, which include **Two-factor authentication** and **Password**.

## Authentication with SAML

Security Assertion Markup Language (SAML) is a single sign-on (SSO) technology that lets organizations connect their identity providers (Okta, Entra ID, and others) with the Flexxible platform, delegating the authentication process to it.

To set up sign-in with this method, adjustments must be made related to recognizing the organization's domain and integrating with the identity provider used.

### Domains

From this tab, an Organization Administrator can register and verify the domains that will be used. They can also access the table with the list of domains and view its detail view.

The table shows the following information:

* **Domain name.** Web address registered by the organization.
* **Status.** **Verified** or **Unverified**.
* **Created on.** Date and time the domain was created.
* **Created by.** User who registered the domain.

### Create a domain

To configure a domain, it must first be registered and then verified.

1. Go to **Organization** → **Domains**.
2. Click **Create domain**.
3. Enter the organization's domain (corresponding to the email of the users who will sign in with SAML).
4. Click **New**.

The domain will be added to the table with the **Unverified** status.

### Verify the domain

1. In the Domains table, select the registered domain.
2. A window will be displayed with instructions to add a TXT record in the DNS, which is required to verify ownership.
3. Click **Verify now** to complete the process.

### Create an SSO connection

Creating an SSO connection allows users with email addresses from specific domains to authenticate through the organization's identity provider.

1. Go to **Organization** → **SSO integrations**.
2. Click **Create connection** and follow the instructions in the wizard, which will guide the Organization Administrator in configuring and testing based on the identity provider used.

The available identity providers are:

* Okta
* Entra ID
* Custom SAML

For each case, a wizard is available to guide you step by step through the specific configuration within the selected identity provider.

<Tip>
  Some of the data requested during configuration may have different names depending on the identity provider. For example, in Custom SAML:

  * The `Single Sign-On URL` field may appear in the identity provider as `Reply URL (Assertion Consumer Service URL)`.
  * The `Service Provider Entity ID` field may be called `Identifier (Entity ID)`.
</Tip>

<Note>
  If any doubts come up during the configuration process, please contact your Flexxible representative.
</Note>

Once the process is complete, users from the associated domains will be able to sign in by entering their email in the corresponding field and clicking **Continue with email**.

If the system recognizes the domain as SSO-enabled, it will redirect the user to the organization's identity provider to authenticate.

### Edit an SSO connection

The platform lets you edit an existing SSO connection, either to update the configuration or to renew the certificate if it has expired.

1. Go to **Organization** → **SSO integrations**.
2. Select a record in the table.
3. Click **Edit connection**.

Selecting the **Enable SCIM user provisioning** checkbox is optional. More information in **SCIM user provisioning**.

### Delete a domain

1. Go to **Organization** → **Domains**.
2. In the table, select the domain you want to delete.
3. In the detail window, click **Delete**.

When you delete a domain, its associated users will no longer be able to authenticate via SAML until it is registered again.

### Delete an SSO connection

1. Go to **Organization** → **SSO integrations**.
2. Select the corresponding record in the table.

## SCIM provisioning

System for Cross-domain Identity Management (SCIM) is a user provisioning and management standard that complements SAML authentication. It is optional, and its purpose is to automate the creation, updating, and deletion of user accounts on the Flexxible platform, keeping information synchronized between the organization's identity provider (Okta, Entra ID, etc.) and the platform.

When SCIM is enabled, the identity provider can send the platform basic user information (name, email, group), which makes it easier to manage onboarding and offboarding. This way, the user's lifecycle is controlled centrally from the identity provider.

### Enable SCIM

To use SCIM, you must have previously configured SAML authentication:

1. Go to **Organization** → **SSO integrations**.
2. In the table, select the corresponding SSO connection.
3. Check the **Enable SCIM user provisioning** option.

When enabling the option, the following will appear at the bottom of the configuration window:

* SCIM endpoint
* Authentication token

<Warning>
  This data is confidential and must be stored securely.
</Warning>

<Info>
  In environments with suborganizations, the SCIM integration must be defined in the parent tenant.
</Info>

### Configure SCIM in the identity provider

In the organization's identity provider, enter the SCIM endpoint and the authentication token provided.

Example with Entra ID:

1. Go to **Provisioning**.
2. Enter the SCIM endpoint and the authentication token.
3. Select the authentication method: **Bearer token** or **Bearer Authentication**.
4. Click **Test connection** to validate the synchronization.
5. Activate provisioning.

From that moment on, the identity provider will start synchronizing groups and users to the platform.

<Info>
  * If **Okta** is used as the identity provider:
    * SCIM functionality must be configured using the Custom SAML option, since Okta does not support SCIM when the connection uses OIDC.
    * When configuring the Custom SAML connection, the **Application username format** must be set to **Email**; otherwise, users will not be able to authenticate.
</Info>

### Create user groups in the identity provider

To integrate users via SCIM, you need to create groups in the identity provider.

#### Considerations

* Create specifically dedicated groups with clear, unique names (e.g., `MyOrg-Portal-L2`).
* When user groups are created or deleted in the identity provider, they are also automatically created or deleted on the platform.
* Do not create nested groups.
* **A user must belong to only one group**; otherwise, unexpected behavior may occur: on the platform, a user cannot have more than one role.
* There cannot be users without an assigned group.
* Users who belong to a group that does not have a linked role will not be visible in the [Users](../features/administration/roles) list.

When user groups are created in the identity provider, the **SCIM provisioning** tab will automatically appear in the **Organization** menu.

### Role mappingl

In the table on the **SCIM provisioning** tab, you can see the groups created in the identity provider. This happens because one-way synchronization has been established, from the identity provider to the platform.

To map roles:

1. Go to **Organization** → **SCIM provisioning**.
2. Select a synchronized group from the table.
3. In the modal window, assign the corresponding role.
4. If an organization (tenant) has suborganizations, choose which suborganization that group belongs to before assigning it a role.

From the moment all groups are linked to a role, no further configuration is required. New users added to or removed from groups in the identity provider will be synchronized automatically on the platform.

#### Considerations about roles

* Every synchronized group must have a role assigned so its users are visible and functional.
* The same role can be assigned to different groups.
* The role assigned to a group can be modified at any time by following the same steps used to assign the role.
* In the [Users](../features/administration/users) list, you will see the *Created by* and *Updated by* columns to identify users managed by SCIM.

### Role synchronization

The synchronization frequency depends on the identity provider used (for example, Entra ID synchronizes every 40 minutes), although it is possible to force a manual synchronization from the identity provider itself for testing purposes or urgent changes without waiting for the automatic cycle.

To avoid depending on those intervals, the platform includes the **Sync assigned roles** button, which lets you align the roles of users belonging to groups created with SCIM.

This action performs the following operations:

* Reviews all users belonging to groups created via SCIM.
* Checks whether the role assigned to each user matches the role mapped for their group.
* If it detects discrepancies, it automatically updates the user's role.

If the role belongs to another suborganization, the user will be automatically moved to the corresponding suborganization.

When the process is complete, a detailed summary of the modified data is shown.
