When a user logs in to their account in Appraisd, they must be authenticated and authorised. This page outlines the process involved and the options available to clients.
Users can log in to Appraisd using several means:
- Email address and password
- Single Sign On from a pre-configured SAML2.0 identity provider
- Log in with Google button
- Log in with Microsoft button
- Log in with Slack button
The three "Log in with..." buttons use proprietary code from Google, Microsoft and Slack. These mechanisms make use of the standard and trusted identity endpoints from those vendors. These buttons cannot be disabled for an individual client.
Email address and password
Each user in Appraisd has a unique email address. This, combined with a password, can be used to authenticate the user. Once authenticated, the user's roles are determined from the database: User, Administrator and/or Moderator. These roles are set by other administrators and are covered elsewhere in the documentation.
When a user is first added to Appraisd, they are not assigned a password. Instead, they must use the registration procedure to create their own password, which must comply with the account's password policy.
The user's password must comply with the account's password policy. As a client of Appraisd, you can determine the appropriate policy for your users (subject to certain minimums enforced as part of our ISO27001 standard). You can set the policy in your Configuration area. You can determine the following:
- Password history - prevent password reuse
- Minimum length
- Whether a character that is neither a letter nor a digit is required
- Whether lowercase and uppercase characters are required
- Whether a digit is required
- Whether moderators are allowed to set passwords for people they moderate
You can also set a maximum number of login attempts before the account is locked. The account can be unlocked by resetting the password.
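The following is an added example, not Appraisd's own code, showing how the policy options above and the login-attempt lockout fit together. The names (PasswordPolicy, UserAccount, check_policy, set_password, login), the PBKDF2 work factor and the sample account are assumptions made for illustration; the rules themselves are the ones listed on this page.

```python
"""Password policy check and failed-login lockout.

Added example, not Appraisd's own code. It models the policy options the
page lists (password history, minimum length, character-class requirements,
maximum login attempts) using assumed names such as PasswordPolicy,
check_policy and login.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the example


@dataclass
class PasswordPolicy:
    min_length: int = 8
    history_size: int = 5         # previous passwords that may not be reused
    require_symbol: bool = True   # a character that is neither a letter nor a digit
    require_mixed_case: bool = True
    require_digit: bool = True
    max_failed_attempts: int = 5  # lock the account once this many logins fail


@dataclass
class UserAccount:
    email: str
    policy: PasswordPolicy
    # (salt, hash) pairs, oldest first; the last entry is the current password.
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value never reveals the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_policy(policy: PasswordPolicy, password: str,
                 history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every rule the candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_symbol and not any(not c.isalnum() for c in password):
        problems.append("needs a character that is neither a letter nor a digit")
    if policy.require_mixed_case and not (
        any(c.islower() for c in password) and any(c.isupper() for c in password)
    ):
        problems.append("needs both lowercase and uppercase characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    # Re-derive with each remembered salt; a match means the password is being reused.
    # history[-0:] would be the whole list, so guard a history size of zero explicitly.
    remembered = history[-policy.history_size:] if policy.history_size else []
    for salt, digest in remembered:
        if hmac.compare_digest(_derive(password, salt), digest):
            problems.append(f"reuses one of the last {policy.history_size} passwords")
            break
    return problems


def set_password(account: UserAccount, password: str) -> list[str]:
    """Used by registration and by password reset; returns the policy violations, if any."""
    problems = check_policy(account.policy, password, account.history)
    if problems:
        return problems
    salt = os.urandom(16)
    account.history.append((salt, _derive(password, salt)))
    # Resetting the password also unlocks the account, as the page describes.
    account.failed_attempts = 0
    account.locked = False
    return []


def login(account: UserAccount, password: str) -> bool:
    """Verify the password; count failures and lock after max_failed_attempts."""
    if account.locked or not account.history:
        return False
    salt, digest = account.history[-1]
    if hmac.compare_digest(_derive(password, salt), digest):
        account.failed_attempts = 0
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= account.policy.max_failed_attempts:
        account.locked = True
    return False


if __name__ == "__main__":
    # Constructed sample account and policy for the demo.
    acct = UserAccount("alice@example.com", PasswordPolicy(min_length=10, max_failed_attempts=3))
    print(set_password(acct, "password"))         # lists four violations
    print(set_password(acct, "Correct-Horse-7"))  # [] (accepted)
    for _ in range(3):
        login(acct, "wrong guess")
    print(acct.locked)                            # True
```

Note that a locked account rejects even the correct password until set_password runs again, which is the "unlock by resetting the password" behaviour the page describes; the history check re-derives the candidate under each remembered salt rather than comparing plaintexts, so old passwords are never stored in a recoverable form.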
Reset a password
The user can reset their own password by requesting a reset link to be sent to their email address. When they click the link, the user is taken to a page where they can enter and confirm a new password that complies with the account's password policy.
Administrators can also send password reset links on behalf of the user, but only the user with access to the email address may go on to set a new password using this process.
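As an added example (not Appraisd's own code) of the reset-link flow just described, the class below issues single-use, expiring reset tokens and stores only a hash of each one, keyed to the email address it was sent to, so the token in the link is the only thing that proves access to that mailbox. ResetTokenStore, issue, redeem and the one-hour lifetime are assumed names and values for illustration; the page does not state how Appraisd implements its links.

```python
"""Single-use, expiring password reset links.

Added example, not Appraisd's own code. ResetTokenStore, issue, redeem
and RESET_TTL_SECONDS are assumed names and values for illustration.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

RESET_TTL_SECONDS = 60 * 60  # assumed lifetime of a reset link


class ResetTokenStore:
    """Keeps only a hash of each outstanding token, plus the email it was issued to."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                                   # injectable clock for testing expiry
        self._pending: Dict[bytes, Tuple[str, float]] = {}  # sha256(token) -> (email, expires_at)

    def issue(self, email: str) -> str:
        """Create the token that goes into the emailed link.

        The same call serves a user requesting their own link and an
        administrator sending one on the user's behalf: either way the link
        is only useful to whoever can read that mailbox. Any earlier link for
        the same address is invalidated so only the newest one works.
        """
        self._pending = {k: v for k, v in self._pending.items() if v[0] != email}
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        key = hashlib.sha256(token.encode("utf-8")).digest()
        self._pending[key] = (email, self._now() + RESET_TTL_SECONDS)
        return token                                      # raw token is never stored

    def redeem(self, token: str) -> Optional[str]:
        """Return the email the token was issued to, or None if unknown, used or expired."""
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self._pending.pop(key, None)              # pop makes the token single use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice@example.com")        # constructed sample address
    print(store.redeem(link_token))                       # alice@example.com
    print(store.redeem(link_token))                       # None: already used
```

The email address returned by redeem identifies the account whose new password is then taken from the reset page and checked against the account's password policy; because the store holds only SHA-256 digests of high-entropy tokens, a leaked copy of the table does not let anyone complete a reset.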
Single Sign On via SAML2.0 (SSO)
Appraisd uses the SAML2.0 protocol to enable single sign on from an approved identity provider. Documentation on this process is available within these pages. Users are authenticated according to a unique ID/username or email address.
When SSO is enabled, email and password login is typically disabled. However, it is possible to allow both means of authentication if desired.
Multi-factor authentication (MFA or 2FA)
Appraisd does not provide its own MFA support because this is typically provided by the client as part of their SSO authentication process. In other words, if you log in to Appraisd using your Azure AD SSO configuration, you should configure your Azure AD to conduct the MFA test prior to sending the SAML response to Appraisd.
Some large organisations are only able to provide SSO for a subset of users, so it's possible in Appraisd to specify the means of authentication (username/password vs SSO) down to user level.