Login Flows & User Registration in BSS
This page explains the login and registration flows when you have activated either mixed mode (i.e., local login together with an external identity provider) or only one or more external identity providers. It covers in detail the available flows on the BSS Alias Login page, in conjunction with the user registration options of your BSS.
Enabling or Disabling the BSS’s Native (local) Login Method
From the moment that an external identity provider has been configured and is available in your BSS, you can choose whether you will offer the local login method to your BSS users or not.
You can remove BSS’s local login from the BSS Alias Login page by navigating to BSS Setup > Administration > System Options > Authentication Options > BSS Options. The default option is set to “Yes”, meaning that the local login is available.
Allow Local Login: Yes → While the BSS Local Login is active, the login page includes both the Username & Password section and any enabled and visible external identity providers.
Allow Local Login: No → While the BSS Local Login is inactive, the login page includes only the enabled and visible external identity providers.
If the Local Login was disabled and then re-enabled, the existing BSS users can re-activate their Local Login connection via the Login Options page in BSS Setup.
Password Reset for Native (local) Login BSS User
The reset password option, found under the credential fields of the BSS login page, is available only for the native (local) login option.
Upon clicking on the Forgot Password hyperlink, the BSS user is prompted to enter their organization ID and their username, where the reset password email will be dispatched. The following email template is the new one, and is aligned with the latest IT security implementations.
Once the Get Password link is clicked, the BSS user is redirected to the Reset Password page, where they can enter their new password.
Login Flows
#1 - Mixed Mode
If the “Allow Local Login” option is enabled and one or more external authentication providers are also activated and visible, the BSS’s Alias Login page will display both login options.
In this scenario, some BSS users can log in using their local credentials, and other users can use an external provider. The BSS user will be directed to the external provider’s login page when pressing the external provider button.
#2 - Local Login is Disabled and only one External Provider is Active
If the “Allow Local Login” option is disabled and only one external authentication provider is activated and visible, then the BSS’s Alias Login page will send the BSS user directly to the login page of the external identity provider.
In this scenario, the BSS users must either provide their external provider credentials on the respective page if they sign in for the first time, or pick one of the available accounts from a list if they sign in afterwards.
#3 - Local Login is Disabled and two or more External Providers are Active
If the “Allow Local Login” option is disabled, but two or more external authentication providers are activated and visible, then the BSS’s Alias Login page will display only the external authenticators' login options.
In this scenario, the BSS users can only log in using one of the available external providers.
#4 - Local Login is Enabled and External Providers are Deactivated or Hidden
If the “Allow Local Login” option is enabled and all external authentication providers are deactivated or hidden, the BSS’s Alias Login page will display only the local login option.
In this scenario, the BSS users can only log in using their local login credentials. However, if the Two-Factor Authentication (2FA) mechanism is enabled, then the BSS users will also have to go through the 2FA authentication process after they submit their local login credentials correctly.
For more information about the Two-Factor Authentication (2FA) mechanism in BSS, please continue to the Local Login in BSS With Two Factor Authentication (2FA) page.
Registering & Activating a New User
Since automatic user registration is not available in BSS, the administrator needs to create new users.
By navigating to BSS Setup > Administration > Users > Users List and clicking on the Add button, the “Add New User” page is displayed.
Please note that if the “Local Login” option is deactivated, the fields Password & Confirm Password, which refer to the local login credentials, will no longer be displayed.
However, the administrator can create the new BSS user by filling in all the necessary information under the Personal Data section of the form, and upon clicking the Save button for the first time, the following actions will be performed:
A pop-up message appears based on the status of the “Local Login” option:
Local Login - enabled: “A local login activation link has been sent to the user <name of user>”.
Local Login - disabled: “An external provider login activation link has been sent to the user <name of user>”.
An email is dispatched to the defined email address in the “Personal Data” section, containing the Activation Link for the BSS user’s account.
The status of the new user becomes “Pending Activation”.
A button named “Send Activation Link” is displayed at the top of the new user’s profile form, which is used for re-dispatching the activation email.
These actions are performed when the “Save” button is clicked, and only during the user’s creation. After the creation of the user, the “Send Activation Link” button will perform the same actions, as long as the status of the user is “Pending Activation” (for more information concerning the users' statuses, please proceed to this page’s last section).
The local login credentials from the registration, such as the user name and the Alias login URL, are communicated to the user via email. However, the password is created by the user upon their first log-in attempt, after they activate their account and once they click on the log-in link. Consequently, the Activation Email that is dispatched to the new BSS user looks like this:
After the user has activated their account and clicked on the BSS log-in link, found inside the Activation Email, three possible scenarios can occur:
Local Login Option Enabled: Users are redirected to the BSS Activate account page, where they are prompted to create their local login password.
Once the user has created their password by clicking on the “Activate Account” button, a “Login Now” link appears on the screen.
Upon clicking on it, it will redirect the user to:
Either the BSS Alias login page if the Alias was previously defined.
Or the original/legacy BSS login page if the Alias was not previously defined.
Local Login Option Disabled & One External Identity Provider Active and Visible: Users are redirected directly to the External Identity Provider’s Login page, where they are prompted to fill in their respective login credentials and consequently activate their BSS user account.
Once the user has logged in to the only available External Identity Provider, their user account is considered activated and they are redirected to the BSS Dashboard page.
Local Login Option Disabled & Two or More External Identity Providers Active and Visible: Users are redirected to the BSS Alias login page, where they can choose one of the available External Identity Providers in order to log in with their respective credentials and consequently activate their BSS user account.
Once the user has logged in with their preferred External Identity Provider, their user account is considered activated and they are redirected to the BSS Dashboard page.
After the successful activation of the BSS user account, the status of the user becomes “Active”. Also, the “Send Activation Link” button is removed from the user’s profile form, since the activation of the user’s account has been completed.
Users List Statuses & Login Options
Two new informative columns are introduced inside the Users List, found under BSS Setup > Administration > Users > Users List. The first column, named “Login Options”, displays the login options that each user has enabled and connected to their BSS user account, whereas the second column, named “Status”, displays whether the user’s account is “Active” or “Pending Activation”.
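The flow selection described under Login Flows and the two Users List columns can be combined into a review step before switching Allow Local Login to “No”. The following is an added example, not BSS code or a BSS API: the function names, the dictionary fields, the "Google" provider and the sample users are constructed, and flagging Active users with no connected external provider for review is an assumption about what an administrator would want to check.

```python
def login_flow(allow_local_login, visible_providers):
    """Return which of the page's flows (#1-#4) the Alias Login page follows."""
    count = len(visible_providers)
    if allow_local_login and count >= 1:
        return "#1 mixed mode: local form plus external provider buttons"
    if allow_local_login:
        return "#4 local login only"
    if count == 1:
        return "#2 direct redirect to " + visible_providers[0]
    if count >= 2:
        return "#3 external provider buttons only"
    # Local login off and no visible provider: not covered by the page.
    return "not described: local login disabled and no visible provider"


def active_users_without_external_login(users, visible_providers):
    """List Active users whose Login Options include no visible external provider.

    Users in "Pending Activation" are skipped: with local login disabled,
    the page states they activate by signing in to an external provider.
    """
    visible = set(visible_providers)
    flagged = []
    for user in users:
        if user["status"] != "Active":
            continue
        if not visible & set(user["login_options"]):
            flagged.append(user["username"])
    return flagged


# Constructed sample mirroring the "Login Options" and "Status" columns.
USERS = [
    {"username": "alice", "status": "Active", "login_options": ["Local", "Azure"]},
    {"username": "bob", "status": "Active", "login_options": ["Local"]},
    {"username": "carol", "status": "Pending Activation", "login_options": []},
]

if __name__ == "__main__":
    providers = ["Azure"]
    print("Current flow:        ", login_flow(True, providers))
    print("Flow after disabling:", login_flow(False, providers))
    print("Review before change:", active_users_without_external_login(USERS, providers))
```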
Single Logout Flow OIDC
With the support of Single Logout, the BSS users can sign out of both their BSS session and their configured external identity provider application with a single action when they have signed in using an external identity provider that supports the OpenID Connect (OIDC) standard.
Single Logout Rules
At least one OIDC external identity provider has been enabled and is visible on the BSS login page.
The BSS user has connected their account to at least one of those enabled and visible OIDC external identity providers.
When BSS users log in using an external identity provider account, they are consequently also logged in to the relevant application (e.g. Azure). When those users click on the Logout button, the following pop-up window appears, informing them of their log-out options.
By selecting:
Locally: The users log out of the BSS, while their session on the external identity provider application remains active.
Globally: The users log out of both the BSS and the external identity provider application. This means that after closing the browser window of the application, if they re-open it, the application will redirect them to the external identity provider’s log-in page to re-enter their credentials, so as to log in to the BSS platform.
If users have been idle and they are automatically logged out, this logout is considered local and does not affect their connection with the application of the external identity provider.