Administration Guide
Authentication Reference
This reference specifies the authentication surfaces of an AlloyScan site: sign-in methods, SSO provider configuration, and App registration fields.
Scope
Per-site, except where the row is explicitly marked instance-scope.
Sign-in methods
| Method | Status | Notes |
|---|---|---|
| Email and password | Always available | AlloyScan-native, authenticated against IdentityServer. Account must be Active. |
| Microsoft SSO | Built-in; instance-allowed, site-enabled | A Global Administrator allows or blocks the provider in Admin Center > App management > IAM > SSO providers. A Site Administrator can then enable the allowed provider in Admin Center > Site Settings > IAM > SSO providers. |
| Google SSO | Built-in; instance-allowed, site-enabled | A Global Administrator allows or blocks the provider in Admin Center > App management > IAM > SSO providers. A Site Administrator can then enable the allowed provider in Admin Center > Site Settings > IAM > SSO providers. |
| Other SSO (SAML, Okta, Facebook, etc.) | Not supported | Not present in the SSO providers page. |
| Native multi-factor authentication | Not provided | If the SSO provider enforces MFA, provider-side MFA applies. |
| App registration (REST API, machine-to-machine) | Always available | Configured under Admin Center > Site Settings > IAM > App registrations. |
SSO provider configuration
SSO is controlled at two levels:
- Global SSO providers at Admin Center > App management > IAM > SSO providers. This is the instance-level allow list for the built-in Microsoft and Google providers. Opening a provider shows a read-only view of the provider details.
- Site SSO providers at Admin Center > Site Settings > IAM > SSO providers. This page shows toggles only for providers that the instance has allowed. Site Administrators can turn those allowed providers on or off for the current Site.
Global Microsoft provider view
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Enabled | Toggle | On / Off | Off | Global allow switch for the built-in provider. |
| Name | String | Microsoft | Microsoft | Read-only. |
| Authority | String | Microsoft identity endpoint | System-provided | Read-only. |
| Tenant | String | Microsoft tenant ID | System-provided | Read-only. |
| Client ID | String | Microsoft client ID | System-provided | Read-only. |
| Client secret | String, masked | Provider secret | System-provided | Read-only. |
| Redirect URI | String, system-presented | AlloyScan callback URL | System-provided | Read-only. |
Global Google provider view
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Enabled | Toggle | On / Off | Off | Global allow switch for the built-in provider. |
| Name | String | Google | Google | Read-only. |
| Client ID | String | Google OAuth 2.0 Client ID | System-provided | Read-only. |
| Client secret | String, masked | Google OAuth 2.0 Client secret | System-provided | Read-only. |
| Redirect URI | String, system-presented | AlloyScan callback URL | System-provided | Read-only. |
Site SSO providers
At the site level, the page shows toggles only for providers that were allowed globally.
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Microsoft | Toggle | On / Off | Off | When On, a Sign in with Microsoft button appears on the site sign-in page. |
| Google | Toggle | On / Off | Off | When On, a Sign in with Google button appears on the site sign-in page. |
Constraints (SSO)
- Site Administrators can only enable providers that a Global Administrator has already allowed on the instance.
- A successful SSO sign-in still requires that the authenticated email match an Active record in Admin Center > Site Settings > IAM > Users.
- Multi-factor authentication is enforced by the SSO provider, not by AlloyScan.
- Successful and failed SSO sign-ins are recorded in Admin Center > Site Settings > Logs > Security log.
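The two-level provider control and the SSO constraints above can be expressed as a single decision function, which is useful when reviewing a site's configuration or reasoning about why a sign-in was refused. The following is an added illustration, not AlloyScan's own code: the policy and user structures, the reason codes, the lower-casing of the email before the Users lookup and the shape of the security-log entry are all assumptions made here, and the sample data is constructed.

```python
"""Model the SSO sign-in decision described in this reference.

Order of checks mirrors the document: the provider must be one of the two
built-in providers, allowed on the instance (App management > IAM > SSO
providers), enabled on the site (Site Settings > IAM > SSO providers), and the
authenticated email must match an Active record in Site Settings > IAM > Users.
Every decision is appended to an in-memory stand-in for the Security log.
"""
from dataclasses import dataclass, field

# The SSO providers pages list only these two providers (see Sign-in methods).
BUILT_IN_PROVIDERS = {"Microsoft", "Google"}


@dataclass
class InstancePolicy:
    allowed_providers: set          # Global Administrator allow list (instance scope)


@dataclass
class SitePolicy:
    enabled_providers: set          # Site Administrator toggles (site scope)


@dataclass
class SiteContext:
    instance: InstancePolicy
    site: SitePolicy
    users: dict                     # email -> Active flag (assumed shape of IAM > Users)
    security_log: list = field(default_factory=list)


def evaluate_sso_sign_in(ctx, provider, email):
    """Return (allowed, reason) and record the outcome in the security log."""
    if provider not in BUILT_IN_PROVIDERS:
        reason = "unsupported-provider"          # SAML, Okta, Facebook, ... are not supported
    elif provider not in ctx.instance.allowed_providers:
        reason = "not-allowed-on-instance"       # Global Administrator has not allowed it
    elif provider not in ctx.site.enabled_providers:
        reason = "not-enabled-on-site"           # Site Administrator has not turned it on
    elif not ctx.users.get(email.lower(), False):  # case-insensitive match is an assumption
        reason = "no-active-user"                # no Active record in IAM > Users
    else:
        reason = "ok"
    allowed = reason == "ok"
    # Both successful and failed SSO sign-ins are logged (Constraints (SSO)).
    ctx.security_log.append(
        {"event": "sso-sign-in", "provider": provider, "email": email,
         "outcome": "success" if allowed else "failure", "reason": reason}
    )
    return allowed, reason


def audit_site_policy(ctx):
    """Providers enabled at site level without an instance allow: a stale or
    inconsistent configuration, since the site page should only offer allowed
    providers."""
    return sorted(ctx.site.enabled_providers - ctx.instance.allowed_providers)


def build_sample_context():
    """Constructed sample: Microsoft allowed on the instance; the site has a
    stale Google toggle; one Active and one inactive user."""
    return SiteContext(
        instance=InstancePolicy(allowed_providers={"Microsoft"}),
        site=SitePolicy(enabled_providers={"Microsoft", "Google"}),
        users={"alice@example.com": True, "bob@example.com": False},
    )


if __name__ == "__main__":
    ctx = build_sample_context()
    for provider, email in [("Microsoft", "alice@example.com"),
                            ("Microsoft", "Bob@example.com"),
                            ("Google", "alice@example.com"),
                            ("Okta", "alice@example.com")]:
        print(provider, email, evaluate_sso_sign_in(ctx, provider, email))
    print("site toggles without instance allow:", audit_site_policy(ctx))
```

The reason code that comes back tells an administrator which of the three pages (App management, Site Settings > SSO providers, or Users) to visit; the audit helper catches the case where a site toggle outlives the instance allow.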
App registration
Configured at Admin Center > Site Settings > IAM > App registrations.
Fields
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Name | String, free text | — | — | Display name of the registration. Required. |
| Client ID | String, system-generated | 20 characters | — | Identifier the API client presents during authentication. Read-only. |
| Client secret | String, system-generated | — | — | Secret the API client presents alongside the Client ID. Shown once at creation. |
| Expiration date | Date | — | — | Date after which the registration stops being accepted. Required. |
| Enabled | Toggle | Yes / No | Yes | When No, API requests using this registration are rejected. |
| Registration date | Date, system | — | — | Date the registration was created. Read-only. |
| Last used | Date, system | — | — | Most recent successful authentication with the Client ID. Read-only. |
Constraints (App registrations)
- App registrations grant API access only. They are not used to sign in to the AlloyScan UI.
- An App registration has no role assignment. Permissions follow the REST API surface it calls.
- Notification templates fire at 30 days before expiration, 7 days before expiration, and on expiry, in the Administrative category.
- An expired registration produces a persistent "API client alert" red banner on every page until it is renewed or disabled.
States
| State | Trigger | User-visible effect |
|---|---|---|
| Active | Created with a future expiration date and Enabled = Yes | Authenticates and authorises API calls. |
| Expiring (30 days) | 30 days before Expiration date | Administrative notification template fires. |
| Expiring (7 days) | 7 days before Expiration date | Administrative notification template fires. |
| Expired | Expiration date has passed | API calls are rejected; persistent red banner shows on every page. |
| Disabled | Enabled toggled to No | API calls are rejected; banner does not fire from disable alone. |
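The Fields, Constraints and States tables together define a small lifecycle that an administrator may want to evaluate across all registrations of a site at once, for example in a scheduled review of API credentials. The script below is an added example, not AlloyScan's own code: the AppRegistration record, the exact window boundaries used for the two Expiring states (the page names only the days on which the templates fire), and the reading of "on expiry" as the first day after the Expiration date (the field is the date after which the registration stops being accepted) are assumptions; all registration data is constructed.

```python
"""Classify App registrations into the States of this reference and report
which Administrative notification templates would fire on a given day.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class AppRegistration:
    name: str
    client_id: str                 # 20-character system-generated ID; values below are constructed
    expiration_date: date          # last day on which the registration is accepted
    enabled: bool = True           # Enabled toggle (Yes / No)
    last_used: Optional[date] = None


def days_until_expiry(reg, today):
    return (reg.expiration_date - today).days


def registration_state(reg, today):
    """State per the States table. Disabled wins over the date-based states,
    since a disabled registration is rejected regardless of its date."""
    if not reg.enabled:
        return "Disabled"
    left = days_until_expiry(reg, today)
    if left < 0:
        return "Expired"
    if left <= 7:                  # window boundaries are an interpretation
        return "Expiring (7 days)"
    if left <= 30:
        return "Expiring (30 days)"
    return "Active"


def notification_due(reg, today):
    """Administrative template that fires today, if any (30 days before,
    7 days before, on expiry). Only the date is considered here."""
    left = days_until_expiry(reg, today)
    if left == 30:
        return "30 days before expiration"
    if left == 7:
        return "7 days before expiration"
    if left == -1:                 # first day it is no longer accepted (interpretation)
        return "on expiry"
    return None


def shows_api_client_alert(reg, today):
    """The red banner persists for an expired registration until it is renewed
    or disabled, so a disabled registration never raises it."""
    return registration_state(reg, today) == "Expired"


def audit_registrations(regs, today):
    states = {r.name: registration_state(r, today) for r in regs}
    notifications = [(r.name, n) for r in regs if (n := notification_due(r, today))]
    banner = any(shows_api_client_alert(r, today) for r in regs)
    return {"states": states, "notifications": notifications, "banner": banner}


def _fake_client_id(n):
    return f"CONSTRUCTEDCLIENT{n:03d}"     # constructed 20-character placeholder


def sample_registrations():
    """Constructed registrations covering every state, evaluated at 2024-06-01."""
    return [
        AppRegistration("ci-runner", _fake_client_id(1), date(2024, 12, 31)),
        AppRegistration("legacy-sync", _fake_client_id(2), date(2024, 6, 20)),
        AppRegistration("report-export", _fake_client_id(3), date(2024, 6, 5)),
        AppRegistration("notify-30", _fake_client_id(4), date(2024, 7, 1)),
        AppRegistration("notify-7", _fake_client_id(5), date(2024, 6, 8)),
        AppRegistration("notify-expiry", _fake_client_id(6), date(2024, 5, 31)),
        AppRegistration("old-scanner", _fake_client_id(7), date(2024, 5, 15)),
        AppRegistration("retired", _fake_client_id(8), date(2024, 5, 15), enabled=False),
    ]


if __name__ == "__main__":
    report = audit_registrations(sample_registrations(), date(2024, 6, 1))
    for name, state in report["states"].items():
        print(f"{name:15} {state}")
    print("notifications today:", report["notifications"])
    print("API client alert banner:", report["banner"])
```

Running the audit on a schedule and comparing its output with what the Admin Center shows is a cheap way to confirm that expiring credentials are being noticed before the banner appears.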
Account lifecycle
| State | Set at | Effect |
|---|---|---|
| Active = Yes | IAM > Users by an Administrator | The account can sign in via email and password or SSO. |
| Active = No | IAM > Users by an Administrator | The account cannot sign in by any method. |
| Verified | Self-confirmed | Shown as a green Verified badge under Manage your account > General. |