Administration Guide
Authentication Reference
This reference specifies the authentication surfaces of an AlloyScan site: sign-in methods, SSO provider configuration, App registration fields, and deployment-level availability for the SSO menu.
Scope
Per-site, except where the row is explicitly marked instance-scope.
Sign-in methods
| Method | Status | Notes |
|---|---|---|
| Email and password | Always available | AlloyScan-native, authenticated against IdentityServer. Account must be Active. |
| Microsoft SSO | Configurable per site | Enabled via Admin Center > Site Settings > IAM > SSO providers when the SSO providers surface is available for the deployment. |
| Google SSO | Configurable per site | Enabled via Admin Center > Site Settings > IAM > SSO providers when the SSO providers surface is available for the deployment. |
| Other SSO (SAML, Okta, Facebook, etc.) | Not supported | Not present in the SSO providers page. |
| Native multi-factor authentication | Not provided | If the SSO provider enforces MFA, provider-side MFA applies. |
| App registration (REST API, machine-to-machine) | Always available | Configured under Admin Center > Site Settings > IAM > App registrations. |
Note: Details may vary by deployment.
SSO provider configuration
Configured at Admin Center > Site Settings > IAM > SSO providers.
Microsoft provider — fields
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Enabled | Toggle | On / Off | Off | When On, a Sign in with Microsoft button appears on the site sign-in page. |
| Application (client) ID | String | Microsoft Entra Application ID | — | The client ID issued by the Microsoft Entra App registration. |
| Tenant ID | String | Microsoft Entra Directory ID | — | The directory the App registration belongs to. |
| Client secret | String, masked | Microsoft Entra client secret value | — | Generated under Certificates & secrets in Microsoft Entra. Has a provider-side expiry. |
| Redirect URI | String, system-presented | AlloyScan callback URL | — | Must be registered as the Web redirect URI on the Microsoft App registration. |
Google provider — fields
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Enabled | Toggle | On / Off | Off | When On, a Sign in with Google button appears on the site sign-in page. |
| Client ID | String | Google OAuth 2.0 Client ID | — | Issued by the Google Cloud OAuth client of type Web application. |
| Client secret | String, masked | Google OAuth 2.0 Client secret | — | Issued together with the Client ID. |
| Redirect URI | String, system-presented | AlloyScan callback URL | — | Must be in the OAuth client's Authorized redirect URIs list. |
Constraints (SSO)
- The SSO providers menu entry can be hidden by deployment-level configuration. This is not configurable from the site Admin Center.
- A successful SSO sign-in still requires that the authenticated email match an Active record in Admin Center > Site Settings > IAM > Users.
- Multi-factor authentication is enforced by the SSO provider, not by AlloyScan.
- Successful and failed SSO sign-ins are recorded in Admin Center > Site Settings > Logs > Security log.
App registration
Configured at Admin Center > Site Settings > IAM > App registrations.
Fields
| Field | Type | Values | Default | Description |
|---|---|---|---|---|
| Name | String, free text | — | — | Display name of the registration. Required. |
| Client ID | String, system-generated | 20 characters | — | Identifier the API client presents during authentication. Read-only. |
| Client secret | String, system-generated | — | — | Secret the API client presents alongside the Client ID. Shown once at creation. |
| Expiration date | Date | — | — | Date after which the registration stops being accepted. Required. |
| Enabled | Toggle | Yes / No | Yes | When No, API requests using this registration are rejected. |
| Registration date | Date, system | — | — | Date the registration was created. Read-only. |
| Last used | Date, system | — | — | Most recent successful authentication with the Client ID. Read-only. |
Constraints (App registrations)
- App registrations grant API access only. They are not used to sign in to the AlloyScan UI.
- An App registration has no role assignment. Permissions follow the REST API surface it calls.
- Notification templates fire at 30 days before expiration, 7 days before expiration, and on expiry, in the Administrative category.
- An expired registration produces a persistent "API client alert" red banner on every page until it is renewed or disabled.
States
| State | Trigger | User-visible effect |
|---|---|---|
| Active | Created with a future expiration date and Enabled = Yes | Authenticates and authorises API calls. |
| Expiring (30 days) | 30 days before Expiration date | Administrative notification template fires. |
| Expiring (7 days) | 7 days before Expiration date | Administrative notification template fires. |
| Expired | Expiration date has passed | API calls are rejected; persistent red banner shows on every page. |
| Disabled | Enabled toggled to No | API calls are rejected; disabling alone does not trigger the banner. |
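The state and notification rules in the App registration section, written out as an added example (this is illustrative code, not AlloyScan's own implementation). Field names, the sample registrations and the review date are constructed; it assumes templates fire on the exact day of each threshold, that "on expiry" means the expiration date itself (the last day the registration is still accepted), and that a disabled registration fires no expiry notifications.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class AppRegistration:
    name: str
    client_id: str          # 20-character system-generated value (constructed here)
    expiration_date: date   # registration stops being accepted after this date
    enabled: bool = True

def days_until_expiry(reg: AppRegistration, today: date) -> int:
    """Positive before the expiration date, 0 on it, negative once it has passed."""
    return (reg.expiration_date - today).days

def registration_state(reg: AppRegistration, today: date) -> str:
    """Map field values onto the state names from the States table."""
    if not reg.enabled:
        return "Disabled"           # Disabled wins: it also clears an expired banner
    left = days_until_expiry(reg, today)
    if left < 0:
        return "Expired"
    if left <= 7:
        return "Expiring (7 days)"
    if left <= 30:
        return "Expiring (30 days)"
    return "Active"

def accepts_api_calls(reg: AppRegistration, today: date) -> bool:
    """API access requires Enabled = Yes and an expiration date not yet passed."""
    return reg.enabled and days_until_expiry(reg, today) >= 0

def banner_shown(reg: AppRegistration, today: date) -> bool:
    """The red 'API client alert' banner persists only while Expired (not Disabled)."""
    return registration_state(reg, today) == "Expired"

def notification_due(reg: AppRegistration, today: date):
    """Administrative template firing today, if any (assumption: exact-day thresholds)."""
    if not reg.enabled:
        return None
    thresholds = {30: "30 days before expiration", 7: "7 days before expiration", 0: "on expiry"}
    return thresholds.get(days_until_expiry(reg, today))

def audit(registrations, today: date) -> dict:
    """Per-registration summary an administrator would review on a given day."""
    return {r.name: {"state": registration_state(r, today),
                     "api_ok": accepts_api_calls(r, today),
                     "banner": banner_shown(r, today),
                     "notify": notification_due(r, today)} for r in registrations}

# Constructed sample data for a review on 2024-06-01.
SAMPLE = [AppRegistration("ci-bot", "a1b2c3d4e5f6g7h8i9j0", date(2024, 12, 31)),
          AppRegistration("sync", "k1l2m3n4o5p6q7r8s9t0", date(2024, 7, 1)),
          AppRegistration("reports", "u1v2w3x4y5z6a7b8c9d0", date(2024, 6, 8)),
          AppRegistration("legacy", "e1f2g3h4i5j6k7l8m9n0", date(2024, 5, 31)),
          AppRegistration("retired", "o1p2q3r4s5t6u7v8w9x0", date(2024, 5, 31), enabled=False)]
```

Running `audit(SAMPLE, date(2024, 6, 1))` shows which registrations are silently approaching expiry versus already raising the banner.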
Deployment-level availability
Some Admin Center surfaces are enabled at the deployment level. They are not configurable from the site Admin Center.
| Surface | Availability | Effect when unavailable |
|---|---|---|
| SSO providers | Deployment-defined | SSO providers menu entry is hidden for every site on the instance. |
| Security log | Deployment-defined | Security log menu entry is hidden. |
| Change log | Deployment-defined | Change log menu entry is hidden. |
Note: When one of these menu entries is missing, the cause may be a deployment-level availability setting rather than a per-site role problem.
Account lifecycle
| State | Set at | Effect |
|---|---|---|
| Active = Yes | IAM > Users by an Administrator | The account can sign in via email and password or SSO. |
| Active = No | IAM > Users by an Administrator | The account cannot sign in by any method. |
| Verified | Self-confirmed | Shown as a green Verified badge under Manage your account > General. |