AuthN is an IDP. This means that for every integration the logs are provided by the service provider (e.g. Microsoft, Google, Salesforce, etc.). Please refer to the documentation of the service provider to obtain the logs.

Yes. AuthN by IDEE is passwordless. Nevertheless, to ensure compatability with SAML integrations we enable PasswordProtectedTransport.

Yes. AuthN by IDEE is passwordless. Nevertheless, to ensure compatability with SAML integrations we enable PasswordProtectedTransport.

An invited admin is allowed to invite new users to their own integration(s).

Only the owner of an integration can add/invite another admin.

No, you can invite admins with any email address.

Currently , only an existing admin can receive an invitation.

Please make sure that the admin you want to invite is already registered on our Integration Portal.

Yes, you can get a branded setup for your integrations, inlcuding app, login pages, emails, and self-service portal.

It may take up to 5 minutes for changes to apply. If the integration after 5 minutes is still not taking effect please make sure your integration details are correct.

A backup allows the admin to add a new device to their account using the backup code. Thereafter, the admin has full access to their account.

Without a backup code a new device can only be added by proving possession of the mailbox and then resetting your account. Resetting your account means all existing devices are deleted and admin access on the account is revoked. To regain admin access on the account, please submit a support ticket here: https://www.getidee.com/support

Go to https://authn.getidee.de and scan the QR-Code with the App. You can either use AuthN by IDEE app or your branded AuthN App from IDEE.

You can use the AuthN app or your branded app.

Yes. In order to use the Integration Portal with your authenticator, you need to use the same email address you used when registering for the Integration Portal with your authenticator. Your email address is your account identifier.

If you recently reset your account, access to your Integration Portal was removed. Please create a ticket here to regain access: https://www.getidee.com/support.

The system administrator that is responsible for a specific integration(s) should create an account on the Integration Portal. In order to share an integration with another adminstrator, each adminstrator needs to create an account on the Integration Portal prior to sharing.

To test AuthN with Mircosoft products, we recommend setting up a separate domain and using the Integration Portal.

Once the integration is setup, the user is automatically re-directed to the AuthN login page or the branded login page. On the login page the user is then asked to follow the setps to enable Secure Magic-Link, Web-AuthN or the AuthN app depending on the configuration. Thereafter, the user can instantly login to the application.

Once the user is deleted on your IAM system, the user can no longer access any of your systems. Our clients can automatically delete that account on IDEE by leveraging SCIM.

The root account of your domain cannot be federated. For example, the Microsoft Azure AD root account, onmicrosoft.com, is always accessible by using your username, password, and token.

The invitation link can only be used once by the user who has received the link. The link is tied to the email address that was used when it was created. The user cannot change it.

Please use the following command: Set-MsolDomainAuthentication -DomainName $domain -Authentication managed

For domains that are Azure AD only and federated, it is currently not possible to login directly to the domain from a PC. The user needs to log-in to a local account on the PC first and then go under Settings\System\About and click on Join Azure AD. Thereafter the user can follow the Web-AuthN or AuthN registration flow to add the PC to the domain.

Once an Azure AD is federated, users need to be added using Microsoft Graph Explorer. Here are the steps for the Microsoft Graph Explorer:

1. Sign into the Microsoft Graph Explorer here (https://developer.microsoft.com/en-us/graph/graph-explorer) using your Azure admin account.

2. After you have signed in click on the 3 dots next to your profile and 'SELECT PERMISSIONS.

3. Please add the following permissions: User.ReadWrite.All and Directory.ReadWrite.All.

4. Go to Sample Queries. Find and select  'CREATE USER' which will create an example in JSON.

5. Please copy the following code and update it to the user's particulars to create the user:

{​​

 "accountEnabled": true,

 "displayName": "FirstName LastName",

 "mailNickname": "username",

 "onPremisesImmutableId": "username@example.com",

 "userPrincipalName": "username@example.com",

 "mail": "username@example.com",

 "givenName": "FirstName",

 "surname": "LastName",

 "passwordProfile" : {​​​​​​​​​

   "forceChangePasswordNextSignIn": true,

   "password": "<password>"

 }​​​​​​​​​​​​​​​​

}​​​​​​​​​​​​​​​​

‍

Please create a ticket here to report a bug or make a feature request: https://www.getidee.com/support/product-request

Please create a ticket here to report a security incident: https://www.getidee.com/support/report-security-incident

The AuthN app works on any smartphone or tablet with the following OS versions:

- Android version 6.0 or higher

- Apple iPhone with IOS 11 or higher

Web-AuthN works on any computer with a TPM chip (internal or external) and the following browsers:

- Microsoft Edge

- Chrome

- Safari

- Internet Explorer 7 or higher

Currently, we support one account per authenticator app. If you choose the branded option, you can use our AuthN app and your branded app. This way you can use two different accounts.

A work around for Android:Certain phones with Android 10 and later support Dual-apps. With this feature you can use AuthN in dual-app mode to access two separate mailboxes.

A general work around:M365 offers delegated access. You can find the M365 documentation here: https://support.microsoft.com/en-gb/office/access-another-person-s-mailbox-a909ad30-e413-40b5-a487-0ea70b763081#__toc372210362"

With Web-AuthN, multiple accounts can be setup on a single device.

Each adminstrator can share their integration(s) with other adminstrators via the Integration Portal. Sharing is only possible if the other adminstrator has an account on the Integration Portal.

To enable app passwords on Azure, please enable and enforce Azure MFA. Here is additonal information about app passwords: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-app-passwords

Once a Microsoft domain is federated, it needs a few minutes to replicate the changes and start redirecting to AuthN login page. Please be patient. Go have a coffee!!

When a domain is federated it is not possible to create users on that domain through Azure Portal.

However, it is possible to create new users using Graph Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer

Sign into Graph Explorer using an Azure admin account, and add required permissions. For managing users User.ReadWrite.All and Directory.ReadWrite.All permissions are required. Please follow these steps:

1. Find and select "create user" sample query.

2. Copy and edit request body from below:

{

 "accountEnabled": true,

 "displayName": "FirstName LastName",

 "mailNickname": "username",

 "onPremisesImmutableId": "username@example.com",

 "userPrincipalName": "username@example.com",

 "mail": "username@example.com",

 "givenName": "FirstName",

 "surname": "LastName",

 "passwordProfile" : {

  "forceChangePasswordNextSignIn": true,

  "password": "<password>"

   }

}

3. Click on "Run query"

If your account has active integrations on the Integration Portal you are not allowed to delete your account. You first need to go to the Integration Portal and delete all active integrations or create a ticket to transfer all integrations to another admin. You also need to revoke access to integrations you have shared with other admins. Thereafter, you can delete your account via the Self-service Portal (SSP).

Please ask an admin who is managing your email integration with AuthN to send you a one-time use magic-link for account recovery. This will allow you to enable your AuthN app as an authenticator. Thereafter you can access your mailbox by using AuthN.

If you do not have your backup code you need to reset your account. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.

Please ask an admin who is managing your email integration with AuthN to send you a one-time use magic-link for account recovery. Thereafter, you can reset your account and enable AuthN. Once AuthN is enabled you can authenticate to your mailbox. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.

All authenticator devices are deleted and access to the Integration Portal is removed. You need to contact IDEE to regain access to the Integration Portal. To obtain access to your integrations on the Integration Portal, please create a ticket here: https://www.getidee.com/support.

Please check if you have an anti virus software enabled that automatically clicks on links in emails. If yes, please disable it for internet and try again.

App passwords created for service accounts prior to switching the domain from managed to federated will continue to work. If new app passwords need to be created, the admin needs to login to the service account and create new app passwords. When the admin tries to login to a service account, they will need to authenticate with AuthN.

Please ask an admin to send you a one-time use magic-link to login to your service account using Web-AuthN.

Yes. However, once you delete/disable an enterprise account, the user will no longer have access to your data.

No, when an enterprise account is deleted that account needs to be deleted manually on IDEE services (Integration Portal, AuthN User). However, when an account is deleted on your IAM platform, the user no longer can access your data.

User should ask an admin to send them a one-time use magic-link for account recovery. This link will allow them to setup a new authenticator device and thereafter you can access your mailbox.

Please ensure that the user has an internet connection. Also ensure that the VPN, firewall, proxy setups are not interfering with access to the IDEE service. Finally, if all else is working please ask the user to disable and enable the lock screen again.

Please check if the user has entered the correct email. Thereafter, please ensure IDEE is added to your whitelist, so that emails are not stuck in spam or quarantine.

On a Windows PC please enable Windows Hello. On a Mac please enable TouchID. On an iOS, iPadOS, Android device please enable system lock.

All existing devices on that account and any backups are deleted.

On the phone, go to Settings / Users & accounts / Work account and remove the email you are using to login and try to log in again.

There are two benefits.

1) A user can add a new device by using the PID (backup code) instead of approving via a push from an existing device.

2) Once a backup is created, a user can only reset their account by using an invite link from their adminstrator. A user is unable to reset their account by themselves. This adds addition protection for the user against account take over.

Web-AuthN is available on Safari on a MacMini when using a keyboard with TouchID. Alternatively, the user can use Chrome to have the Web-AuthN option.

The account language is based on the device language when the account was created and it is automatically set. It cannot be changed.

The app language is based on the device language when the device was added and it is automatically set. It cannot be changed.

Users can delete their device from their Self-Service Portal or from within the authenticator app.

On the Web-AuthN login page select Enable Another Account option to setup additional accounts on the same device.

AuthN does not work without a device lock. Please enable device lock on your tablet, smartphone or computer. For iOS, iPadOS, and Android you need to enable screen lock, for your PC please enable Windows Hello, and for your Mac please enable TouchID.

If you disable device lock on your tablet, smartphone, or computer, AuthN will no longer function. You will have re-enable your device as an authenticator.

All authenticator devices are deleted from the users account. The user can thereafter add devices to his/her account.

Users should ask an admin who is managing this email integration with AuthN to send them a one-time use magic-link for account recovery. This will allow them to enable their AuthN app as an authenticator. Thereafter the users can access their mailbox by using AuthN.

Probably there are multiple keys for your account stored in the TPM. Here is a guide how to delete them on a Windows PC:

1. Run CMD as administrator → type ‘Command Prompt’ in search bar on Windows, right click and select ‘Run as administrator'

2. In the CMD screen type: certutil -csp NGC -key

This will list all the keys. You’ll see the key in this format: `<sid>/<guid>/FIDO_AUTHENTICATOR//<rpIdHash>_<user id>`

3. Copy the key manually (without the ‘RSA’ at the end), and type in the next command providing the copied key:

certutil -csp NGC -delkey <key>

Press enter.

You should see ‘CertUtil: -delkey command completed successfully’

4. Repeat 3. step for every key.

‍

Here is a guide how to delete them on a Mac:

‍

1. Go to Safari > History

2. Click on Clear History. Please note this will clear all your History in addition to deleting your Web-AuthN keys.

Go to Settings -> Safari -> Request Desktop Website -> All websites.

Web-AuthN is currently not supported on Chrome Incognito mode on Windows 10 20H2. It is however supported on MacOS 11.6 and later.

Click on the cancel button and this will take you to the next window where you need to unlock your PC to authenticate to your website.

In order to use Web-AuthN on Safari on a Mac, the user must enable TouchID. Please enable TouchID on your Mac and try again.

Click outside of the pop-up and you will get an error, "Something went wrong. Please try again." Now click on login and unlock your phone to authenticate to the website. This is a known bug on iOS and it has been reported to Apple.

Switch to another app and go back to Safari and you will get an error, "Something went wrong. Please try again." Now click on login and unlock your phone to authenticate to the website. This is a known bug on iPadOS and it has been reported to Apple.

No problem.  We offer offline login.