Authenticate users
Keep your Kustomer data safe using one of our supported authentication methods.
Articles
Set up Microsoft single sign-on (SSO)
You can let users sign in to Kustomer using their Microsoft account. With Microsoft Single Sign On, you can use Microsoft's infrastructure (via Azure Cloud) as an authorization source and ensure that your Kustomer data is kept safe. Our security policy lets you manage sign-on requirements in settings and restrict sign-in permissions to a Microsoft account only.
This allows you to use Microsoft as the single main repository for user administration and authorization. If you already have an active directory, you can link it up to Azure, which makes it easier for organizations that are already integrated with Microsoft to start using Kustomer. For more information on the OpenID Connect and OAuth 2.0 protocols used by Microsoft to implement authentication and authorization, see their article.

Who can access this feature?
User types: Admins can access the Security page.

To turn on Microsoft Single Sign On:
1. Go to Settings > Security > Authentication.
2. Turn on the toggle for Microsoft Single Sign On.
Once this setting is turned on, members in your organization will have the option of selecting Sign in with Microsoft on the sign-in page.
They will be taken directly to the Microsoft login page where they can enter their Microsoft credentials.
You can also choose to only allow Microsoft sign-in by turning off the Kustomer toggle in the Authentication page. If you turn the Kustomer option off, members in your organization will only be able to sign in to Kustomer using their Microsoft account.

Set up Google single-sign on (SSO)
Our Google Login uses the Sign in with Google process that you already trust to keep your customer data even safer. Our security policy lets you manage sign-on requirements in settings and restrict login permissions to Google login only.

Who can access this feature?
User types: Admins can access the Security page.

To configure the Google Login in your Kustomer organization, go to Settings > Security > Authentication, and turn on the Google Single Sign On option.
After you turn this setting on, team members can sign in to your Kustomer organization with Google by selecting the Sign in with Google button.
You can also choose to only allow Google sign-in by turning the Kustomer setting off. In this case, your team members will only be able to sign in to Kustomer by clicking the Sign in with Google button.

Set up SAML authentication and SSO login
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. SAML SSO works by transferring the user's identity from one place (the identity provider) to another (the service provider) through an exchange of digitally signed XML documents.
Kustomer supports various SAML providers. The following is an example of one such integration using Okta, but these steps can be adapted to any other SAML provider.

Who can access this feature?
User types: Admins or custom roles with Security access enabled can access this feature.

In this article: Prerequisites, Configure SAML in Okta, Configure SAML in Kustomer, Advanced settings

Prerequisites
Before following the steps in this guide, ensure that the SAML provider you are looking to hook into describes itself as an identity provider that performs SSO authentication. If the provider you are looking to integrate with is only an identity aggregator, you would need to make the configurations explained below in the application you are using for SSO authentication.

Configure SAML in Okta
Log into your Okta account as an Administrator, and then follow the steps below to complete the Kustomer App creation.
1. Select Applications in the toolbar, then select Add Application.
2. Select Create New App.
3. A dialog labeled Create a New Application Integration will appear. In the Platform drop-down menu, select Web, and select SAML 2.0 as the Sign on method. Then, select Create.
4. Enter Kustomer as your app name. You can download the Kustomer logo from our Brand Assets page for the App logo field. Select Next to proceed.
5. A form titled SAML Settings will appear. Fill out the fields as follows, replacing [orgname] with the subdomain your organization uses for your Kustomer site:
   Single sign on URL: https://[orgname].api.kustomerapp.com/auth/saml/callback
   Audience URI (SP Entity ID): https://[orgname].api.kustomerapp.com/auth/saml/metadata
   All other fields can be left blank.
6. Click Next at the bottom, then Finish on the following page.
7. You will see the Settings for your Kustomer app. In the Sign On tab, click View Setup Instructions.
8. The page that appears contains an Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate. Leave this tab open while you access the Kustomer settings in another browser window.

Configure SAML in Kustomer
To finish configuring SAML, open Kustomer in another browser window so you can copy and paste the certificate details from the Okta site into Kustomer.
1. Sign in to Kustomer as an admin, then navigate to Settings > Security > Authentication.
2. Turn on the SAML Single Sign On setting.
3. Copy the Identity Provider Single Sign-On URL, Identity Provider Issuer, and X.509 Certificate strings from the Okta settings into the corresponding fields in the Kustomer settings.
Note: The user email address in Kustomer must match the one specified in your SSO settings.
Once you finish the configuration, we recommend you log out of Kustomer and log back in via SAML to test that the configuration was set up correctly. Once confirmed, you can choose to allow users to log in only via SAML by going back to Settings > Security > Authentication and turning off the Kustomer setting. Turning this setting off means members in your organization will only be able to sign in to Kustomer using their SAML credentials.

Advanced settings
You can click Show advanced settings in the SAML Single Sign On settings to access additional configuration options.
Force Authentication: Disabled by default. Enabling this requires the user to re-enter their Okta/SSO login credentials each time they want to access Kustomer. Re-authentication is required even if the user still has an active Single Sign On session with Okta or the identity provider.
Sign Authentication Requests: Disabled by default. Enabling this will require Kustomer to send additional authorization keys to confirm access with Okta, and requires you to upload the Kustomer public certificate to your identity provider.
Allow Unencrypted Assertions: Enabled by default. This determines whether or not the SAML assertion is encrypted. If you choose to disable this setting, you will then need to upload the Kustomer public certificate to Okta or the identity provider.

Manage Kustomer session lifetime settings
Kustomer offers a variety of authentication settings that allow you to manage how users access your organization. The Kustomer Session Lifetime settings work outside of your Single Sign-On (SSO) settings, and control how long users stay authenticated before being required to sign in again. These settings can be customized to balance your organization's security needs while minimizing roadblocks to your agents' productivity.

Who can access this feature?
User types: Admins can access the Security page.

In this article: What is Session Lifetime?, Manage Authentication settings

What is Session Lifetime?
The Kustomer Session Lifetime settings govern how long users stay authenticated within Kustomer before being required to log in again. This setting applies to the Kustomer platform as a whole, and operates independently of your organization's SSO settings.
When a user signs in to Kustomer, they will remain logged in and will not be required to re-enter their credentials to access the platform, as long as they remain authenticated in their SSO system (if your organization uses SSO). When the session lifetime period elapses, the user will be required to log in again to Kustomer, even if they are still authenticated in your SSO system.
By default, this period is set to 30 days. However, you can customize this login period to be shorter or longer to best meet the security needs of your organization. The Kustomer Session Lifetime can be set to any period of time specified in units of hours or days, with a minimum period of 1 hour.
Note: Shorter periods may disrupt agents in the middle of their work by logging them out and forcing them to re-authenticate. This can be a frustrating roadblock for your team members who work predominantly in Kustomer. When modifying this setting, be sure to consider the impact on agents.

Manage Authentication settings
You can control your organization's Session Lifetime options through the Authentication settings.
1. Select Settings > Security > Authentication.
2. Use the numeric and days/hours fields to adjust the desired session lifetime.
3. When finished, select Save to apply these changes.
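
For the SAML setup described earlier, an added example (not Kustomer's or Okta's code): a read-only check of a SAMLResponse captured during the recommended test login. It confirms the response targets the callback and audience URLs from the SAML Settings step, reports whether the assertion arrives encrypted, and checks that the NameID matches a Kustomer user email. The function names, the orgname acme, the sample response and case-insensitive email matching are assumptions, and the script reports whether a signature element is present without verifying it.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_urls(orgname):
    """Service-provider URLs from the SAML Settings step, [orgname] filled in."""
    base = f"https://{orgname}.api.kustomerapp.com/auth/saml"
    return {"acs": f"{base}/callback", "audience": f"{base}/metadata"}

def inspect_response(b64_response, orgname, kustomer_emails):
    """Report the structure of one base64 SAMLResponse; verifies no signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    urls = sp_urls(orgname)
    report = {"signed": root.find(".//ds:Signature", NS) is not None,
              "encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
              "problems": []}
    if root.get("Destination") != urls["acs"]:
        report["problems"].append("Destination is not the Single sign on URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # encrypted or missing: nothing more is readable
        return report
    audiences = [a.text for a in assertion.iterfind(".//saml:Audience", NS)]
    if urls["audience"] not in audiences:
        report["problems"].append("Audience is not the SP Entity ID")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    # Assumption: e-mail addresses are compared case-insensitively.
    if name_id.lower() not in {e.lower() for e in kustomer_emails}:
        report["problems"].append(f"NameID {name_id} matches no Kustomer user")
    return report

# Constructed sample: orgname "acme", unsigned, plaintext assertion.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://acme.api.kustomerapp.com/auth/saml/callback">
 <saml:Assertion>
  <saml:Subject><saml:NameID>j.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>https://acme.api.kustomerapp.com/auth/saml/metadata</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(inspect_response(SAMPLE, "acme", ["jane.doe@example.com"]))
```

A NameID mismatch reported here is worth resolving before turning off the Kustomer setting, since that user would have no other way to sign in.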