Out of the box, users can log into the Esper Console using an email and password or Google Sign-on. In addition, Esper offers ways to integrate single sign-on (SSO) through an Identity Provider (IdP). In this article, we explain how our authentication system works and offer a few security best practices for creating a more secure platform. Maintaining security best practices helps to reduce risk from untrusted sources, keeps systems resilient to organizational shifts, and promotes trust from end users and business partners.
How the Authentication System Works
Esper supports the following methods to authenticate users:
- Email and Password
- Google Sign-on
- SAML-based SSO (via an Identity Provider)
- OIDC-based SSO (via an Identity Provider)
SSO Flow
Enterprise admins can choose to invite users through an IdP, through email/password, or through Google Sign-on. Once SSO through an IdP is set up, admins can switch to allowing logins only via SSO.
How to Invite Users with Email/Password and Google Sign-on
Once an Esper tenant is created, Enterprise Administrators can invite new team members by sending them an email invitation. After accepting an invitation, users can log in with an email address and password, or their Google single sign-on account. Users will need another invitation to log in with a different method.
Sign-in Types are Treated as Different Accounts
Administrators can see who logs in under User Management > Verified Users, as well as the login methods they used.
In this example, the cupcake@esper.io user has two login methods, Google authentication and Esper Credentials (email/password).
The Google account will be treated as a different account from Esper credentials. If a user created an API key in their Google account, they won’t be able to view it in their Esper credentials account. The accounts can also have different roles. Find out more about user roles in Introduction to User Management.
Users Can Log in to Multiple Tenants with the Same Credentials
If you have access to multiple tenants, you can use the same credentials to log in. No need to change your password when accessing a different tenant.
Best Practices
Create an API Key Management Account
Create an Enterprise Administrator account specifically for API Key management. That way, no matter who leaves your organization, the API Keys will stay active.
The API Management account should be administered by your organization, meaning it should have its own email account (for example, APIAdmin@yourorganization.io). Then, invite the account to Esper. When a new API Key needs to be created, create the key in the API Management account and issue it to the user.
Creating a single API Key Management account also enables admins to delete keys from a central account. For this reason, we recommend naming the keys based on their purpose and creating different keys for different purposes.
About Switching to SSO-Only
For organizations that use an IdP, we recommend switching to SSO-only after connecting the Esper Console to your IdP. Once switched, users will only be able to log in through the SSO method. Other sign-in methods will be disabled.
If all authentication methods are enabled, admins will need to maintain the following:
- Email/Password accounts
- Google Sign-on accounts
- SSO accounts
A single user could have three accounts in the tenant, which may be difficult to maintain at scale. Switching to SSO-only will restrict each user to one account.
Learn more about switching to SSO.
Conclusion
Maintaining user accounts is one part of creating a more secure system. Esper provides a variety of ways to authenticate users. Talk with your organization to determine which methods work best for your teams.