
Authentication overview

Authentication methods available in Identity.

Written by Onyema Onyejekwe
Updated over 3 weeks ago

📌 Note: You may already have authentication configured via Access Identity if you currently have an existing Access Evo (previously Access Workspace) organisation. As part of the pre-configuration checklist, you're prompted to reach out to your Access Evo administrator who should be able to confirm this. If authentication is already configured for your Access Evo organisation and your users, you don't need to review this article.

Access Identity definition

Access Identity is the authentication provider for Access Evo. Identity determines the security configuration, for example password policies and timeout details that align with your organisation’s security policies, SSO configuration where required, and so on.

As all PeopleXD users are now customers of the Access Group, you too get to benefit from the security policies that we refer to as Access Identity.

This new login process is shared across the wide range of products offered by the Access Group and allows you to log into other products including Access Evo.


Benefits of Access Identity

  • Security Policies: Govern your whole domain and the users in the organisation through a security policy. Control users' session lengths and the authentication settings for all users in the domain, such as password length, CAPTCHA and failed sign-in attempts.

  • SSO: Single sign-on with OpenID Connect supported services through Federation.

  • Users can enable two factor authentication to add an additional layer of security on their account.

  • Mixed authentication: This is available because the authentication type is configured at the organisation’s email domain level as a Security Policy. For example, a customer could use SSO for their @companydomain1.com users and native or local authentication for their @companydomain2.com users.

    • A security policy can be linked to multiple email domains, but an email domain can only be linked to one security policy.

  • Impersonation allows you to grant someone else the ability to sign into Access Evo as you without them having to know your password with

Authentication Types in Access Identity

To configure the required authentication type for each of your domains, review the relevant article below:

  • Two factor authentication:

    • Two factor authentication is available as standard with native or local Identity authentication.

    • The requirement to use two factor authentication is optional by default for a user. All users can enable two factor against their account.

    • To make two factor authentication mandatory for users against that policy, you can enable the Identity Security Policy called Force Two Factor Authentication Required.


Email Domains and Security Policies

In Access Identity, details such as password policies and session timeout for users are configured against a security policy.

  • The security policy is configured at the level of the organisation’s email domains.

  • You can only link a security policy to an email domain that the company owns. Domains like gmail.com are not valid.

  • At least one security policy must be configured to link to your domains.

  • If a security policy is not linked to a domain, then a default security policy is used.

  • The setup of the default security policy is detailed below and cannot be changed:

| Setting | Value |
| --- | --- |
| Users must sign in every | 8 hours |
| Automatically extend the session if the user is active | Yes |
| Access Tokens expire after | 1 hour |
| Failed sign in attempts before temporary lockout | 3 attempts |
| Lockout duration | 1 minute |
| Stay signed in option allowed | Yes |
| Allow Impersonation | Yes |
| Allow user reveal password when entering | Yes |
| Validation method | Advanced |
| Require a strong password | Yes |
| Minimum password length | 10 |
| Use blacklist of known passwords | Yes |
| Passwords expire after | Never |
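
The linking rules above (one security policy per email domain, company-owned domains only, fallback to the default policy) can be checked against a planned configuration to see which users would end up on the unchangeable default policy. This is an added example, not part of the original article and not Access Identity's own code or API; the policy names, function names, the companydomain3.com domain and the user list are constructed assumptions.

```python
# Added example: a local model of the linking rules described above.
# It does not call Access Identity; every name here is hypothetical.
from collections import defaultdict

# The article names only gmail.com as an invalid (non-company) domain.
PUBLIC_DOMAINS = {"gmail.com"}
DEFAULT_POLICY = "default"


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return domain.lower()


def build_links(plan):
    """Turn {policy: [domains]} into {domain: policy}, enforcing the rules."""
    links = {}
    for policy, domains in plan.items():
        for raw in domains:
            domain = raw.lstrip("@").lower()
            if domain in PUBLIC_DOMAINS:
                raise ValueError(f"{domain} is not a company-owned domain")
            # A domain may be linked to only one security policy.
            if links.get(domain, policy) != policy:
                raise ValueError(
                    f"{domain} is already linked to {links[domain]!r}")
            links[domain] = policy
    return links


def effective_policies(links, emails):
    """Group users by the policy that would apply to them."""
    result = defaultdict(list)
    for email in emails:
        # Unlinked domains fall back to the default security policy.
        result[links.get(domain_of(email), DEFAULT_POLICY)].append(email)
    return dict(result)


# Constructed plan and user list; companydomain3.com is deliberately unlinked.
PLAN = {"sso-policy": ["@companydomain1.com"],
        "native-2fa-policy": ["companydomain2.com"]}
USERS = ["a@companydomain1.com", "b@CompanyDomain2.com", "c@companydomain3.com"]

if __name__ == "__main__":
    for policy, members in effective_policies(build_links(PLAN), USERS).items():
        print(policy, members)
```

Users listed under `default` would get the settings in the table above, including never-expiring passwords and impersonation allowed, so they are the accounts to review before go-live.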
