Customers using SAML, AD, or LDAP
If your organisation has been using SAML, AD, or LDAP authentication methods to log in to PeopleXD, you now need to configure SSO using OIDC in Access Identity.
Is OIDC secure?
Yes. Configuring SSO using OIDC in Access Identity is a secure authentication approach.
You're still connecting your PeopleXD login experience to your existing Identity Provider (IDP). Only the underlying protocol connecting to your IDP is changing.
The benefits remain the same:
Passwords never pass through Access Identity. Authentication happens with your IDP.
Encrypted connections protect all data in transit.
Your corporate security policies remain in effect.
You maintain centralised control over how your users access your systems.
What's different?
The key difference is that SSO configuration is directly linked to the domain of the email address for each user logging in. It's not a system-wide setting for all users.
Multiple domains: Configure a security policy per domain. This provides greater flexibility where you require different authentication policies for different domains.
You don't own a user's email domain: You can't force an SSO authentication flow if you don't own the user's email domain.
Customers using PeopleXD ESS
ESS login allows users to sign in with a username and password. When you move to Access Identity, the standard login method becomes email and password.
Email: The system uses the EMAIL contact type stored for each user in PeopleXD.
Password: You can configure password policies based on each user's email domain. This provides flexibility when different domains need different authentication policies.
📌 Note: You cannot enforce a specific security policy if you don't own the user's email domain.
Users without email addresses
You should capture email addresses for all employees who need to log in to PeopleXD. Email addresses enable the most secure authentication approach and support key features:
Joiners: PeopleXD Evo sends automated invitations directly to the employee's email address. Employees complete their account setup and verify their email address as part of this process.
Forgotten passwords: Employees can use the Forgotten Password feature on the login screen. The system verifies their identity during the password reset process, following your organisation's password policy.
If you cannot provide an email address for an employee, you can set them up as a username account. This provides a limited authentication experience:
The system doesn't send automated invitations. Administrators must manually sync the user to Access Evo, set a temporary password, and share the login details.
Employees cannot use the Forgotten Password feature. Administrators must manually set a temporary password and provide it to the user.
The system applies only the default security policy. You cannot enforce two-factor authentication or company-specific password rules for these users.
Customers using two-factor authentication via Twilio
When you move to Access Identity, you no longer need a Twilio account. Access Identity provides two-factor authentication as a standard authentication option with three methods:
SMS: Users receive a token by SMS to their registered mobile number.
Authenticator app: Users complete a verification step in their chosen authenticator app.
FIDO2/U2F: Users authenticate using biometrics or a hardware security key.
You can configure your security policy to force two-factor or offer it as an option.
Forced two-factor authentication
Access Identity enforces two-factor authentication by email domain only. If your organisation has multiple domains, you can configure a security policy per domain. This gives you the flexibility to apply different authentication policies to different domains.
⚠️ Important: You cannot force an SSO authentication flow if you do not own the user's email domain.
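The sections above ("What's different?", "Users without email addresses" and "Forced two-factor authentication") all describe the same rule: the security policy that applies to a login is chosen by the domain of the user's email address, a forced SSO or two-factor policy can only be enforced for a domain the organisation owns, and a username account (no email address) only ever gets the default policy. The following is an added example that models that rule; it is not Access Identity's own code. The `Policy` fields, the `OWNED_DOMAIN_POLICIES` mapping and the sample domains are constructed assumptions for this illustration, and it matches owned domains exactly because the page does not say whether sub-domains inherit a parent domain's policy.

```python
"""Domain-keyed security policy resolution (illustrative, not Access Identity code)."""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    login_method: str       # assumed values: "oidc_sso" or "password"
    force_two_factor: bool  # True = two-factor required, False = opt-in only


# Policy applied when nothing domain-specific can be enforced:
# password login with two-factor available but not forced (assumption).
DEFAULT_POLICY = Policy("default", "password", force_two_factor=False)

# Constructed sample configuration: one policy per email domain the
# organisation owns. Domains here are placeholders, not real tenants.
OWNED_DOMAIN_POLICIES: Mapping[str, Policy] = {
    "example.com": Policy("corp-sso", "oidc_sso", force_two_factor=True),
    "contractors.example.net": Policy("contractor-pw", "password", force_two_factor=True),
}


def email_domain(identifier: str) -> Optional[str]:
    """Return the lower-cased domain of an email address.

    Returns None for a username-only account (no '@') or a value that
    is not shaped like an address, so the caller falls back to defaults.
    """
    ident = identifier.strip()
    if ident.count("@") != 1:
        return None
    local, domain = ident.split("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()


def resolve_policy(identifier: str,
                   policies: Mapping[str, Policy] = OWNED_DOMAIN_POLICIES,
                   default: Policy = DEFAULT_POLICY) -> Policy:
    """Pick the security policy for a login identifier.

    Exact-domain match only: an address in a domain you do not own, and a
    username account, both receive the default policy because nothing
    stricter can be enforced for them.
    """
    domain = email_domain(identifier)
    if domain is None:
        return default
    return policies.get(domain, default)


def account_capabilities(identifier: str) -> dict:
    """Summarise what the page says an account can and cannot do."""
    has_email = email_domain(identifier) is not None
    policy = resolve_policy(identifier)
    return {
        "policy": policy.name,
        "automated_invite": has_email,      # joiners: invites go to the email address
        "forgotten_password": has_email,    # self-service reset needs an email address
        "sso_enforced": policy.login_method == "oidc_sso",
        "two_factor_forced": policy.force_two_factor,
    }


if __name__ == "__main__":
    for who in ("Alice@Example.COM", "bob@partner.example", "jsmith", "hr@sub.example.com"):
        print(who, account_capabilities(who))
```

Running the block shows the four outcomes the page distinguishes: an owned-domain address gets the corporate SSO policy regardless of letter case, an address in an unowned domain and a bare username both fall back to the default policy, and only accounts with an email address get automated invitations and the Forgotten Password flow.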
Opt-in two-factor authentication
Users can configure their preferred two-factor method from the Access Identity login screen. They can choose from all three of the available methods.
Changes to self registration
Self registration in PeopleXD Security lets you control how you invite employees to complete their PeopleXD Portal account setup and enforce multi-factor authentication.
When you use Access Identity to log in to PeopleXD Evo, the self registration feature is no longer required. Access Identity handles user invitations, verification, and multi-factor authentication.
Feature | How it's managed in PeopleXD Evo
Invites | Access Evo manages user invitations directly and triggers them through the new joiner process in PeopleXD. You can create rules to define how and when you send invites.
Verification | Access Identity sends email invites to the employee's email address, including a link to complete their account setup. This process verifies the user as the account owner.
Multi-factor authentication | You define Access Identity security policies to control authentication for your users. You can configure two-factor authentication or single sign-on login flows to enforce multi-factor authentication for users. This is only possible where the user's email is based on a domain that you own.
