Core EOS is a malleable SaaS authentication and authorization provider that will allow you to define solutions for a number of business and technology scenarios.
This is because Core EOS is a complete, full-featured OIDC solution that allows for a number of client and authorization flow configurations, both through the UI and directly through the published REST API.
Whether you are configuring simple client credential access for your microservices, PKCE code authorization for your SPAs and mobile apps, implicit grants for your web solutions, or even device flows for IoT, the OIDC features of Core EOS have you covered.
You can access many of the configurations available to you, including a full OIDC Client Manager, by clicking “Settings” at the top of the screen while logged into Core and then clicking “Identity”. If you are looking for a setting that is not there, let us know! We are constantly adding, updating, and making new features available.
Core EOS allows for a single login to work across all integrated products. In other words, one account with credentials that provide access to every product at your company, as well as to the Core EOS portal itself for its self-service screens.
This feature is possible because Core EOS is a secure OIDC provider behind the scenes (in addition to its other features) that manages all logins and sessions. While other login specifications (non-OIDC) are made available through Core EOS, these specifications are added through adapters so that behind the scenes, Core manages the session and tokens as it would for an OIDC login. These logins are then secured on the client browser to the specific Platform (Auth Group) instance.
You can manage your products and associated Login Services in Core by clicking “Products” on the left nav of the screen.
Multi-factor authentication (MFA) is table stakes functionality and it is absolutely available with Core EOS through our partnership with Privakey, a trusted member of our Transformation Partner Network.
Our solution is a biometric enabled MFA that is tied to your fingerprint or facial recognition on your device. You and your users can download the Auth Wallet App that enables the feature on your mobile device from the iOS or Google Play store. Alternatively, if you’d like to take your platform experience to a new level, we can create a custom branded authorization app that you can release under your own name in the iOS or Android store (additional costs associated with custom branded auth wallet apps).
You can make Biometric MFA available to all of your users by going to “Settings” at the top of the screen when logged into Core EOS and clicking “Identity”. From there, scroll down to “Multi Factor Authentication” and flip the toggle to enable. Click the instructions overview to set up your platform appropriately. At this point, you may either enforce MFA for all users, forcing them through a setup step on their next login, or you may leave it as an opt-in feature.
If you have not enforced MFA, users can enable MFA for their accounts by logging into the Core EOS portal and clicking “Account” at the top left of the portal screen. From there, click “Setting” on the left sub-navigation, and then click “Enable MFA”. They will be walked through setup in 4 easy steps.
Earlier we said that Core EOS is an OpenID Connect (OIDC) provider. That’s true except for one important detail. Unlike our competitors, we believe that a user’s privacy is more important than any business need. We created biometric secured profiles to protect our users… and your users.
What this means is that you can’t simply request a user’s profile information as part of a login or query it on demand. Instead, we have built a secondary request system outside of the login flow. Any user or organization on your platform can request the personal profile information of another user, and that user is fully in control to either approve or deny the request.
If the user in question has MFA enabled, the request is routed to both their dashboard and their device, where they can approve or deny the request only through a biometrically authorized action. If they do not have MFA enabled, they can see and respond to all requests in their Core EOS Account dashboard.
Not even a system admin can bypass a secured profile.
If you’re worried that this presents a hurdle to implementation, don’t be. We’ve made this system robust. The secured profile API allows you to set up direct access requests and callback data transmission requests, all triggered through the user’s approval.
As an admin, or someone who has been granted User view permissions, you can request secured profile access of users by opening “Users” from the left navigation, clicking “All Users”, and scrolling down to the user whose profile you wish to access. Click the user and simply click “Request secure profile access”.
Role-based access (RBAC) is a common feature in the world of authentication and authorization. In and of itself, this feature is minimally useful, because you have to get really creative to use it in a multi-product SaaS environment. This is especially true with a lot of our competitors. We decided to fix this.
Core EOS provides a solution to map every product in your company, define fine-grained permissions that manage just about anything you need in those products, and then define product specific roles that group those permissions. From here, you can simply license these products to customers and domains, and then configure users with the appropriate customer, domain, and role information.
All of the configuration information is then provided through the OIDC token when you request the “access” scope.
To create and manage products, roles, or permissions, simply click the corresponding left nav menu item of “Product”, “Permissions”, or “Roles”.
One of the many things our competitors generally force you to manage yourself is the mapping of products to your customer tenants. This becomes especially problematic in a multi-product SaaS organization because you MUST answer the question of which user has access to which customer, and which products that customer has licensed and can access.
We decided you shouldn’t have to manage this on your own, and we designed Core EOS to manage a list of your organizations (customers, departments, etc.) and the products they’ve licensed. Now you can very clearly define which products a user should be able to access when they’ve been given access to a customer. You can also define domains of an organization and further subdivide product assignments/licensing across those domains. Domains are the mechanism of product access. Once a product is assigned to a domain, that domain can then be assigned to a user, which gives the user access.
We even went further and built in the ability for you or your customers to define custom roles for your products within the bounds of their tenant.
To define product licensing for an organization, simply click “Organizations” from the left nav. Choose an organization you’d like to license a product to, and click “Licensed Products”. From here you can choose one of your products from the drop-down and click “Add” to license. Once added, you can further manage roles for that product specific to this organization by clicking “Roles” under the product name in the list.
This solution is entirely accessible via API so you can further integrate your CRM solution. We’re happy to help you build a connector; just reach out.
We have showcased two features on this page that on their own are pretty striking:
The real magic of Core EOS Modern Identity comes when you combine B2B user management with the features above. Product specific roles and permissions let you define your ecosystem. Product access managed customers define the landscape of customers, domains, and products. B2B user management across customers lets you define for every user in your platform, which customers they’ve been given access to, which domains and subsequent products they should see upon access, and what roles and permissions they have once authorized, all in an extremely intuitive user experience that lets you manage one user at a time or multiple bulk users. This is new… you haven’t seen it before. And it's going to save you months, if not years, of development time.
You can access this feature by simply clicking “Users” on the left navigation. When you do, you’ll see that the user list has two segments: “All Users” and “Organizations”. The organizations are those which you’ve added and licensed products to already. Simply click the organization you want to add users to and you will then be able to either add an existing user or create a new user on the platform and simultaneously add them to the organization, by typing their email address in the input field at the top of the middle column.
Once added, click the user’s email address and you will see information about them including an organization profile (not the same as a secured profile), and all of their access. Under the “Access” section of the window, simply toggle the “Domain” you’d like them to access. This action will automatically give them access to the products which populate under the “Products” section. From there, you can further refine access by adding the roles you wish for them to have within any given product by clicking the product and toggling the desired role under “Assignments”. Now click “Update Access”.
Once again, all of this information will be made available through the OIDC access token on login by requesting the “access” scope.
While we want to ensure that a user’s personal information is secure, the B2B SaaS world has a unique challenge that needs a solution. Your customers will likely want to store and manage information about the people (employees, contractors, etc.) they allow to access their licensed solutions. They may even want to map this data to their own internal HR records and IDs. We call these organization profiles.
Organization profiles look very similar to secured profiles, but they are controlled by the organization administrator and are not directly linked in any way to the secure profile of the user. An organization admin can ask to sync a user’s secure profile with the organization profile, but the user may refuse. Regardless, the organization admin is free to define information about the user in the organization profile.
Users are not completely divorced from associated organization profiles. Through the account dashboard, a user can see all organization profiles that have been linked to their account. They can also request that such a profile be deleted, though ultimately this is up to the organization admin.
To create or modify a user’s organization profile, click “Users” from the left navigation and choose the desired organization from the list available in the window. Click the appropriate user’s email address and you will see organization profile fields in the middle column. Updates are auto saved.
Core EOS provides account management screens so users can self-manage their credentials, their MFA, their notifications, and more, without you having to build those screens.
This is possible because Core EOS is designed as an access adaptive UI. That's just a fancy way of saying that the UI recognizes the permissions of a user that signs into the portal and adjusts what is visible and accessible on the screen to match. In other words, if a user without any privileges to manage Core EOS resources signs into the Core portal, it's perfectly safe.
You can simply link users from your products to the Core EOS portal by creating a hyperlink to core.unitedeffects.com/YOUR-PLATFORM-ALIAS. Alternatively, if you’ve defined a custom domain for the UI, you can use that URL.
Because Core EOS operates as just another product within your suite of SSO enabled products, the user will already be authenticated and may simply need to authorize access with a button click.
All users will always have access to their Account Dashboard where they can manage their own information and configurations. To access the dashboard, simply click “Account” on the upper left of the Core EOS window.
If desired, it is also possible to create custom UI components using our REST API.
Core EOS allows you to define admins for your organizations (customers) that can then access the Core EOS portal and self-manage their own customer configurations, including configuring their own federated SSO without you having to do anything.
Users that have been given admin privileges to an organization will be able to see the “Users” and “Organizations” left nav options when they access the Core EOS portal.
They can manage details about their organization by clicking “Organization”. There they can define basic information about the company, contact information, restrict access to specific email domains, and even define terms of access that users must agree to prior to being added to their organization.
They can further define their own SSO configuration for their in-house OIDC or OAuth2 solution, without you having to do anything. Other popular formats are coming, but if you need something specific let us know!
When the admin then clicks “Users”, they can actually search for and add users to the organization and define access to the products they’ve licensed without any overhead from your customer success teams.
All of these screens are ready to go and can be accessed simply by directing these users to your Core EOS instance which lives at core.unitedeffects.com/YOUR-PLATFORM-ALIAS, or if you have a custom domain for the UI, that URL.
When we say that we want Core EOS to be YOUR platform, we aren’t kidding. Once you sign up, you can use your own name, logo, and background image to brand the experience. Additionally, you can define custom domains so the URLs users see are for your company.
Custom domains are available both for the UI (core.unitedeffects.com) and the backend OIDC provider (auth.unitedeffects.com).
To request custom domains, click “Settings” in the upper left of the Core EOS window and navigate to “Branding”. Enter the “Custom Domains” wizard and follow the on-screen instructions.
You will be provided with a TXT record that you must add at your registrar so we can confirm your ownership of the domain, and with CNAMEs to point your custom UI and OIDC domains to so we can route requests appropriately. Our solution will handle SSL.