
User accounts and passwords


    Let's look at how SuperID affects user accounts and passwords.

    Before SuperID

    • Each CRM Online user account has a separate password for each tenant.

    • A user equals an associate in the customer database.

    • The username can be any of the email addresses on the associate's person record.

    • Credentials are tenant-specific: 1 CRM Online user account + password belongs to 1 tenant only.

    • The password hash is unique to each associate and stored in the customer's credential record.

    • A centralized database of users is used to automatically redirect each user to the tenant they belong to.

    User admin:

    • Admin creates a new user in the Admin client and enters all details including an initial password.

    • Any coworker can change the username and email address of any fellow coworker.

    • Passwords can be reset by the admin or by self-service.

    With SuperID

    • Each CRM Online user account can belong to 1 SuperID user account.

    • A user is a SuperID user linked to an associate in a customer database.

    • The SuperID username must be a valid email address! It is the same as the new username field on the associate record and in the Admin client.

    • Credentials are account-specific: 1 SuperID user account + password can belong to 0 or more tenants.

    • The password hash is unique for the person's SuperID account and stored in SuperID.

    • The sign-in page will list all tenants the account has access to (if more than 1) and the user must select which tenant to sign in to.

    User admin:

    • Admin registers a new user in the Admin client and the user will get a link to sign in. (You can set a global preference to not send welcome emails, but it should only be used in combination with federated sign-in (IdP).)

    • If the user attempts to sign in directly (not via link), they are sent to the IdP if one is set; otherwise, they get a code and need to validate their email address.

    • Only an admin in the primary tenant can change the username and email address.

    • Passwords can be reset by self-service or via email triggered by the admin. Only the user knows and sets their own human-readable password!

    When a tenant is migrated to SuperID, the password hash is transferred to SuperID. The 1st time the person signs in after migration, we generate and store a new hash. Thus, the old hash is only valid and used once before it is replaced.
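The replace-on-first-sign-in step described above, as an added example that is not SuperOffice code. The page does not name the hash algorithms, so both PBKDF2 settings, the record layout and all function names here are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: the page does not name either hash scheme; both PBKDF2
# settings below are stand-ins chosen for this example.
def legacy_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the tenant-side hash transferred at migration."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 10_000)

def current_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the hash generated centrally at first sign-in."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def migrate_record(salt: bytes, digest: bytes) -> dict:
    """Import the tenant credential unchanged and mark it as legacy."""
    return {"scheme": "legacy", "salt": salt, "digest": digest}

def sign_in(record: dict, password: str) -> bool:
    """Verify the password; the first success after migration replaces the hash."""
    if record["scheme"] == "legacy":
        candidate = legacy_hash(password, record["salt"])
        if not hmac.compare_digest(candidate, record["digest"]):
            return False  # a failed attempt leaves the transferred hash in place
        # The plaintext is only available during sign-in, so this is the one
        # point where the transferred hash can be swapped for a new one.
        salt = os.urandom(16)
        record.update(scheme="current", salt=salt,
                      digest=current_hash(password, salt))
        return True
    candidate = current_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])

def demo() -> dict:
    """Walk one constructed credential through migration and two sign-ins."""
    salt = os.urandom(16)
    old_digest = legacy_hash("correct horse", salt)  # constructed sample
    rec = migrate_record(salt, old_digest)
    out = {"wrong_before": sign_in(rec, "guess"),
           "scheme_after_fail": rec["scheme"]}
    out["first_ok"] = sign_in(rec, "correct horse")
    out["scheme_after_ok"] = rec["scheme"]
    out["old_digest_gone"] = rec["digest"] != old_digest
    out["second_ok"] = sign_in(rec, "correct horse")
    return out

if __name__ == "__main__":
    print(demo())
```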

    The SuperID sign-in service has 2 levels - basic and federated.

    The basic level of the SuperID sign-in service uses a password to authenticate like the standard sign-in service. However, this centralized model doesn't store passwords in the CRM Online database. It actually uses SuperID as the identity provider.

    SuperID supports using 3rd-party federated sign-in services as an add-on. You can choose either Microsoft or Google to authenticate. This is sometimes referred to as identity provider sign-in or SuperID with IdP.

    If the SuperID account is federated, the username must be the user principal name (UPN) of the IdP (Microsoft or Google).