New Login Experience

In this article

    SuperOffice CRM Online login services

    The latest version of SuperOffice CRM Online introduces a new service which includes more features to help you handle how you log in to SuperOffice Online.

    You may read our article 'Everything you need to know about your SuperOffice CRM account' here.


    We now offer more than one login service - and this article will try to give you an overview of the available options, what is the features and benefits, and how each service is set up.

    This article will try to explain this on a high level - to make the choices more intuitive. Note, this article will only focus on specific end-user aspects of the services - and not all the technical details. Some of the information may not even be precise to achieve the purpose of giving a more userfriendly insight into each choice.

     

    The concept of all our login services has two levels:

    • A basic level: you use a password to authenticate
    • The option to connect to other federated login services; you use Microsoft or Google to authenticate.

    Multi-Factor Authentication ("MFA") / Two Factor Authentication ("2FA") is handled by the 3.party service through a 'federated login' service (like Microsoft Office365 and Google G Suite), and not by SuperOffice.

    By enabling a 'federated login' service, you also enabling MFA/2FA if the service supports this.

    CRM Online will send users to the correct place to authenticate.

    So, to log in:

    • First time users - will get an email with a link to get you going (adding you as a user to SuperOffice)
    • From then on - go to online.superoffice.com - add your email address and click next to authenticate
    • ..and you're in!

    And that is pretty much all you need to know.

     

    If you want to know a bit more, read on...:

     

    There are in principle 3 login services for CRM Online:

    1. The built-in standard login service
    2. The new SuperID login service
    3. The Cloud Document Integration login service (legacy)

    Each of these login services provides the admin user and the end-user with a set of feature sets. Some feature sets are overlapping, and some have configurable options to choose from.

    To change login service from one to another - there are some steps to perform.

     

    1. The built-in standard login service ("Standard SuperOffice")

    All CRM Online customers today use this service for logging in by default.

    In specific, the key features include:

    • One-to-One password: Each CRM Online user account has a separate password (per site: One CRM Online user account + password belongs to one site only)
    • Password is encrypted and saved within the database/site the user belongs to.
    • Passwords are maintained from the Admin client of the site. Only text string / key phrase is supported.

    A centralized database of users is used to redirect the users to the correct database/site the user belongs to.

    1. User logs in to online.superoffice.com using email address / username
    2. Username is inspected and forwarded to applicable service
      • The built-in standard login service ("Standard SuperOffice")
    3. User is asked for a password, and password is verified by identifying the correct site and authenticated
    4. User is logged in towards the correct site

     

    2. The new SuperID login service

    The SuperID login service has a basic level using a password, but SuperID supports to set up to use 3rd party federated login services as an add-on.

    Enabling SuperID for a site will enable the basic level of SuperId features. Enabling SuperID for a site must be performed by the Online Operations Team at the current stage: This will move credentials from the individual site to centralized storage.

    Enable and use basic login services of SuperId

    The basic level will provide the user with similar feature sets as the built-in standard login service (# 1 above) but is a centralized service which does not store the password in the CRM Online database/site (the login page actually uses SuperID as the identity provider (IDP)).


    To use SuperID authentication w/ basic login services you need:

    a) your site needs to be on the SuperID Plattform (and enables basic level).
    Easily done in this form.


    1. Online Operations Team configures the site to use SuperID
      • User details are moved to SuperID
    2. User logs in to online.superoffice.com using email address / username
    3. Username is inspected and forwarded to applicable service at https://id.superoffice.com/
      • The basic login services of SuperId
    4. User is asked for a password, and password is verified by authenticating towards SuperID
    5. User is logged in towards the correct site (choose site if the user is connected to multiple sites)

    In specific, the key features include:

    • One-to-Many user accounts: One or many CRM Online user accounts can belong to one SuperID user account (One CRM Online user account + password can belong to one or many sites)
    • Password is encrypted and saved centrally
    • Passwords are maintained from the id.superoffice.com (not from Admin client). Only text string / key phrase is supported.

    Note: At this point, we do not support moving a CRM Online site from SuperID back to built-in standard login service.

     

    Enable and use Federated login services of SuperId

    Today we support 2 different 3.party IDP providers; Google and Microsoft. For other IDP providers – please give your feedback – and we will look into adding support for it

    Due to there is now more than one of our login services that enables you to use your MS Office 365 or Google G Suite as the authentication service - which in turn gives you a different set of feature to use when logging into CRM Online - this can be a bit overwhelming and confusing.To use MS / Google to authenticate, your admin needs to decide on what type of features you require for your site, by either choosing SuperID authentication w/ federated login services or CloudOffice w/document handling features.

    To enable the option to connect to a federated login service requires 2 steps:

    To use SuperID authentication w/ federated login services you need:

    a) your site needs to be on the SuperID Plattform (and enables basic level).
    Easily done in this form.

    b) to register your IDP for your domain name to our systems first.
    Easily done by choosing your IDP provider and completing the login to your IDP here.

    Read more about the setup in this article:
    How to set up and configure SuperID

     

    1. Enable the site to use SuperId
    2. Register your domain name (so the login service knows which IDP to send your users to)

    1. Admin registers their identity provider at https://id.superoffice.com/identityprovider/register
    2. Their domain name and identity provider is registered

    Using a login service with IDP will be particularly valuable for those companies who have many users to administer. With the IDP features comes important services that will provide better management of users and improve your overall login experience.

    In specific, the key features of IDP includes (limited by the IDP's feature set and configuration):g

    • Multi-factor authentication (MFA) / Two-factor authentication (2FA) / Two-step verification
    • User authentication / login to CRM Online is leaner - uses your existing Office365 or G Suite credentials. No SuperOffice password
    • Automatic login if already logged in to Office 365 or Google G Suite (browser session)
    • Leaner administration of new and existing users from SO Admin: Just add Office 365 or Google G Suite user name - users get a welcome email with instructions on how to authenticate and log in
    • Handles user connected to multi-sites - handles users across all CRM Online sites - when logging into more than one site (choose the site to log into with one user-account )
    • Now Supports 'CloudOffice document integration' (Google G Suite /  Office365 SharePoint)

    1. User logs in to online.superoffice.com using email address / username
    2. Username is inspected and forwarded to applicable service at https://id.superoffice.com/
      • Google / Office365 / The basic login services of SuperId
    3. User is verified by authenticating by applicable service
      • Google / Office365 / The basic login services of SuperId
      • SuperID receives and stores this login session
    4. User is logged in towards the correct site (choose site if the user is connected to multiple sites)

    Note: At this point, we do not support moving a CRM Online site from SuperID back to built-in standard login service or to the Cloud Integration login service.

    The SuperId login service with its feature set can also be used (or will be in the future) by other products and type of services.

    We recommend for customers that plan to use Federated login services, to both enable SuperID and registering identity provider at the same time (or registering identity provider first) - to make the transition from built-in standard login service ("Standard SuperOffice") to Federated login services of SuperId as lean as possible ( = 1 operation for the end-user).

    Do I need to enable it 'for all' or can I enable it for 'individual users' :
    - Using SuperID as auth. method is enabled pr site (and not pr. user). (migrate the site to SuperId)
    - Using a password or federated login service - when SuperID is enabled based upon domain name registration - and that domain name needs to match users username.
    - Enabling MFA is feature by the federated login service only.
    So yes - some user can have federated login, and some password - but all users of this site but be converted to 'the new login experience' (SuperId).

    • More than one domain name
      • Some customers use more than one domain name for their users. Ie: contoso.dk + contoso.eu + contoso.onmicrosoft.com:

        - this can either be a 'Custom domain name', or a separate domain
        a) If it is a Custom domain name - Administrator of your AAD can sign in to the Azure portal for your directory, using an account with the Owner role for the subscription, and then select Azure Active Directory to get the list of these custom names. You may send this list to SuperOffice Support to get all these names registered by us manually.
        b) If it is another separate domain (subscription) - register this IDP for your domain name to our systems as normal Easily done by choosing your IDP provider and completing the login to your IDP here.

     

    3. The Cloud Document Integration login service (Google G Suite / Office 365 SharePoint) - Legacy

    This login service was used previously to support customers who used the Cloud Document Integration. Now, SuperId w/IDP also support Cloud Document Integration as an "add-on", and therefore all customer with this integration is moved to SuperID - and this service is legacy.

    Due to there is now more than one of our login services that enables you to use your MS Office 365 or Google G Suite as the authentication service - which in turn gives you a different set of feature to use when logging into CRM Online - this can be a bit overwhelming and confusing.

    To use MS / Google to authenticate, your admin needs to decide on what type of features you require for your site, by either choosing SuperID authentication w/ federated login services or Cloud Office with document handling features.

    The primary service they offer is:
    - cloud integration = document handling
    - superId = authentication

    SuperOffice CRM Online can integrate with Google G Suite and Microsoft Office 365 (SharePoint) document handling. These integrations are referred to as cloud document integrations. The integrations allow users (associates) to be authenticated by the cloud document service providers and documents to be managed by the respective cloud document service provider.

    Overall technical description can be found here.

    The Office365 and G Suite Document Integration app integrate the Office365 SharePoint’s and Google Drive's document management features with CRM Online so that you can create, store, and find your documents within SuperOffice, and enjoy the benefits of both SuperOffice and Office365 or G Suite services all in one place.

    Simply sign in to SuperOffice using your Office365 or Google login details and then open, edit and store documents in Office365 SharePoint or G Suite directly from SuperOffice.

    Office 365 Integration in SuperOffice App Store

    G Suite Integration in SuperOffice App Store

     

     

    To use Cloud Office with document handling features you need to:

    a) follow the guides for either:

    Setup - Office365 Integration

    Setup - G Suite Integration

    b) follow the guide for:

    Configure - Cloud Office document handling

     

    Federated Identity (FID) refers to where the user stores their credentials. In FID, a user's credentials are always stored with the "identity provider". When the user logs into a service, instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials. So the user never provides credentials directly to anybody but the identity provider. A federated identity is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.

    Single Sign-on (SSO) allows users to access multiple services with a single login: the user only has to provide credentials a single time per session and then gains access to multiple services without having to sign in again during that session.

     

    Changes in User Experience when going from Standard login to SuperId login

    For the End-User

    • New user / Frist time login
      • No change using a password
      • If admin enabled IDP - user can accept to use service on the first login
    • Logging in to CRM Online
      • No change using a password
      • If admin enabled IDP and user have accepted - the user is redirected to IDP to validate
    • Resetting password
      • Cannot ask Admin to perform
      • No change on 'Forgot password'  from CRM Online login page

    For the Admin User

    • New user / Frist time login
      • Cannot set users password in Admin
      • Welcome validation email is sent to the user automatically
      • If users are added from SuperOffice centrally - admin must approve through a link in email
      • Possibility to enable IDP (Google / MS) instead of a password
    • Resetting password
      • Admin cannot set the password
      • No change to function 'Reset password' in Admin
      • NOTE: if IDPis used - contact IDP admin to reset the users' password