This article describes the user authentication methods available in SMARTFENSE, along with the configuration of each option, including the platform's own authentication, Microsoft Entra ID, Google, Auth0, Okta, and Keycloak.
Configuration available on our platform in the Users and Groups > Authentication section
Selecting the Authentication Method
In this section, it is possible to select the authentication method that users will use to access SMARTFENSE:
From the SMARTFENSE platform
Microsoft Entra ID
Google
Auth0
Okta
Keycloak
SAML 2.0
| Note: it is only possible to authenticate users who exist within the SMARTFENSE platform and are active. This information can be checked in the Users section. |
From the SMARTFENSE platform
SMARTFENSE's own authentication Settings
SMARTFENSE's own authentication can be used in two ways:
Authentication with Credentials
Each user must enter a combination of username or email and password to access the platform.
Authentication without Credentials
End users do not need credentials.
They receive a unique link in each notification, which allows them to enter their campaigns directly.
| Note: if a user shares their unique link, it is equivalent to sharing their credentials. Administrative users must always use credentials; they cannot access the administrative view without authenticating. |
Options:
Authentication with credentials
Authentication without credentials
Authentication via Microsoft Entra ID
Configuring Authentication via Microsoft Entra ID
Authentication with Microsoft Entra ID can be configured in two ways:
All users can authenticate using Microsoft Entra ID.
Administrative users can also access with their SMARTFENSE credentials.
Administrative users can log in with Microsoft Entra ID or with their SMARTFENSE credentials.
End users do not require credentials: they are identified by a unique ID included in the links they receive in SMARTFENSE notifications.
This mode prevents end users from proactive use of the platform (they only access assigned campaigns and cannot view or configure their profile).
Options:
Authentication via Microsoft Entra ID for both End Users and Administrative Users
Authentication via Microsoft Entra ID for Administrative Users only
| Note: EntraID configuration is available in the configuration instruction button. |
Authentication from Google
Configuration Data
To connect Google with SMARTFENSE, you must enter:
Client ID
Client Secret Key
You can view the instructions to obtain this data at: Importing Users from Google
| Note: the rest of the information is requested for User Synchronization |
Auth0 Settings
Log in to https://auth0.com/.
Click on New Client to create a new application.
Choose Single Page Web Applications and click Create.
-
In the Settings tab, configure:
Application name: SMARTFENSE
Copy the values of Domain, Client ID, and Client Secret
Enter these data into SMARTFENSE in the corresponding fields.
In Allowed Callback URLs, enter:
https://instancia.takesecurity.com/complete/auth0/Click Save Changes.
Okta Configuration
Access the Okta administration console.
Go to Applications > Applications and click Create App Integration.
-
Select:
OpenID Connect under Sign-in method
Web Application under Application type
Complete General Settings with a name and optionally a logo.
Under Grant Type, select Authorization Code.
Add Sign-in redirect URIs:
https://instancia.takesecurity.com/complete/okta-openidconnect/Add Sign-out redirect URIs:
https://instancia.takesecurity.com/disconnect/okta-openidconnect/Select the desired option under Assignments and click Save.
Copy Client ID and Client Secret and paste them into SMARTFENSE.
Additional Configuration for Access from the Okta Dashboard
In General settings, select Either Okta or App under Login initiated by.
Go to Security > API and click Add Authorization Server.
-
Configure:
Name: SMARTFENSE
Audience: api://default
Description: SMARTFENSE Server
Under Access Policies, create a new policy named SMARTFENSE Login.
-
Under Rules, create a rule that includes the scopes:
openid
profile
email
Return to Security > API, copy the Issuer URI, and place it in SMARTFENSE.
Keycloak Configuration
Log in to the Keycloak Administration Console and select the corresponding Realm.
Copy the realm name and paste it into SMARTFENSE in the Realm field.
Under Clients → Create, assign a Client ID (without spaces or special characters).
Save, copy the Client ID, and paste it into SMARTFENSE.
-
Under Clients → smartfense-client → Settings → Capability config, enable:
Client authentication
Authorization
Under Clients → smartfense-client → Credentials, choose Client Id and Secret and copy the Secret.
-
In Fine Grain OpenID Connect Configuration, set:
User Info Signed Response Algorithm: RS256
Request Object Signature Algorithm: RS256
In Valid Redirect URIs, add:
https://instancia.takesecurity.com/complete/keycloak/*In Valid Post Logout Redirect URIs, add:
https://instancia.takesecurity.com/disconnect/keycloak/*Under Client Scopes → smartfense-client-dedicated → Mappers → Create, create a mapper of type Audience.
In Realm Settings → Keys, copy the Public Key (RS256) and paste it into SMARTFENSE.
Fields to complete in SMARTFENSE:
Realm
Keycloak Domain
Client ID
Client Secret
Public Key
SAML 2.0 Configuration
Access the administration console of your Identity Provider (IdP) and create a new SAML 2.0 application.
-
Configure the following Service Provider (SMARTFENSE) data in your IdP:
Entity ID (SP): copy the value shown in the Entity ID (SP) field on this screen.
ACS URL (Assertion Consumer Service): copy the value shown in the ACS URL field on this screen.
Configure the Name ID format in your IdP. It is mandatory to use Email as the Name ID format so that the user identifier matches the email address registered in SMARTFENSE.
Make sure your IdP sends at least the email attribute in the SAML assertion. This attribute will be used to associate the user with their SMARTFENSE account.
From your IdP, obtain the following data and complete the corresponding fields on this screen:
IdP Entity ID: unique identifier of the identity provider (also known as Issuer).
Single Sign-On Service URL: URL of the IdP’s SAML login endpoint (HTTP-Redirect or HTTP-POST).X.509
Public Certificate: IdP certificate used to sign SAML assertions. Paste it in PEM format without the BEGIN/END CERTIFICATE lines.
Fields provided by SMARTFENSE: Service Provider Data
Configure the following data in your Identity Provider.
Entity ID (SP):
ACS URL:
Fields to complete in SMARTFENSE: Identity Provider Data
IdP Entity ID, example: https://idp.example.com/metadata
Single Sign-On Service URL, example: https://idp.example.com/sso/saml
IdP X.509 Public Certificate.
Important: Users who authenticate via SAML 2.0 must already exist in SMARTFENSE with the same email address configured in the IdP. The platform does not automatically create users from SSO. |
💡 Best Practices
Choose the authentication method according to the organization's identity structure.
For SSO integrations, always verify the callback URLs before saving.
Keep keys (Client Secret, Public Key, etc.) in a secure repository.
Periodically review synchronizations (Google, Okta, Keycloak) to ensure consistency between directories.