Authentication & SSO
Asset Information Centre supports multiple authentication methods configured under Settings → Authentication.
Email / password
Enabled by default via Firebase Authentication. Users log in at /login.
Password reset flow:
- /forgot-password: request a password reset email
- /auth/action: handle Firebase action links
Single sign-on (SSO)
Configure in Settings → Authentication:
| Provider | Configuration fields |
|---|---|
| | Client ID, enabled toggle |
| Microsoft | Client ID, tenant ID, enabled toggle |
| OpenID Connect | Provider ID, client ID, issuer URL |
Settings stored in Firestore: settings/auth
After enabling a provider, add the OAuth redirect URI from Firebase Console to your IdP configuration.
Multi-factor authentication (MFA)
Settings → Security → MFA Enrollment
- TOTP-based (compatible with Google Authenticator, Authy)
- Enforced per user via the userMfa/{uid} collection
- Login flow redirects to MFA verification when enabled
Passkeys (WebAuthn)
- Register passkeys from user profile / security settings
- Stored in passkeyCredentials and userPasskeys/{uid}/items
- Passwordless login supported when a passkey is registered
Requires HTTPS (or localhost for development).
Portal access flag
Users with portalAccess: "No" in their Firestore profile are blocked at login even with valid credentials.
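The order in which the portal access flag and the MFA redirect above are applied matters: a blocked account should be rejected before it is ever prompted for a second factor. The following is an added illustration, not the Asset Information Centre's own login code, written as a pure post-authentication gate over plain objects standing in for the user's Firestore profile and the userMfa/{uid} document. The function name, the assumed `enabled` field on the MFA document, the route strings, the fail-closed handling of a missing profile, and the whitespace/case normalisation of the flag are all assumptions.

```javascript
// Added example (not the project's own code): post-authentication gate that
// applies the checks described on this page after Firebase has verified the
// credential. Inputs are plain objects standing in for Firestore documents.
//
// Assumed shapes:
//   profile : { portalAccess: "Yes" | "No", ... }   (user's Firestore profile)
//   mfaDoc  : { enabled: boolean }                   (userMfa/{uid}; null if absent)

/**
 * Decide whether an authenticated user may proceed and where they go next.
 * Returns { allowed, route, reason } so the caller can log the reason to the
 * audit trail before redirecting.
 */
function resolvePostLoginRoute(profile, mfaDoc) {
  // Assumption: no profile document at all fails closed. The page only states
  // that an explicit "No" blocks; treating a missing record as "not yet
  // provisioned" avoids granting access to an account nobody has reviewed.
  if (profile === null || profile === undefined) {
    return { allowed: false, route: "/login", reason: "profile_missing" };
  }

  // 1. Portal access flag: an explicit "No" blocks even valid credentials.
  //    Normalising whitespace and case is an assumption, added so a value
  //    such as " no " entered by hand cannot slip past the check.
  const flag = String(profile.portalAccess ?? "").trim().toLowerCase();
  if (flag === "no") {
    return { allowed: false, route: "/login", reason: "portal_access_denied" };
  }

  // 2. MFA enforcement: when userMfa/{uid} marks the user as enrolled/enabled,
  //    the login flow redirects to verification instead of the app.
  if (mfaDoc && mfaDoc.enabled === true) {
    return { allowed: true, route: "/mfa/verify", reason: "mfa_required" };
  }

  // 3. Otherwise the session proceeds to the application.
  return { allowed: true, route: "/", reason: "ok" };
}

// Constructed sample profiles for a stand-alone run.
const samples = [
  [{ portalAccess: "No" }, null],
  [{ portalAccess: "Yes" }, { enabled: true }],
  [{ portalAccess: "Yes" }, null],
  [null, null],
];
for (const [profile, mfaDoc] of samples) {
  console.log(JSON.stringify(profile), "->", JSON.stringify(resolvePostLoginRoute(profile, mfaDoc)));
}
```

The `reason` field is what a logout or login-denied audit entry should carry; routing decisions are far easier to investigate afterwards when the denial cause is recorded rather than inferred from the route.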
Session behaviour
- Firebase Auth manages session tokens
- Session timeout configurable in Settings → Security
- Logout writes an audit log entry
Auth email templates
Settings → Authentication → Email templates
Customize password reset and notification email content stored in settings/authEmailTemplates.
First user bootstrap
There is no self-registration to Super Admin. The first Super Admin must be created manually in Firebase Console + Firestore. Subsequent users are created by administrators under Employees.