Authentication & SSO

Asset Information Centre supports multiple authentication methods configured under Settings → Authentication.

Email / password

Enabled by default via Firebase Authentication. Users log in at /login.

Password reset flow:

  • /forgot-password — request reset email
  • /auth/action — handle Firebase action links

Single sign-on (SSO)

Configure in Settings → Authentication:

Provider         Configuration fields
Google           Client ID, enabled toggle
Microsoft        Client ID, tenant ID, enabled toggle
OpenID Connect   Provider ID, client ID, issuer URL

Settings stored in Firestore: settings/auth

After enabling a provider, add the OAuth redirect URI from Firebase Console to your IdP configuration.

Multi-factor authentication (MFA)

Settings → Security → MFA Enrollment

  • TOTP-based (compatible with Google Authenticator, Authy)
  • Enforced per user via userMfa/{uid} collection
  • Login flow redirects to MFA verification when enabled

Passkeys (WebAuthn)

  • Register passkeys from user profile / security settings
  • Stored in passkeyCredentials and userPasskeys/{uid}/items
  • Passwordless login supported when passkey is registered

Requires HTTPS (or localhost for development).

Portal access flag

Users with portalAccess: "No" in their Firestore profile are blocked at login even with valid credentials.

Session behaviour

  • Firebase Auth manages session tokens
  • Session timeout configurable in Settings → Security
  • Logout writes an audit log entry

Auth email templates

Settings → Authentication → Email templates

Customize password reset and notification email content stored in settings/authEmailTemplates.

First user bootstrap

There is no self-registration to Super Admin. The first Super Admin must be created manually in Firebase Console + Firestore. Subsequent users are created by administrators under Employees.