User authentication

Users gain access to a Platform tenant when an administrator creates a User record for them. The record includes a user name, which must be unique for the tenant, and an email address. Platform sends a welcome email to that address. In case of public cloud, the mail contains a temporary password that the system generates. This password must be changed during the first login. Neither the administrator nor Platform personnel have access to user passwords. In case of private cloud, the email has an account activation link.

Note: The tenant level Turn off Welcome Email preference must be unset to receive welcome emails. See Configuring Administrative Preferences for more information. By Default, a user with No Access role will not receive a welcome email.

If you do not want to send a welcome email immediately after creating a user, you can do so by adding the Send Welcome Email checkbox to the create user page and unselecting it (by default, selected). After you make the required user settings, you can edit a user record and select the Send Welcome Email checkbox (by default, unselected) to send a welcome email.

Note:

In a user record list view, the group actions menu offers options for sending welcome emails to selected users. Even if selected, users with role as No Access will not receive a welcome email.
Alternatively, you can send a welcome email to a user by selecting Send Welcome Email option from the More Actions menu of a user record view page. The Send Welcome Email option will not be seen for a user with role as No Access.

When a user logs in, Platform issues a session cookie to record encrypted authentication information for the duration of a specific session. The session cookie does not include the user's password. Platform does not use cookies to store other confidential user and session information, but instead implements more advanced security methods based on dynamic data and encoded session IDs. Additionally, Platform implements HTTPOnly cookies that direct browsers to expose the cookie only to HTTP and HTTPS requests.

A user can have only one Platform session open at a time. If a user logs in again in a different browser, Platform terminates any previously opened Platform sessions (the only exception to this is API sessions).

Both Hosted Platform and Platform Private Cloud include the following authentication features:

A user can reset a forgotten password.
You can limit user logins to a configured set of IP addresses.

Platform Private Cloud allows you to configure the authentication method and several other aspects of user authentication. For more information, see Private Cloud security and access control.