Enhanced Authentication System: What You Need to Know

We're going to be upgrading our authentication system to an industry-standard solution that enhances security, improves user experience, and ensures long-term reliability. This new system makes your login safer, easier, and ready for the future.

By adopting a widely recognized authentication framework, we ensure compliance with modern security requirements while delivering a smooth and secure experience.

The new authentication system will be introduced gradually. Since you'll need to make some changes to your authentication settings before the change, we recommend you start preparing now so that you're ready when the time comes.

Private cloud customers don't need to take any action at this time and will be provided with more information later.

What is changing?

The new authentication system update includes these changes:

  • New permanent login domain: When users access your platform and are not logged in, they will first be directed to auth.haiilo.app (EU Cloud) or auth-na.haiilo.app (US Cloud) to log in. After a successful login, they will be redirected back to your platform's domain. This updated login process applies to all Public Cloud users, whether they are on haiilo.app, coyocloud.com, or using a custom domain.
  • No session emails: Users won't receive email notifications when logging in on a new device anymore. However, they can still see their active sessions in their account settings.
  • Goodbye just-in-time sync for LDAP & AD: If you use an LDAP or Active Directory user directory with just-in-time sync enabled, it will no longer be available. Instead, users will be created during the scheduled job. If you haven't set up an automatic schedule for the user directory, please do so now. Learn more in User directory: Active Directory & LDAP. Please note that SAML JIT remains unaffected.

What does this mean for our users?

Good news! Your end users shouldn't notice any changes with this authentication update, apart from the login domain changing.

The main features of the login screen and login process stay the same, so the login experience remains familiar. While there may be slight visual updates to the login flow, all important elements like your company logo and colors will stay intact. 

Although we aim to keep changes minimal, we cannot guarantee that existing custom CSS will remain fully compatible. If you use custom CSS on the login screen, we recommend visiting <your-intranet-domain>/web/auth/v2/preview to review the new login screen and adjust your CSS customizations as needed.

What do I need to do?

To ensure a smooth update, you'll need to take some action:

  1. Whitelist the new domain: Ensure the new domain is accessible within your IT environment to prevent login issues. Ask your IT team to whitelist the domain for your entire workforce. You only need to whitelist the domain for the cloud that you are using:
    • Whitelist this domain if you're on the EU Cloud: auth.haiilo.app
    • Whitelist this domain if you're on the US Cloud: auth-na.haiilo.app
  2. Update authentication configuration: Depending on the authentication provider you're using in Haiilo, you'll also need to update your configuration within your Identity Provider (IdP). Jump to the section below that matches the authentication provider you use.
  3. Contact our Service Desk: After making your changes, submit a ticket to our Customer Support team and we'll complete an operation check to make sure all is functioning correctly and inform you of when your platform will be migrated to the new authentication system.

Changes to do: OpenID authentication provider

If you're using an OpenID Connect authentication provider to access your platform, you need to make the following configuration change: Add the new redirect URL to your IdP configuration in addition to the current one.

To ensure a seamless transition, update your IdP configuration to include the new redirect URL, and keep the current URL active as well. These are the steps involved:

  1. On Haiilo, go to Administration > Authentication.
  2. Edit your authentication provider configuration. If you use multiple OpenID authentication providers, you need to check each one individually.
  3. Scroll down to the bottom of the configuration.
  4. You'll see a new Important: Upcoming Authentication Change section. Please read the instructions carefully. You can also see them in the screenshot below.
  5. Copy the new redirect URL as is.
  6. Open your IdP and find the app registration for Haiilo. In Microsoft Entra ID, it would be as follows:
    1. In your app registration for Haiilo on Microsoft Entra ID, select Authentication in the menu.
    2. Select Add a platform > Web.
    3. Paste the copied redirect URL from Haiilo in the Redirect URIs field.
    4. Select Configure.
[Screenshot: authentication update instructions]

Changes to do: SAML authentication provider

If you're using a SAML authentication provider to access your platform, you need to make the following configuration changes: Add the new authentication endpoint URL to your IdP configuration in addition to the current one. The URL's name can vary from IdP to IdP; for instance, Microsoft calls it the Reply URL in their Entra ID configuration.

Additionally, if you are using global or federated logout, you need to add the new logout endpoint URL alongside the current one, and if you are using request signing, you need to add the new signing certificate in addition to the existing one.

To ensure a seamless transition, update your IdP configuration to include the new information, and keep the current information active as well. These are the steps involved for each change:

  1. On Haiilo, go to Administration > Authentication.
  2. Edit your authentication provider configuration. If you use multiple SAML authentication providers, you need to check each one individually.
  3. Scroll down to the bottom of the configuration.
  4. You'll see a new Important: Upcoming Authentication Change section. Please read the instructions carefully. You can also see them in the screenshot below. This section will be referenced as "Haiilo" in the following steps.

  5. Open your IdP and find the app for Haiilo. In Microsoft Entra ID, it would be as follows:
    1. In your app registration for Haiilo on Microsoft Entra ID, select Single sign-on in the menu.
    2. New authentication endpoint URL update:
      1. In Haiilo, copy the new authentication endpoint URL as is.
      2. In Entra ID, in the Basic SAML Configuration section, select Edit.
      3. Under Reply URL (Assertion Consumer Service URL), select Add reply URL.
      4. Paste the copied authentication endpoint URL from Haiilo in the Redirect URIs field.
      5. Select Save.
    3. Global/federated logout update (if in use):
      1. In Haiilo, copy the new logout endpoint URL as is.
      2. In Entra ID, in the Basic SAML Configuration section, select Edit.
      3. Scroll down to the Logout URL (Optional) section.
      4. Check if there is a previously set logout URL, as this one shouldn't be overwritten. If you already have a URL in place, please reach out to our Customer Support team for assistance. Do not paste the new URL in the field.
      5. If there is no current logout URL in the field, paste the logout endpoint URL from Haiilo into the Logout URL field.
      6. Select Save.
    4. Request signing update (if in use):
      1. In Haiilo, select the Request Signing tab. You'll see another info box and an additional signing certificate generated by Haiilo. Going forward, you won't need to provide your own certificates – auto-generated certificates will be used instead.
      2. Copy the certificate from Haiilo.
      3. Open a new file on your computer and paste the certificate into the file.
      4. Save the file with the .cer file name extension. Microsoft Entra ID will only allow adding a new certificate as a file upload with this extension.
      5. In Entra ID, in the SAML Certificates section next to Verification certificates (optional), select Edit.
      6. Select Upload certificate and select the file you created with the certificate.
      7. Select Save.
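
One way to sanity-check the copied URLs before saving them in the IdP, covering both the OpenID redirect URL steps and the SAML reply URL steps above. This is an added example, not Haiilo's code; it assumes the new URLs are served from the login domains named in this article, and the URL paths shown are constructed placeholders.

```python
from urllib.parse import urlsplit

# Login domains named in this article, keyed by cloud region.
LOGIN_HOSTS = {"eu": "auth.haiilo.app", "us": "auth-na.haiilo.app"}

# Constructed placeholders: the real values are shown in Administration > Authentication.
CURRENT_URL = "https://intranet.example.com/placeholder/current-callback"
NEW_URL = "https://auth.haiilo.app/placeholder/new-callback"


def check_new_url(url, cloud):
    """Return reasons not to register a copied URL (empty list means OK)."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace (not copied as is)")
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username or parts.password:
        problems.append("userinfo before '@' in URL")
    # Exact host match: suffix or substring checks would accept look-alike hosts.
    # Assumption: the new URL lives on the login domain for your cloud.
    if parts.hostname != LOGIN_HOSTS[cloud]:
        problems.append("host is not " + LOGIN_HOSTS[cloud])
    if "*" in url:
        problems.append("wildcard in URL")
    return problems


def audit_registration(registered, current, new, cloud):
    """Check the IdP's redirect/reply URL list for the transition state."""
    findings = ["new URL: " + p for p in check_new_url(new, cloud)]
    if current not in registered:
        findings.append("current URL missing: keep it active during the transition")
    if new not in registered:
        findings.append("new URL missing: add it alongside the current one")
    return findings


if __name__ == "__main__":
    for finding in audit_registration([CURRENT_URL], CURRENT_URL, NEW_URL, "eu"):
        print(finding)
```

Pass the list of redirect or reply URLs currently registered in your IdP as `registered`; an empty result means both URLs are present and the new one points at the expected login domain.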
