Account Security

In this article, you'll learn about the tools and features that ensure your account security.

Contents

1. How does it work?
2. Multi-Factor Authentication (MFA)
3. Password Change
4. Account Activity Logs
5. Notifications
6. SAML Authentication

How does it work?

Account security can be managed in two places within the Voucherify Dashboard.

1. To manage your security settings, go to My Profile, and choose the Security tab.

2. As an administrator, you can also manage security in the Team Settings drop down option and enforce security settings for all account users in the Security tab.

Multi-Factor Authentication

The Account Owner can enforce Two-factor Authentication for logging into the Voucherify account. As a result, each logging attempt requires two forms of authentication. Voucherify supports text messages, Google Authenticator, and back-up codes as a second identification mechanism. Go here to learn more.

Password Change

To change your Voucherify password, go to My Profile and choose the Security tab. Click Change password.

Provide the current and new passwords. When ready, confirm with Change password. 

You are going to receive an email notification each time a password change is performed.

Account Activity Logs

To gain valuable insights into account activity, you may also monitor the account security logs. They are found under My Profile > Security tab.

Project logs

For more information about activity within a particular project, visit the Audit Log section in your Dashboard. The Audit Log presents detailed information on every interaction with the Voucherify API made within your project. It enables you to track requests coming from all origins including account users and customer's requests. Each log provides the request the was sent, the API response, and details including its status including information about related objects (campaign, order, and more). Read more. 

Notifications

Two types of notifications are displayed for the user.

• Project specific notifications - the settings for these are customizable (more details below)
• Account specific notifications - related to your subscription updates like trial expiration, credit card, etc.

Notifications are displayed in the Dashboard in two locations.

• Unread notifications - In the upper right section of the Dashboard, Click the bell icon

• Read and unread notifications - Click the bell icon, then click Go to Notification Center

Keep on reading below for more details on the Notification Center. 

Unread notifications

To access the unread notifications, click the bell icon.

You can Mark all as read, Reload to refresh the notifications, and Load more to display more unread notifications.

Here, the notifications are divided between three tabs:

• The Notifications tab lists notifications about your project.

  

  To display all your notifications, click  Go to Notification Center. You may need to scroll down to see this option displayed.

• The Account Notifications tab lists notifications related to account activity such as the start of a paid subscription or problems with processing a payment with a payment card.

  

  To display all account notifications, click on Go to Notification Center. You may need to scroll down to see this option displayed.

• The Background Tasks tab lists all processes that are currently running in the background, such as importing vouchers to a campaign or deleting a campaign to name a few.

  

  To display all background tasks, click on Go to whole list. To display the details for a given task, click Details. Read more here about background tasks.

Personalize notifications

You can personalize the notifications in two ways depending on the type of notifications you would like to customize. Click on the notification bell, choose either the Notifications or Account Notifications tab, click on  Go to Notification Center. Then choose either the Personal Settings or Account Settings tab.

Project specific notifications

You can customize project-specific notifications and decide what events should trigger notification via email or in-app message. Project-specific notifications are customizable and visible per user. Every user can configure which notifications to display for the current project.

In the Notification Center, click the  Personal Settings tab to personalize your project notifications. 

Next to each notification type, there is a drop down arrow Show details. Here you can turn the in-app and email notifications on/off using the toggle switch.

API Usage notifications

To enable new notifications, navigate to the Notifications Center > Account Settings and follow the steps below:

1. Click Show details next to the notifications you'd like to activate.
2. Define the % usage limit that triggers the notification.
3. Click Add email to define a receiver email address.
4. Confirm with Save.

SAML Authentication ^{Enterprise feature}

SAML (Security Assertion Markup Language) ensures easy and centralized access management to your business applications and resources. Voucherify enables account administrators to connect a custom SAML application and use it instead of the standard authentication process while logging in. As a result, your users can log into the Voucherify account using a single sign-on authentication process.

How to login using SAML

You should login by clicking on the application within your Identity Provider dashboard.

As a fallback, you can try navigating to your dedicated cluster, i.e. https://CLUSTER.app.voucherify.io/#/login/saml, or to https://app.voucherify.io/#/login/saml and entering your email address.

How to turn on SAML

The account administrator can enable and enforce SAML Authentication in the Team Settings > Security tab. 

Prerequisites

To connect the custom SAML application with Voucherify, you will need:

• Identity Provider EntryEndpoint URL (1) – in this field, provide the SAML URL where the identity provider sends the authentication token. 
• Identity Provider certificate (2) – electronic document copied from the identity provider settings and used to prove the ownership of a public key.

Optional configuration details:

• Provider Name (3) – the name of your identity provider, e.g., OneLogin, Auth0.
• Issuer (4) – stands for the EntityID (unique identifier) of the service provider. 
• Audience (5) – a value within the SAML assertion that specifies who (and who only) the assertion is intended for. The audience represents the service provider, usually by using a URL address that is validated when the request is received.

Encrypt SAML requests

To increase the security of your transactions, you can sign or encrypt both requests and responses in the SAML protocol:

• Sign SAML-Requests – add the private tenant key to sign SAML requests. You can also provide your own private/public key pair to sign requests from a specific connection.
• Decrypt SAML-Response – by default, the identity provider uses the private/public key pair assigned to your tenant to sign SAML responses or assertions. In the case of very specific scenarios, you might wish to provide your own key pair.

Recommended identity providers:

• Auth0
• OneLogin
• Okta
• AWS IAM

Auth0 Configuration

This tutorial shows the required steps to connect to the Auth0 Identity Provider.

Refer to the Auth0 documentation for more details here.

After logging into your Auth0 account, go through the following steps:

1. Go to Applications in the sidebar and click Create Application.



2. Enter the name, select the type of application (Regular Web Application), and click Create.

   

3. Make sure you are within the application you want to configure and scroll to the bottom of the Settings page and click Advanced Settings.

   

4. Choose the Endpoints tab and scroll down to the SAML section, and copy the SAML Protocol URL.



5. Log into your Voucherify account and go to Team Settings > Security tab. Enable the SAML Authentication and paste the copied URL in the Identity Provider EntryPoint URL field. 



You can also enforce SAML authentication within your Voucherify account. As a result, each user has to log in using a connected identity provider. 



Enforce

Turn on on Enforce only after first enabling SAML and verifying that it works properly.

6. Go back go to Auth0 and switch to the Certificates tab. Copy the Signing Certificate.

   

7. Go to Voucherify and click the Add certificate button.

8. 

   Paste the copied identity provider certificate and confirm with Save.

9. 

   Click Save to confirm SAML configuration.

10. 

    In response, you should see the Callback URL. Copy the link and go back to Auth0.

    

11. Go to the Settings in Auth0 and scroll down to the Application Login URIs section. Paste the copied callback URL in the Allowed Callback URLs field. Click Save Changes to confirm.

12. 

    Scroll up the page and go to the Addons tab, then click on the SAML2 Web App.

13. 

    In the Settings tab, after reviewing the details, scroll down and click Enable. Next, confirm your changes with Save.

    

You can now use the SAML Authentication to log into the Voucherify app using Auth0 as an identity provider. To log in, use the callback URL from Voucherify Team Settings > Security tab. 

OneLogin Configuration

This tutorial shows the required steps to connect OneLogin Identity Provider.

After logging into your OneLogin account, go through the following steps:

1. Go to the Applications tab and choose Add app button in the top right corner.

   

2. Use the search bar to browse SAML Custom Connector (Advanced) and click on its name to add the app.

   

3. You can define optional connector's details like name, icon, and description. Click Save and go to the Configuration tab.

4. Change  SAML encryption method to AES-128-CBC and confirm with Save. 

5. Go to the  SSO tab. Copy the  SAML 2.0 Endpoint (HTTP). 

6. Log into your Voucherify account, go to the Team Settings >  Security tab and enable the SAML Authentication. Paste the copied URL in the Identity Provider EntryPoint URL field. 

   You can also enforce SAML authentication within your Voucherify account. As a result, each user has to log in using a connected identity provider. 

   

   Enforce

   Turn on on Enforce only after first enabling SAML and verifying that it works properly.

7. Go back to OneLogin and click View Details below the Certificate.

8. Copy the X.509 Certificate.

9. Go back to Voucherify and click the Add Certificate button. Paste the copied certificate and confirm with Save.

10. Confirm SAML configuration with Save. In response, Voucherify shows you a Callback URL. Copy the URL and go back to the Configuration tab in OneLogin. 

11. Paste copied URL to  ACS (Consumer) URL field. Confirm with Save.

You can now use the SAML Authentication to log into the Voucherify app using OneLogin as an identity provider. To log in, use the callback URL from Voucherify Team Settings > Security tab.

Okta

This tutorial shows the required steps to connect to the Okta Identity Provider.

Refer to the Okta documentation for more details here.

After logging into your Okta account, go through the following steps:

1. Go to Applications in the sidebar and click Create App Integration.

   

2. Choose the SAML 2.0 sign-in method. Click Next.
3. In the General Settings step, input the application's name and, optionally, Voucherify’s logo. Click Next.

   

4. In the Configure SAML step, provide the following data to configure the integration.
   • Single sign on URL: You need to provide a dummy value to the Single Sign-On URL field at this point. This is because OKTA generates the Provider SSO URL after defining the application. The sign-on URL will be created in Voucherify based on the OKTA certificate and the Identity Provider Single Sign-On URL. We'll come back to substitute the dummy value at the end of the configuration (more on this in the steps below).
   • Audience URI (SP Entity ID): MUST be the same as the Audience in Voucherify. We define the Audience in Voucherify in this step.
   • Name ID format: MUST be set to EmailAddress.
   • Application username: MUST be set to Email.

   

5. Click Next. Provide feedback and click Finish to save the App Integration. You should be immediately redirected to the Settings tab for the application.
6. In the Settings tab, scroll down to the SAML Signing Certificates section, and click on View SAML setup instructions (located to the right).

   

7. Copy the Identity Provider Single Sign-On URL.

   

8. Log into your Voucherify account and go to Team Settings > Security tab. Enable the SAML Authentication and place the copied URL in the Identity Provider EntryPoint URL field.

   

   You can also enforce SAML authentication within your Voucherify account. As a result, each user has to log in using a connected identity provider. 

   

   Enforce

   Turn on on Enforce only after first enabling SAML and verifying that it works properly.

9. Go back to Okta and copy the X.509 Certificate.

   

10. Go to Voucherify and click the Add certificate button.

11. 

    Paste the copied identity provider certificate and confirm with Save.

    

12. In the Audience field, enter the same audience name as you have entered in the Audience URI (SP Entity ID) field while configuring the integration in Okta.

    

13. Click Save to confirm SAML configuration.

    

14. In response, Voucherify shows you a  Callback URL. Copy the URL and go back to the General tab in Okta.

    

15. Scroll down to the SAML Settings section and click Edit.

    

16. Click Next and paste the copied Callback URL from Voucherify into the Single sign on URL field in Okta. Click Next and Finish. 

    

17. Assign users to your newly created application by adding them in the Assignments tab in Okta.

You can now use the SAML Authentication to log into the Voucherify app using Okta as an identity provider. To log in, use the callback URL from Voucherify Team Settings > Security tab.