Authentication Setup Guide¶
Guidance¶
The members you invite to use the GenStudio workspace need to authenticate themselves when they initially sign up and when they later sign in. You can choose one or more allowed methods that are consistent with the way users normally identify themselves in your organization. Enterprise Single Sign On (SSO) methods are available in advanced plans.
On the Security page you can enable any combination of four sign-in methods — Email & Password, Google, Microsoft, and Passkey. At least one method must remain enabled at all times.
Google Authentication¶
If your organization has assigned IDs to your team such as Jane.Doe@yourcompany.com then you should use one (and just one) of our SSO methods. If your organization is a Google Workspace user then choose “Google” as an allowed authentication method.
Microsoft Authentication¶
Choose “Microsoft” if your organization uses Microsoft’s enterprise Azure AD (Active Directory) authentication service (now being renamed Microsoft Entra ID). This usually applies to business or academic deployments of Microsoft oriented SSO. Do not confuse this with the Microsoft individual consumer authentication method called “Microsoft Account” assigned to individuals when they sign up for Outlook.com, Microsoft 365, Xbox, etc.
With Azure Active Directory, Microsoft provides the identity platform as a service but you can modify some of the configuration and settings, such as adding your own custom domain name (to get @yourcompany.com) or requiring multi-factor authentication. Your Azure Active Directory instance is available via the Azure Portal and other management tools like PowerShell, the Azure CLI and the REST API.
Passkey Authentication¶
A passkey lets members sign in without a password, using the same device unlock they already rely on — a fingerprint, face scan, screen-lock PIN, or a hardware security key. Passkeys are built on the WebAuthn standard and are resistant to phishing and password reuse. Enable Passkey to let members register a passkey and use it to sign in, and members can manage their registered passkeys from their own security settings. Passkey can be offered on its own or alongside your other allowed methods.
Pick One SSO¶
If yours is a Google workspace shop, pick Google authentication. If yours is a Microsoft identity service shop, pick Microsoft. This is the “Single” in SSO. It is the way you would primarily want members to sign in and sign up.
Alternate Authentication¶
If you do not have any single source of identity, or use a method we do not support (contact us and let us know) then you might choose multiple methods or all methods for authentication. Or if members will join your GenStudio workspace who are not part of your regular organization you will need to choose alternative authentication methods for them to use.
Generally, if your organization uses Microsoft Azure AD, you might choose email or email and Google as supported authentication. If your organization uses Google authentication, you might add email to allowed options.
One downside to allowing alternative authentication methods is that some of your organization members might become confused and try to sign in with an alternative method. You might find it easier to manage allowing only your primary authentication method and providing identities (email addresses) to outside users you invite to your workspace.
TL;DR
- Email & Password: Useful for 3rd party users or for heterogeneous teams.
- Microsoft: The primary choice for organizations with enterprise Microsoft (Azure AD / Entra ID) authentication.
- Google: Useful for 3rd party users, heterogeneous teams, or organizations using Google Workspace.
- Passkey: Passwordless, phishing-resistant sign-in using a device unlock or security key.