Identity
Updated July 2026
Set up secure workspace access.
Email/password users verify with an authenticator. Teams can add SAML SSO, session limits, and directory provisioning.
01
How sign-in works
| Email and password | Every user must verify a six-digit code from an authenticator app before entering the product. |
|---|---|
| Company SSO | A configured SAML identity provider can handle sign-in for an allowed company domain. Enforce MFA in the identity provider; Embrasure does not add a second authenticator prompt to an SSO session. |
| Session length | Workspace admins choose a maximum lifetime measured from the original sign-in. It is not an inactivity timer. |
02
Rollout order
- Create the workspace and enroll the owner’s authenticator when prompted.
- Invite a second administrator and confirm that both administrators can sign in before changing company-wide controls.
- Open Settings, Admin, then Sign-in. Add the company email domains and choose the maximum session length.
- If using SSO, enforce MFA at the identity provider. Register it in Embrasure but leave Require SSO off for the first test.
- Enable Require SSO only after the test passes. Keep an existing admin browser open so a bad provider configuration can be corrected.
- Use Google Workspace directory sync or SCIM to manage membership. Start with a small pilot group.
SSO controls sign-in; directory sync and SCIM control membership and roles. See the SCIM guide for provisioning details.
03
Authenticator setup and recovery
After signing in, open Settings → Account security and add a backup authenticator on a separate device or in a password manager. Embrasure prevents removal of the last verified authenticator.
If every authenticator is lost, contact support@embrasure.ai. Recovery requires account-ownership verification and signs out existing sessions.