Identity

Updated July 2026

Set up secure workspace access.

Email/password users verify with an authenticator. Teams can add SAML SSO, session limits, and directory provisioning.

01

How sign-in works

Email and passwordEvery user must verify a six-digit code from an authenticator app before entering the product.
Company SSOA configured SAML identity provider can handle sign-in for an allowed company domain. Enforce MFA in the identity provider; Embrasure does not add a second authenticator prompt to an SSO session.
Session lengthWorkspace admins choose a maximum lifetime measured from the original sign-in. It is not an inactivity timer.

02

Rollout order

  • Create the workspace and enroll the owner’s authenticator when prompted.
  • Invite a second administrator and confirm that both administrators can sign in before changing company-wide controls.
  • Open Settings, Admin, then Sign-in. Add the company email domains and choose the maximum session length.
  • If using SSO, enforce MFA at the identity provider. Register it in Embrasure but leave Require SSO off for the first test.
  • Enable Require SSO only after the test passes. Keep an existing admin browser open so a bad provider configuration can be corrected.
  • Use Google Workspace directory sync or SCIM to manage membership. Start with a small pilot group.

SSO controls sign-in; directory sync and SCIM control membership and roles. See the SCIM guide for provisioning details.

03

Authenticator setup and recovery

After signing in, open Settings → Account security and add a backup authenticator on a separate device or in a password manager. Embrasure prevents removal of the last verified authenticator.

If every authenticator is lost, contact support@embrasure.ai. Recovery requires account-ownership verification and signs out existing sessions.