Authentication
N-Hub uses OpenID Connect (OIDC) for all user authentication, powered by a dedicated identity provider.
Authentication Methods
Federated Identity (Recommended)
If your organization uses Microsoft Entra ID (Azure AD) or Google Workspace, your users can sign in with their existing corporate credentials. No separate passwords to manage.
Setup: See Azure AD Setup for configuration instructions.
Local Accounts
For organizations without a corporate identity provider, local user accounts can be created in the platform's identity system. Users authenticate with email and password, with optional multi-factor authentication.
How Sign-In Works

```mermaid
sequenceDiagram
    participant User
    participant Portal
    participant IdP as Identity Provider
    participant Corp as Corporate IdP<br/>(Azure AD / Google)
    User->>Portal: Click Sign In
    Portal->>IdP: Redirect to login
    alt Corporate SSO
        IdP->>Corp: Redirect to corporate login
        Corp-->>IdP: Authentication + user claims
    else Local Account
        IdP->>IdP: Email + password + optional MFA
    end
    IdP-->>Portal: OIDC token issued
    Portal-->>User: Authenticated session
```

- User clicks Sign In on the portal
- Redirected to the identity provider login page
- Chooses their identity provider (or enters local credentials)
- After authentication, an OIDC token is issued
- User is redirected back to the portal as an authenticated user
API Authentication
For programmatic access to the REST API:
Personal Access Tokens (PAT)
Personal access tokens are long-lived credentials for API access. Include the token in the Authorization header:
JWT (Machine-to-Machine)
For service-to-service integrations, the identity provider can issue JWTs via the OAuth 2.0 client credentials flow. Contact your administrator to set up a service account.
Session Authentication
Browser-based access through the portal uses session cookies. This is handled automatically when you sign in through the web interface.
User Roles
| Role | Description |
|---|---|
| Manager | Administrative access for your organization |
| Operator | View data, manage devices, run operational tasks |
| Viewer | Read-only access to data and dashboards |
Roles are assigned by your organization's administrator or during onboarding.
Security Features
- Multi-factor authentication (MFA) — can be enforced per organization
- Time-bound access — user accounts can have start and end dates
- Domain validation — only users from registered email domains can access the platform
- Session management — sessions expire after inactivity; forced logout available for administrators
Troubleshooting
Signup is closed
Your email domain hasn't been registered. Contact your administrator to add your domain.
User not found
Your user account hasn't been created in the identity system. Contact your administrator to create an account.
Can't access after login
You've authenticated but your account may not be assigned to an organization. Contact your administrator to verify your domain-to-enterprise mapping.
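
The sketch below is an added example, not N-Hub's own code: it models how the domain validation and time-bound access features could produce the three troubleshooting messages above. The `Account` shape, the order of the checks, the "Outside access window" label and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Account:  # hypothetical record shape, not N-Hub's schema
    email: str
    organization: Optional[str]        # None = no domain-to-enterprise mapping
    starts: Optional[datetime] = None  # time-bound access window (UTC)
    ends: Optional[datetime] = None

def email_domain(email: str) -> str:
    """Normalised domain after the last '@', or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""

def access_decision(email, registered_domains, accounts, now=None):
    """Return 'ok' or the reason access is refused."""
    now = now or datetime.now(timezone.utc)
    # Exact match only: a suffix test such as endswith("example.com")
    # would also accept "notexample.com".
    if email_domain(email) not in {d.lower() for d in registered_domains}:
        return "Signup is closed"
    account = accounts.get(email.strip().lower())
    if account is None:
        return "User not found"
    # Window is [starts, ends); all values are timezone-aware UTC.
    if (account.starts and now < account.starts) or (account.ends and now >= account.ends):
        return "Outside access window"  # constructed label, not from the page
    if account.organization is None:
        return "Can't access after login"
    return "ok"

# Constructed sample data.
UTC = timezone.utc
DOMAINS = ["example.com"]
ACCOUNTS = {
    "ana@example.com": Account("ana@example.com", "acme"),
    "temp@example.com": Account("temp@example.com", "acme",
                                ends=datetime(2024, 7, 1, tzinfo=UTC)),
    "new@example.com": Account("new@example.com", None),
}
NOW = datetime(2024, 8, 1, tzinfo=UTC)

if __name__ == "__main__":
    for e in ["Ana@Example.com", "ana@notexample.com", "bob@example.com",
              "temp@example.com", "new@example.com"]:
        print(e, "->", access_decision(e, DOMAINS, ACCOUNTS, NOW))
```
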