You can add authentication requirements to your sites to protect sensitive content.
Zoomforth provides a number of ways to restrict access to private sites, including email authentication, password authentication, multi-factor, and SAML identification to authenticate with existing internal corporate networks.
Watch the video below, or continue reading this article to better understand the implications of these privacy settings and how to control access to your sites:
Sections In This Article
- Public Sites
- Private Site using a Password
- Private Site using Approved Emails
- Private Site using Multi-Factor
- Private Site with SAML
A public site can be viewed by anyone once it has been published. This means that if you share a link with a specific person, and they pass the link on to a third person, that third person will be able to view your site.
To see if your site is public goto the Visitor Access tab in the Site Details View.
If "Public" is selected, the site can be accessed by anyone. You have the option of disabling search engines from crawling sites whose authentication is set to 'public.'
Private Site using a Password
A site with Password Authentication will allow the site to be viewed by anyone who enters the correct password.
To make a site use password authentication, select that choice in the Visitor Access tab. The first time you select this for each site, you will need to choose a password. You can then choose to view or change the site's password.
Setting a password, either for the first time or changing it once it has been set:
Once a password is set, you can choose to view it or change it
Viewing the password allows you to copy it to send to people
When a password for a site is changed, any old site passwords will no longer work. If people have an older site password, and they need access, they will have to have the new password sent to them.
Although a password does provide a layer of security, it is not recommended for protecting very sensitive content. Because the password needs to be communicated to the viewer, there is a risk that it could get passed along to other parties. For high-security sites, Zoomforth recommends Email Authentication.
Private Site using Approved Emails
A site with Approved Emails authentication will only allow visitors to view a site after they confirm that they have access to an email or domain that you have explicitly allowed.
To make a site use Approved Emails authentication, select that option from among the other choices in the tab.
Initially, only other users in your Zoomforth account will be able to visit the site.
To allow specific people outside of your Zoomforth account to have access you must specify additional users by adding their email address or their email address' domain.
Multiple emails can be added at the same time, by adding a comma between each email.
You can tick the Send Invitations box so that users will receive an email notification with a link to view the site.
You can also allow any email from an entire domain.
What does the visitor experience?
If a site is using email authentication, then whenever anyone visits it they will be presented with a screen that asks for their email. When they enter their email, if they are on the list they will receive an email that gives them a temporary and secure link to visit the site. This link is cryptographically secure and expires after 24 hours of not being used. If they aren't on the list, they will not be permitted to view the site.
If the Send Invitation box was ticked when adding the user's email address, they will receive the following notification via email:
The subject will be "You have been invited to view a site" and the "From" field will be your domain. When they click "View Site", they will be taken to the site, which will now load for them.
Once a viewer has visited a site on their computer using email authentication, they will not need to go through this process again unless they clear the cookies in their browser, or until the cookies have expired (which occurs 6-7 days after their last site visit).
To remove someone's permission to view a site, you can simply remove their email address from the list of approved email addresses.
Private Site with Multi-Factor
A site with Multi-Factor authentication will only allow visitors to view a site after they confirm that they have access to an email or domain that you have explicitly allowed AND after entering the code from the enrolled device.
For more information about MFA, you can check Understanding Multifactor Authentication (MFA)
Private Site with SAML
Enterprise customers may integrate their Zoomforth account with SAML. SAML allows employees to access private sites that were shared with the company network and can be used to grant Zoomforth users Single Sign-On.
SAML is an industry-standard, XML-based, open data format for exchanging authentication and authorization data between parties.
How does it work?
To set a site to use SAML for authentication, select that choice from the site privacy tab for that site:
In order to see this option, the account you are using will need to have SAML configured with a Single Sign-on portal.
Once SAML is selected for a site then whenever a visitor visits it, then if they are already logged in to their Single Sign-on account, they will be able to directly access the site. Otherwise, they will be redirected to the Single Sign-on portal. Once they have logged in there, they will be redirected back to the site.
Unless the visitor can successfully log into the SSO portal, they will not be able to visit the site.
As an example, we use Google Apps here at Zoomforth as a SSO portal for our SAML integration, so when we visit SAML protected sites from within our account, this is what we see:
Once we fill that in, we are redirected back to the site.
If you do not have a SAML login option and would like to add one and allow for Single Sign-on integration via SAML with Zoomforth, please contact us at email@example.com.
Do visitors need to log in each time?
Once a visitor has authenticated using one of the above methods, they don't need to do it again for that site (unless they access the site from a different computer). They should be able to reload the site, for example, and the site should reload without demanding authorization again.
Some browsers are set to handle cookies differently -- maximum security settings on IE, for example, will not even accept cookies for domains that have not been explicitly allowed. This means that with those high-security settings, some viewers of a private Zoomforth site will not be remembered between sessions, because we have no way of keeping track of them due to their browser settings.
So in general, for the vast majority of viewers, Zoomforth will automatically recognize viewers who have already authenticated. For some users, their cookie settings may be very strict, and they will need to re-authenticate each time.