Sign-in options
Each tenant decides how its members sign in. Ember’s identity layer is provider-agnostic, so you are not tied to any single vendor. You configure one or more sign-in methods, and your members use whichever you enable.
Available methods
- Email and password. The default. Members set a password and can reset it by email.
- Google. Members sign in with their Google account.
- Apple. Members sign in with their Apple ID.
- Generic OpenID Connect. Connect any standards-compliant OIDC provider, which covers most school identity systems.
SAML support is planned for a later release. If your institution requires SAML, tell us during setup so we can advise on timing.
Configure a method
- Open the Admin area and choose Sign-in.
- Select Add method and pick the provider.
- Enter the provider’s details. For OIDC this includes the issuer URL, client ID, and client secret.
- Save. Ember stores your client secret encrypted at rest.
How external identities link to accounts
The first time a member signs in through an external provider such as Google, Ember links that verified identity to their tenant account. After that first link, sign-in is automatic. Ember never links identities silently before that first verified sign-in, which prevents account takeover through an unverified email match.
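The linking rule described above, as an added Python example; it is not Ember's own code. It assumes standard OIDC ID token claims (`iss`, `sub`, `email`, `email_verified`) from a token whose signature has already been validated, and that the first link is matched on the provider-verified email; `Tenant`, `resolve_sign_in` and the sample values are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Tenant:
    # Constructed in-memory stand-ins for one tenant's account and link tables.
    accounts_by_email: dict[str, str]                                 # email -> account id
    links: dict[tuple[str, str], str] = field(default_factory=dict)  # (iss, sub) -> account id

def resolve_sign_in(tenant: Tenant, claims: dict) -> tuple[str, str | None]:
    """Decide the outcome for an ID token whose signature is already validated."""
    iss, sub = claims.get("iss"), claims.get("sub")
    if not iss or not sub:
        return ("reject_malformed", None)
    key = (iss, sub)
    # Returning member: the stable (iss, sub) pair decides, never the email claim.
    if key in tenant.links:
        return ("signed_in", tenant.links[key])
    # First sign-in: only an email the provider marks verified may be matched.
    if claims.get("email_verified") is not True:
        return ("reject_unverified_email", None)
    email = (claims.get("email") or "").strip().lower()
    account = tenant.accounts_by_email.get(email)
    if account is None:
        return ("no_matching_account", None)
    tenant.links[key] = account
    return ("linked", account)

def demo() -> list[tuple[str, str | None]]:
    iss = "https://idp.example.edu"  # constructed issuer
    tenant = Tenant(accounts_by_email={"ana@example.edu": "acct-1"})
    tokens = [  # constructed claim sets
        {"iss": iss, "sub": "u-999", "email": "ana@example.edu", "email_verified": False},
        {"iss": iss, "sub": "u-123", "email": "Ana@example.edu", "email_verified": True},
        {"iss": iss, "sub": "u-123", "email": "renamed@example.edu"},
        {"iss": iss, "sub": "u-999", "email": "ana@example.edu"},
    ]
    return [resolve_sign_in(tenant, t) for t in tokens]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The third token shows why the link is keyed on `(iss, sub)`: once linked, a changed or missing email claim does not affect which account the member reaches.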
Security notes
Client secrets are encrypted at rest using a quantum-resistant symmetric cipher. Members of your tenant cannot use their credentials to access any other tenant or the public commons. Access within the tenant is governed entirely by permissions, so you control exactly what each role can do.