Nuxeo Online Services is being improved to enhance security. This page details what will happen, when, how you could be impacted and how to prepare for the change.
Authenticating Against Nuxeo Online Services
From your Browser - What Changes?
- To access Nuxeo Online Services, you need to enter your email address instead of your username on the login page. If you registered for a trial using Google, use the login with Google button.
- The URL for the login page has changed to https://auth.nuxeo.com (instead of https://sso.nuxeo.com). If you cannot access it, check with your system administrator that the URL is whitelisted.
- Multi-factor authentication is enforced. The multi-factor authentication section on this page provides further details.
From the Command Line - What Changes?
The change affects you when you use our APIs, for instance in the following cases:
- Registering an instance using nuxeoctl
- Mirroring artifacts using Nexus
- Triggering a Studio project release through the Nuxeo Online Services REST API
- Using a CI/CD chain with Maven
- Using the Nuxeo CLI commands to import or export a Studio project configuration
- Using the Studio Designer Git Access
When authenticating, you need to provide your username (unchanged), and a token instead of a password (new). Refer to our token management documentation for further details.
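For the Maven CI/CD case listed above, the following is an added example (not taken from the Nuxeo documentation) of a `settings.xml` that supplies the username and token through Maven's `${env.*}` interpolation, so the token stays in the CI secret store rather than in the file. The server id `nuxeo-online-services` and the variable names `NOS_USERNAME` and `NOS_TOKEN` are hypothetical.

```xml
<!-- Added example: ~/.m2/settings.xml for a CI job. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <!-- Hypothetical id: it must match the <id> of the repository
           declared in your pom.xml or mirror configuration. -->
      <id>nuxeo-online-services</id>
      <!-- The username is unchanged. NOS_USERNAME is an assumed
           environment variable set by the CI job. -->
      <username>${env.NOS_USERNAME}</username>
      <!-- The token goes where the password used to go. NOS_TOKEN is an
           assumed environment variable fed from the CI secret store. -->
      <password>${env.NOS_TOKEN}</password>
    </server>
  </servers>
</settings>
```

If a token is exposed, only that token has to be replaced in the secret store; the file itself and the account password are unaffected.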
Multi-factor authentication (MFA) is needed to authenticate.
If you have not set up your MFA yet, you will be able to set it up while logging in. This second factor will be requested once a week to authenticate.
When you log into Nuxeo Online Services using the browser, a second authentication factor will be requested to enhance your account security.
These factors can be one of the following:
- Code provided by a smartphone application (most secure)
- Voice call to a phone number
- SMS sent to a phone number (less secure)
Multi-Factor Authentication FAQ
Who is Impacted by the Change?
This change only applies to people using Nuxeo Studio and Nuxeo Marketplace (called developers from here on). It won't have any effect on people working every day in your Nuxeo Server instance, even if this instance is hosted in Nuxeo Cloud.
Can you Provide a Summary of the Change?
When authenticating into Nuxeo Studio or Nuxeo Marketplace, developers are requested to set up a second authentication factor using their phone.
If the second factor is not set up yet, developers are asked to set it up; after that, it is requested once a week during authentication.
What is a Token?
A token is a randomly generated string that can be used as a replacement for your password when authenticating to our services. It is meant to be used in all places where you would need to write down your password but would rather avoid disclosing it, for instance in configuration files.
Feel free to check our token management documentation for further details.
Do I Need a Particular Hotfix for These Changes?
No hotfix is required.
Latest hotfixes and tool versions only pack additional help to mention tokens instead of passwords when needed, starting from the following versions:
These changes are only visual to clarify how our new authentication system works and have no functional impact.
I'm Using an Unsupported Nuxeo Server Version. Should I Be Concerned?
The same applies for formerly supported releases: no need for code change. Authentication against Nuxeo Online Services when using our command line tools and APIs will have to be done using tokens instead of passwords.
Why Make These Changes?
Nuxeo is partnering with Okta, an industry leader in authentication security, to bring these changes. They are made as part of our continuous effort to improve security and bring several benefits:
- Storage decoupling: Your password will be stored by our partner Okta. This ensures it benefits from even better protection.
- Stronger authentication system: Partnering with Okta allows us to provide new features to secure your account, like multi-factor authentication.
- Single Sign-On: Signing into your Nuxeo Online Services account will allow you to access our different services seamlessly, without being prompted for credentials again.