Authentication
This guide explains how to control who can access your portal and what content they can see. DistiForge gives you four authentication options, from fully open public access to enterprise Single Sign-On, and a flexible confidentiality system so you can show the right content to the right people.
Choosing an Authentication Method
Navigate to Settings > Authentication to configure how visitors log into your portal. You can only have one active authentication method at a time.

The four options are:
Public Access: Open product catalogs, no login required
Shared Password: Simple access control with a single shared code
Magic Link: Email-based login, useful for partner and customer portals
Single Sign-On (SSO): Enterprise portals using Okta, Azure AD, Auth0, or similar
With Public Access, anyone who visits your portal URL can browse it immediately - no login, no password. All visitors are treated as public-level users and can only see content tagged as Public.
This is ideal for outward-facing product catalogs where you want zero friction for prospective customers.
Setting up Public Access
That's it. Your portal is now open to anyone with the link.
The Shared Password method requires visitors to enter an access code before they can view the portal. You set one password and share it with whoever should have access. Everyone who enters it correctly gets the same level of access.
This is a good fit for simple use cases — for example, giving all of your distributors access to internal product specs without requiring individual accounts.
Setting up a Shared Password
Visitors will see a password prompt when they open the portal. After entering the correct code, they can access all content up to the levels you have configured.
To change the password at any time, return to this screen and enter a new code.
Magic Link gives your visitors a personal, passwordless login experience. A user enters their email address on the portal login screen, and DistiForge sends them a one-time sign-in link. Clicking the link logs them in, with no password to remember.
The powerful part is domain-based access rules: you can map specific email domains to specific confidentiality levels. For example:
Anyone with a @partner.com email gets Internal access
Anyone with a @bigcustomer.com email gets Public access only
A wildcard rule catches everyone else
This lets you run a single portal that automatically grants different tiers of access based on the visitor's email domain.

Setting up Magic Link
Go to Settings > Authentication.
Select Magic Link.
Click Add Domain Rule to configure your first rule.
Configure the Rule: Enter the email domain (for example, partner.com) and select the confidentiality levels that domain should unlock.
Add additional domain rules as needed.
To create a catch-all rule for any domain not explicitly listed, add a rule with * as the domain and set the access level you want (usually Public only).
Click Save.
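The following is an added example, not DistiForge code: a small Python model of the domain rules above that lets you check what a given address would unlock before you save a rule set. It assumes a rule matches only when the whole domain is identical (how DistiForge treats subdomains is not stated in this guide), and the rule set and addresses are constructed samples.

```python
# Added example, not DistiForge code: models the domain rules described above.
# Assumption: a rule matches only when the whole domain is identical.
PUBLIC = "Public"

# Constructed sample rules mirroring the guide's example.
RULES = {
    "partner.com": {"Public", "Internal"},
    "bigcustomer.com": {"Public"},
    "*": {"Public"},  # catch-all for every other domain
}

def email_domain(email):
    """Return the lowercased domain, or None for a malformed address."""
    email = email.strip()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or "." not in domain.strip("."):
        return None
    return domain.lower().rstrip(".")

def resolve_levels(email, rules=RULES):
    """Levels an address would unlock; an empty set means no access."""
    domain = email_domain(email)
    if domain is None:
        return set()
    if domain in rules:
        return set(rules[domain])
    return set(rules.get("*", set()))

def wildcard_exposure(rules):
    """Levels above Public that the catch-all gives to any email address."""
    return set(rules.get("*", set())) - {PUBLIC}

if __name__ == "__main__":
    # Constructed addresses, including lookalike domains that must not match.
    for addr in ["alice@partner.com", "Bob@PARTNER.COM",
                 "eve@partner.com.example.net", "eve@notpartner.com",
                 "dan@mail.partner.com", "not-an-address"]:
        print(f"{addr:32} -> {sorted(resolve_levels(addr))}")
    print("wildcard grants beyond Public:", sorted(wildcard_exposure(RULES)))
```

A non-empty result from wildcard_exposure means anyone who can receive email at any domain would get those levels, which is why the catch-all is usually set to Public only.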
How the magic link email works
When a visitor enters their email and requests a link, DistiForge sends an email with a secure, single-use link that expires after a short time. Clicking the link signs them in. If the link has expired, they can request a new one.
Users who sign in via Magic Link are automatically added as members of your portal. You can see and manage them from Authentication > Users.

Single Sign-On (SSO)
SSO lets your visitors log in with their existing corporate identity — through Okta, Microsoft Azure AD, Auth0, Google Workspace, or any other provider that supports the standard OIDC (OpenID Connect) protocol.
With SSO enabled, visitors are redirected to your company's login page. After authenticating there, they are returned to the portal automatically. ProductIQ can read the groups that your Identity Provider assigns to the user and map those groups to confidentiality levels.
What you will need from your Identity Provider
Before configuring SSO in DistiForge, you (or your IT team) will need to register DistiForge as an application in your Identity Provider. This typically involves:
Creating an application or client in your IdP's admin console
Setting the redirect URL to the value shown in ProductIQ's SSO settings screen
Noting the Issuer URL, Client ID, and Client Secret that your IdP generates
Setting up SSO
Fill in the configuration fields
Fill in the SSO configuration fields:
Issuer URL — The URL that identifies your Identity Provider. Your IdP documentation will list this. For example, Okta issuers look like https://yourcompany.okta.com. Azure AD issuers look like https://login.microsoftonline.com/your-tenant-id/v2.0.
Client ID — The application or client ID generated when you registered ProductIQ in your IdP.
Client Secret — The secret key generated alongside the Client ID.
Scopes — The permissions ProductIQ should request. The required scopes are openid, email, and profile. If you want to use group-based access rules, you may also need groups or a similar scope — check your IdP's documentation.
Claims Mapping

Content Access Rules
Map IdP groups to the content levels they can access. Users not matching any rule see Public content only. Choose between Public, NDA and Internal.

Users who belong to multiple groups receive the combined access of all matching mappings (the highest level any of their groups grants them).
SSO users are automatically added as members of your portal on first sign-in. You can see and manage them from Authentication > Users.
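The following is an added example, not DistiForge code: a Python model of the group mapping above, useful for checking what a user's ID token claims would unlock and for spotting groups that match no rule. The claim name "groups", the group names, the case-sensitive matching and the ranking Public < NDA < Internal are assumptions; the claims are constructed samples.

```python
# Added example, not DistiForge code: models the Content Access Rules above.
# Assumed ranking, lowest to highest, used only to report the highest level.
ORDER = ["Public", "NDA", "Internal"]

# Constructed sample mapping of IdP group names to content levels.
GROUP_RULES = {
    "sales-engineering": {"Public", "NDA"},
    "product-team": {"Public", "NDA", "Internal"},
}

def groups_from_claims(claims, claim_name="groups"):
    """Read the groups claim; IdPs may send a list, one string, or nothing."""
    raw = claims.get(claim_name)
    if raw is None:
        return []
    if isinstance(raw, str):
        return [raw]
    return [g for g in raw if isinstance(g, str)]

def effective_levels(claims, rules=GROUP_RULES):
    """Union of every matching mapping; Public only when nothing matches."""
    levels = set()
    for group in groups_from_claims(claims):
        levels |= rules.get(group, set())
    return levels or {"Public"}

def highest_level(levels):
    """Highest level in the set under the assumed ranking."""
    return max(levels, key=ORDER.index)

def unmatched_groups(claims, rules=GROUP_RULES):
    """Groups the IdP sent that no rule names (typos, IDs instead of names)."""
    return [g for g in groups_from_claims(claims) if g not in rules]

if __name__ == "__main__":
    # Constructed claims as they might appear in a decoded ID token.
    samples = [
        {"email": "a@example.com", "groups": ["sales-engineering", "product-team"]},
        {"email": "b@example.com", "groups": "sales-engineering"},
        {"email": "c@example.com", "groups": ["Product-Team"]},
        {"email": "d@example.com"},
    ]
    for claims in samples:
        levels = effective_levels(claims)
        print(claims["email"], sorted(levels), highest_level(levels),
              "unmatched:", unmatched_groups(claims))
```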
Switching Between Authentication Methods
You can change your authentication method at any time from Settings > Authentication. Simply select the new method, configure its settings, and save.
Keep in mind:
Switching methods immediately affects new login attempts. Existing active sessions remain valid until they expire.
If you switch away from Magic Link or SSO, any portal members who joined via those methods will remain in the member list but will no longer be able to log in via their original method.
Test your new authentication setup before announcing the change to users.
How Authentication and Confidentiality Work Together
When a user logs in, DistiForge determines which confidentiality levels they are allowed to see based on their authentication method and any applicable rules:
A public visitor sees only Public content.
A password user sees the levels you configured for that password.
A magic link user sees the levels mapped to their email domain.
An SSO user sees the levels mapped to their IdP groups.
A member with an override sees the levels an admin has granted them directly (see the Members guide for details).
The AI assistant, product search, and all portal features automatically respect these access levels — users only ever see content they are allowed to access.