Credential Management

There are different ways to authenticate to Mailsac services depending on the service being consumed.

Password Change

An account password can be changed on the Website under Manage Account Details. If you have forgotten your password, use the Password Reset Form to send a password reset email.

Team users will need to contact the Primary Account Holder to reset their password.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) can be enabled to add a layer of security to the account. MFA can be enabled from the Manage Account Details page on the Dashboard.

Figure: Enable Multi-Factor Authentication (MFA)

Select “Generate MFA” to generate a QR code that can be scanned by an MFA application such as Google Authenticator or Authy. A secret key is also provided that can be entered into the MFA application if the QR code cannot be scanned. Recovery codes are provided that can be used to access the account if the MFA device is lost.

Figure: MFA Configuration

You will be prompted to confirm MFA is working by entering a code from the MFA application. After confirming MFA is working, MFA will be enabled on the account.

You can also disable MFA from the Manage Account Details page.

API Key Management

API keys are used to authenticate to the REST API, Email Capture, and POP3.

API Keys can be created, regenerated, and deleted in the API Keys and Users section of the Dashboard.

Multiple API Keys

For accounts on Business or Enterprise plans, multiple API keys may be created, each with a unique name.

Having multiple API keys enables:

  • restricted access control

  • usage monitoring

  • separate API Keys for different testing environments

To create an API key, go to API Keys and Users and select “Manage Keys” from the Dashboard. Enter a name for the API Key and select “Generate new API key”. API Keys may only be viewed once and are not retrievable by the system. API Keys should be treated with the same security considerations as a password.

Figure: Create new API key

Team Users

Team user accounts may access a subset of Mailsac functionality: almost everything except managing the account, billing, and API keys or user logins. The team users feature is available on Business and Enterprise Plans. If a team user needs to access account management features, the root account can allow temporary elevation to a root account session.

A team user’s password serves as the password for both the Mailsac.com website and the REST API.

Create Team User

Team users can be created from the Dashboard under API Keys and Users by selecting “Manage Users”.

Figure: Create Team User Login

The password for the user login is automatically created. It can only be viewed once.

Figure: User Login Credentials

When logged into the website using a team user login, the user session is restricted from:

  • viewing and modifying payment information

  • adding or removing API keys

  • managing account features

  • adding or removing custom domains

The root account can allow selected team users to temporarily elevate to a root account session when they need to perform account administration.

Login Using a Team User

Use the Team User Login to sign into Mailsac as a team user.

  • Primary Account ID: The primary account name used to sign up for Mailsac

  • User Name: The name of the user login

  • Password: The password for the user

Figure: Login using a Team User.

Allow a Team User to Elevate to Root

Root elevation lets an approved team user replace their current browser session with a root account session. A root account session has full account permissions, including access to billing, user management, API keys, custom domains, and other sensitive account settings.

Root elevation is disabled by default and can only be enabled for team users. It is not available for API keys that are only used for REST API access.

To allow a team user to elevate:

  1. Sign in as the root account.

  2. Open API Keys and Users from the Dashboard.

  3. Select “Manage Users”.

  4. Select “Edit” then “Manage” next to the team user login.

  5. Enable “Allow this team user to elevate to root”.

  6. Select “Save”.

After elevation is enabled, the team user can elevate from the website:

  1. Sign in with the Team User Login.

  2. Select “Elevate to Root User” from the dashboard sidebar, or go directly to Elevate to Root.

  3. Re-enter the team user password.

  4. If MFA is enabled for the team user, enter the MFA/TOTP code.

  5. Select “Elevate to Root”.

After a successful elevation, Mailsac redirects the browser to the dashboard with root account permissions. To return to a restricted team user session, log out and sign in again using the team user login.

Only enable elevation for team users who are trusted with full account access. Successful root elevations are recorded in the account audit log.

Reset Team User Password

Team user passwords are generated automatically because they also serve as an API key. To reset a team user password, the user can be recreated by selecting “Regenerate Password”. This can be done from API Keys and Users.

Figure: Regenerate team user password.

Remove Team User

Team users can be removed by clicking on the “Delete” button next to the user login on the API Keys and Users page.

Figure: Remove Team user.

SAML/SSO Integration

SAML provides a way for team users to authenticate using a third party identity provider. Mailsac has been tested with Okta, Google Workspace, and Microsoft Entra. Other SAML identity providers may work since SAML is based on a standard framework.

SAML Setup

Select SAML/SSO from the Dashboard. Then click the button “Generate SAML Service Provider”.

Figure: Generate SAML Service Provider

The next screen will contain “Service Provider Info”, which will be required by your identity provider. The section “Identity Provider Settings” will be filled in with information generated by your identity provider.

Figure: SAML/SSO Settings

The process for configuring your identity provider will vary depending on the identity provider.

Adding SAML Users

In order to log in using SSO, a team user must be created with a username that matches the name ID returned from the SAML SSO provider. This is typically the username used to authenticate to the identity provider.

After the user is added as a team account user, they will be able to log in using SAML SSO.

Figure: Add a team user with the same name as returned by the identity provider
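
A diagnostic for the username and name ID match described above, as an added example that is not Mailsac code: it reads the NameID out of a base64 SAMLResponse captured from your own test login and reports how it lines up with existing team user names. The sample response and user names are constructed, `check_team_user` is a hypothetical helper, and treating the match as exact is an assumption this page does not confirm.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: a minimal, unsigned response as an IdP might POST it.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Assertion><saml:Subject>"
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "Jane.Doe@example.com</saml:NameID>"
    "</saml:Subject></saml:Assertion></samlp:Response>"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def name_id_from_response(saml_response_b64):
    """Return (NameID, Format) from a base64-encoded SAMLResponse form field."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # SAML never needs a DTD; refuse one instead of letting the parser expand it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in SAML response")
    # Diagnostic only: this reads the value and does not verify any signature.
    root = ET.fromstring(xml_bytes)
    node = root.find(".//saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no NameID found (the assertion may be encrypted)")
    return node.text.strip(), node.get("Format")


def check_team_user(name_id, team_user_names):
    """Classify how the IdP's NameID compares with the team user names."""
    if name_id in team_user_names:
        return "match"
    folded = {name.casefold(): name for name in team_user_names}
    if name_id.casefold() in folded:
        return "case-differs:" + folded[name_id.casefold()]
    local_part = name_id.split("@", 1)[0]
    if "@" in name_id and local_part in team_user_names:
        return "idp-sends-email:" + local_part
    return "missing"


if __name__ == "__main__":
    value, fmt = name_id_from_response(SAMPLE_B64)
    print(value, fmt, check_team_user(value, ["jane.doe@example.com"]))
```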

Removing SAML SSO Users

SAML SSO team users can be removed by clicking on the “Delete” button next to the user login on the API Keys and Users page.

Login as a SAML SSO User

The SSO login page, which can be accessed directly or found via the Standard Login, is used for SAML SSO logins.

Figure: Select “SSO Login” to login using SSO

Enter the Primary Account ID, which is the Mailsac username used to configure SAML SSO, and the SSO email or User ID of the SSO user. Select “Generate SSO link” to be redirected to the SSO provider’s login page.

Figure: Enter primary Mailsac account ID and SSO email or User ID and select “Generate SSO link”

Once the identity provider has authenticated the user, the user will be redirected back to the Dashboard, completing the SAML SSO login process.