What is the Beamery Auth0 user login migration?
How will Beamery change for my users after migrating?
Why are we making this change?
When will my Beamery account be migrated to Auth0 for user login?
What is the process for migration? (SSO-customers)
What is the process for migration (email+password-login-only customers)?
Does this technical change require contractual changes?
What information will Auth0 have access to?
Can I elect to remain on the existing login solution?
How does SSO work with Beamery and Auth0
Does this change impact our Beamery API integrations?
What is the Beamery Auth0 user login migration?
Beamery is migrating from our current proprietary user authentication solution to a new-and-improved solution powered by Auth0.
How will Beamery change for my users after migrating?
For now, most of the changes will be behind the scenes, however there will be subtle changes to the user interface for logging in. All existing URLs will keep working, and there will be no significant changes to workflow required.
Why are we making this change?
Auth0 is a leading identity platform that’s maintained by dedicated security experts. This allows us to offer even stronger, standards-based authentication that evolves in step with the latest security protocols and best practices.
This change is also a step towards us offering more features to enhance the security and ease-of-use for the product, e.g. multi-factor authentication, simplified user provisioning, and idle session timeout.
When will my Beamery account be migrated to Auth0 for user login?
The new solution is still in the final stages of QA. Soon we’ll be reaching out to customers to arrange their migration to the new solution. Our goal is to migrate all customers before the end of October this year.
What is the process for migration? (SSO-customers)
The migration will require you to configure your identity provider with our new service provider metadata.
We’ll offer a choice of two options for how the migration is carried out.
Option 1 – Test in parallel (recommended)
This option involves creating a second active SSO connection for Beamery, which allows the migration to be completed with no downtime for your users:
- New metadata - For both sandbox and prod, we will provide you with a metadata URL for our new service provider, which will serve our new Entity ID, service provider signing/encryption certificate, and ACS (Assertion Consumer Service) URL
- Create new SSO connections – Your IT team will add the new connections in your identity provider alongside the existing ones.
- Test the new connection – You may test login via the new connection at any time without impacting your existing setup. You can either log in directly from your Identity Provider or by visiting [beamery-domain]/login?auth0=true (URL subject to change).
- Switch over by deadline – We’ll agree a deadline for making Auth0 the default login method. You should complete any testing before this date. Once the cutover happens, the old connection will be disabled.
- Support available – Since both connections run in parallel, no downtime or coordinated configuration changes are required, however we’re happy to join you on a call to make this change if required.
Option 2 – Single connection (coordinated cutover)
If your identity provider only supports a single active SSO connection for Beamery, the migration will require a coordinated change and a short planned downtime for logins:
- New metadata – For both sandbox and prod, we will provide you with a metadata URL for our new service provider, which will serve our new Entity ID, service provider signing/encryption certificate, and ACS (Assertion Consumer Service) URL.
- Update existing connection – Your IT team will replace the old configuration in your identity provider with the new details. Immediately after this change, we updated our configuration to route your logins to the new service. This change must be coordinated to ensure continued access.
- Two-step migration – We will arrange two coordinated calls with your IT team: one to migrate sandbox, and another (around a week later) to migrate production.
-
Planned downtime – For the time in-between the configuration change on your side and the corresponding change on ours, user login will be unavailable. This is likely to be just a few minutes, but for contingency we recommend scheduling for 30 minutes downtime. Users who are already logged in will be unaffected and can continue using Beamery without interruption.
Scenario Process Summary Coordination Required Downtime Notes Test in parallel 1. Beamery provides new SAML metadata for sandbox & production.
2. Customer creates a new SSO connection alongside the existing one.
3. Test new connection.
4. Agree to a cutover date; Beamery disables old connection.
5. Recommended: set up both environments together.No coordinated call required (Beamery can join if preferred). None — old and new connections run in parallel until cutover.
Most flexible migration path; allows testing before switching. Single connection 1. Beamery provides new SAML metadata for sandbox & production.
2. IdP updated in place to use new details.
3. Beamery performs synchronized change.
4. Sandbox migration first, then production a week later.Two coordinated calls (sandbox, then production). Brief login downtime during cutover (plan for up to 30 mins). Users already logged in remain unaffected. Requires tighter coordination; downtime window will likely be much shorter but plan for 30 minutes for safety.
What is the process for migration (email+password-login-only customers)?
There will be no need for any coordinated configuration changes. We will notify you when your account is scheduled to be migrated, and perform the migration on our side, with no need for any changes on yours.
Does this technical change require contractual changes?
Auth0 is already included on Beamery's Subprocessor List from 2024 therefore rolling out this new authentication solution will not involve any contractual changes or additional data privacy notifications.
What information will Auth0 have access to?
For customers using Single Sign-On (SSO), your organization remains the source of truth for user login details — we never see your password. For customers who log in directly using email and password, we use Auth0 to securely manage login credentials, with passwords encrypted and stored following industry best practices.
In both cases, Auth0 stores basic user profile information such as email address, login history, and each user’s Beamery role (e.g. Marking Admin, Sourcing Standard). This information is only ever used to support secure authentication and authorization within our platform.
Can I elect to remain on the existing login solution?
We’re moving all customers to our new login system powered by Auth0 to ensure consistent security standards and simplify ongoing support. Our plan is to fully retire the existing solution, so continuing with this won’t be possible. This change enables us to offer a more secure and reliable authentication experience across the board.
How does SSO work with Beamery and Auth0
Beamery will continue to support both service-provider and identity-provider initiated SAML login. For the sake of demonstration, the following sequence diagram demonstrates the process for a service-provider initiated login with Beamery’s new Auth0-powered authentication solution:
Does this change impact our Beamery API integrations?
This migration only affects user logins, and integrations authenticating with basic auth will not be disrupted.
While we do now offer OAuth 2.0 authentication for our API, we don’t currently have plans to deprecate basic auth.
Please see our documentation on this if you’re interested in moving to OAuth for integration anyway to benefit from the security benefits that this brings: https://frontier.beamery.com/swagger-ui/#how-to-authenticate.