---
title: "Set up End-User Authentication"
slug: "whatfix-end-user-sso"
updated: 2026-05-21T10:37:41Z
published: 2026-05-21T10:37:41Z
---

# Set up End-User Authentication

#### Overview

Whatfix enables your organization to deliver content with End-user authentication. If you have deployed Whatfix Content on your application, the End-user authentication feature prompts your end users to authenticate themselves with valid credentials using your organization’s Single Sign-on (SSO). Only Account Managers can enable end-user authentication. For more information, see [Whatfix Single Sign-on](/studio/docs/whatfix-single-sign-on).

Here’s an overview of end-user authentication (EUA).

[Embedded content](https://player.vimeo.com/video/1193973363)

#### Know how End-User SSO works

When an end user lands on the application, a series of network calls occurs in the background. The following image illustrates the process that begins when the end user accesses the application from a browser:

![](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Whatfix End User SSO(1).png)

The following steps describe the process shown in the preceding image, which runs when an end user requests Whatfix content in an application integrated with End-User SSO:

**Step 1: End user Requests Whatfix Content**

The end user accesses your application and requests Whatfix content. Their browser sends a request to the [Whatfix Content Delivery Network (CDN)](/studio/docs/where-does-whatfix-host-content-created-for-my-application).

**Step 2: CDN Initiates Authentication Request**

The CDN detects that End-User SSO is enabled and triggers an authentication flow. It redirects the end user’s browser to the Whatfix API Service to initiate a [SAML request](/studio/docs/enable-saml-response-encryption).

**Step 3: API Service Redirects to Identity Provider**

The Whatfix API Service generates a SAML request and redirects the end user’s browser to your organization’s Identity Provider (IdP) for authentication.

**Step 4: User Authenticates with Identity Provider**

The end user signs in with their organization’s SSO credentials and the IdP verifies the end user’s identity.

**Step 5: Identity Provider Returns Authentication Response**

Upon successful authentication, your IdP sends a SAML response back to the user’s browser, which then redirects the response to the Whatfix API Service.

**Step 6: API Service Validates Authentication**

The Whatfix API Service validates the SAML response, confirming the end user’s identity and extracting relevant user attributes (such as email, department, role, and more) if defined in the Whatfix dashboard.

**Step 7: Security Context is Set**

The API Service sets a secure authentication cookie (valid up to 45 days) in the end user’s browser, establishing a security context for future content access.

**Step 8: Content is Delivered**

The end user’s browser re-contacts the CDN, presenting the secure cookie. The CDN verifies the authentication and securely delivers the requested Whatfix content.
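As an added illustration of the validation in Step 6 (this is not Whatfix's implementation or API), the following Python applies the checks a service provider typically runs on a SAML response once its signature has been verified: it matches `InResponseTo` to the request issued in Step 3, enforces the validity window and audience, and then extracts the user attributes. The sample response, the entity ID `https://sp.example.test`, the request ID `_req42` and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; every value here is made up for the example.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion><saml:Subject><saml:NameID>ana@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-01-01T10:00:00Z" NotOnOrAfter="2026-01-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="department">
   <saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(value):
    if not value:                                   # fail closed on a missing bound
        raise ValueError("missing validity timestamp")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, audience, request_id, now):
    """Return the subject and attributes; raise ValueError when a check fails.
    Assumes the XML signature was already verified by a SAML library, and
    that `now` is a timezone-aware UTC datetime."""
    if "<!DOCTYPE" in xml_text:                     # no DTDs: blocks entity expansion
        raise ValueError("DTD not allowed")
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:      # must answer the request we sent
        raise ValueError("unsolicited or mismatched response")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    found = root.findall(".//a:Assertion", NS)
    if len(found) != 1:                             # ambiguity is rejected outright
        raise ValueError("expected exactly one assertion")
    cond = found[0].find("a:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        raise ValueError("assertion issued for a different service provider")
    attrs = {a.get("Name"): [v.text for v in a.findall("a:AttributeValue", NS)]
             for a in found[0].findall("a:AttributeStatement/a:Attribute", NS)}
    return {"name_id": found[0].findtext("a:Subject/a:NameID", namespaces=NS),
            "attributes": attrs}
```

A response replayed after `NotOnOrAfter`, issued for another service provider, or not tied to a request this service provider sent is rejected before any attribute is read.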

**Best Practices**

- **Whitelist SSO authentication tabs from the host application:** Ensure your IT team whitelists authentication tabs for the application (for example, Salesforce or Workday) so that the SSO authentication window is not blocked by the browser.
- **Use a consistent SSO configuration:** Configure your application and Whatfix to use the same SSO provider.
- **Pass relevant SSO attributes to Whatfix:** Share relevant user attributes from your SSO provider with Whatfix. This enables precise content targeting based on role, location, department, and more.

**Implementation Considerations**

- **Cookie expiry**: You can set a custom token expiry ranging from 10 minutes to 45 days. End users stay signed in without repeated login prompts for the duration of the configured token expiry.
- **Data security**: Authentication tokens are managed in accordance with enterprise-grade security practices. Only email addresses serve as primary end-user identifiers, and they are encrypted at rest using industry-standard encryption protocols.
- Whatfix also supports key SSO security features, including [SAML request signing](/studio/docs/enable-saml-request-signing-for-single-sign-on) and [SAML response encryption](/studio/docs/enable-saml-response-encryption), to ensure secure, standards-compliant authentication.

> [!WARNING]
> Note:
> 
> - The End-user authentication feature is available for all users. Your IT team must permit authentication tabs in the site settings for your application. ![End_User_Auth.png](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/image%28431%29.png)
> - You need to [configure SSO](/studio/docs/whatfix-single-sign-on) for the Whatfix Dashboard. For more information, see [Whatfix Single Sign-on](/studio/docs/whatfix-single-sign-on).
> - If you use a [Browser extension method of delivery](/studio/docs/integrate-whatfix-using-browser-extension), you must whitelist the Whatfix domains for the extension to access and display the content.
> - Lack of permissions for domains such as `whatfix.com` and region-specific domains such as `eu.whatfix.com` might result in authentication failures and frequent re-login attempts. Ensure that such domains or any other specific domains are added to the site access settings of the browser extension page. For more information, see [Change site settings for an extension](https://support.google.com/chrome/answer/114662).
>
> **Best Practice:** The application where Whatfix is deployed should use the same SSO as Whatfix to provide a seamless login experience.

With End-user authentication, Whatfix enables you to:

- Protect your content by restricting access to authorized users only. Your organization’s content stays safe — visible only to end users who have SSO access.
- Identify end users accurately across applications and sessions, providing insights to identify adoption and engagement gaps, and drive improvements with minimal setup.
- [Segment content using SSO attributes](/studio/docs/display-content-using-sso-based-user-attributes) by department, region, role, or any other attribute — all without relying on Whatfix or your IT team. Your end users see exactly what they need.

#### Use the following steps to enable End-user authentication on Whatfix Dashboard

Ensure that you enable SSO using the dashboard. For more information, see how to [enable Single Sign-on using Whatfix Dashboard](/studio/docs/whatfix-single-sign-on).

**Step 1: Access the End User Authentication Setting**

1. On the Whatfix Guidance dashboard, click **Settings**.

![Click Settings on Dashboard](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/settings_ia.png)
2. Click **SSO and authentication**.

![Click SSO and authentication](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_Settings_ClickSSO.png)
3. Under **Authenticate dashboard and end users**, go to the **End user authentication** section and then click **Set up**.

![Set up end-user authentication on dashboard for users](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_SSO_end-userauthentication.png)

> [!WARNING]
> Note:
> 
> The **End user authentication** toggle is enabled only after you complete the setup process by following the next steps.

---

**Step 2: Enable Authentication for Applications**

a. In the **Set up end user authentication** dialog box, select the Whatfix product where you want to enable end-user authentication:

- Guidance + product analytics: End-user authentication is enabled only for Guidance and Product analytics. This means only the end users who access content of Guidance and Product analytics are authenticated.
- Mirror: End-user authentication is enabled for Mirror. This means only the users who access content of Mirror are authenticated.

![Set up end-user auth from dashboard](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_end-user_auth_setup.png)

b. Under **Select the token expiry**, set the duration (the time before a user must re-authenticate).

![Set the duration of authentication](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_enduser_authenticatio_setduration.png)

c. Enable the **Detect via SSO** toggle to start tracking end-user analytics.

![Track analytics for SSO and end-user authentication](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_enduser_auth_trackanalytics.png)

> [!NOTE]
> Info:
> 
> - **Detect via SSO** is an optional step. However, enabling it creates a user detection rule on the Whatfix dashboard, and all your product analytics data is then derived from the data captured during end-user authentication.
> - Only one user identification rule can exist, which means enabling the **Detect via SSO** toggle overrides any other existing rule.

d. Click **Confirm**.

![Click confirm after enabling end user authentication](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_enduser_auth_ClickConfirm.png)

---

**Step 3: Push to Production**

Once you see the **End user authentication successful** message, Whatfix prompts you to publish so that the changes can go live on the application. Perform a dummy push to production for the end user authentication to become active.

![EUA success message for push to production](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_Success_message_P2P.png)

#### Capture end-user attributes

**What are end-user attributes?**

End-user attributes are specific pieces of data about your users, such as their role, department, location, or seniority. Whatfix receives the end-user attributes from your Identity Provider (IdP). Such attributes enable you to create a personalized experience for your users by showing content that they are meant to see. For example, a manager might see a workflow for approving leaves, while an employee only sees the workflow for requesting them.

Common examples of end-user attributes:

- Role: Account manager and contributor.
- Department: Sales, HR, engineering, and customer success.
- Geography: North America, EMEA, and APAC.

1. Under the **Additional user attributes** section, click **Set up**. ![Add additional user attributes for EUA](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_EUA_additional_userattributes.png)
2. Map the identity provider fields (for example, department, role, and email ID) to Whatfix attributes (for example, user ID and employee ID) for further segmentation. ![Add user attributes for end user authentication](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_add_attributes.png)
3. Click **Save**. ![Save the added user attributes](https://cdn.document360.io/a268766e-d74d-4619-9613-e2472f809ffb/Images/Documentation/Dashboard_user_attributes_clickSave.png)

> [!NOTE]
> Info:
> 
> - If the end user logs in to the application using End-user authentication, they remain logged in until the configured session duration expires.
> - End-user authentication is available for both [JS Embed](/studio/docs/integrating-whatfix-using-javascript) and [Browser Extension](/studio/docs/manage-extensions-on-the-whatfix-dashboard) modes of deployment.

Whatfix Content includes Flows, Images, Videos, PDFs, Articles and Links.

Single Sign-on is a user authentication method that allows users to log in to multiple applications and websites with one set of credentials.

An Identity Provider (IdP) is an authority system that holds and verifies user authentication information.

The Whatfix Dashboard is where you can perform the following actions:

- Access all content that has been created by users in your organization.
- Access and manage content widgets like Self Help, Pop-ups, Smart tips, Beacons, and Task List
- Manage users
- Manage tags
- Access Analytics
- Manage translations
- Manage Tip or Flow configurations
