Set up End-User Authentication
- Updated On 17 Dec 2025
Overview
Whatfix enables your organization to deliver content with End-user authentication. If you have deployed Whatfix Content on your application, the End-user authentication feature prompts your end users to authenticate themselves with valid credentials using your organization’s Single Sign-on (SSO). Only Account Managers can enable end-user authentication. For more information, see Whatfix Single Sign-on.
Know how End-User SSO works
When an end user lands on the application, a series of network calls occurs in the background. The following image illustrates the process that begins when the end user accesses the application from a browser:
The following steps outline the process shown in the preceding process image when an end user requests Whatfix content in an application integrated with End-User SSO:
Step 1: End user Requests Whatfix Content
The end user accesses your application and requests Whatfix content. Their browser sends a request to the Whatfix Content Delivery Network (CDN).
Step 2: CDN Initiates Authentication Request
The CDN detects that End-User SSO is enabled and triggers an authentication flow. It redirects the end user’s browser to the Whatfix API Service to initiate a SAML request.
Step 3: API Service Redirects to Identity Provider
The Whatfix API Service generates a SAML request and redirects the end user’s browser to your organization’s Identity Provider (IdP) for authentication.
Step 4: User Authenticates with Identity Provider
The end user signs in with their organization’s SSO credentials and the IdP verifies the end user’s identity.
Step 5: Identity Provider Returns Authentication Response
Upon successful authentication, your IdP sends a SAML response back to the user’s browser, which then redirects the response to the Whatfix API Service.
Step 6: API Service Validates Authentication
The Whatfix API Service validates the SAML request, confirming the end user’s identity and extracting relevant user attributes (such as email, department, role, and more) if defined in the Whatfix dashboard.
Step 7: Security Context is Set
The API Service sets a secure authentication cookie (valid up to 45 days) in the end user’s browser, establishing a security context for future content access.
Step 8: Content is Delivered
The end user’s browser re-contacts the CDN, presenting the secure cookie. The CDN verifies the authentication and securely delivers the requested Whatfix content.
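The checks a SAML service provider typically applies to the response returned in Step 5 before trusting its attributes, as an added illustration that is not Whatfix's code. It goes beyond the wording of Step 6 by tying the response to the request from Step 3 and checking destination, validity window and audience. It assumes the XML signature has already been verified over the assertion being read, and the function name, URLs, IDs and attribute mapping are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; every ID, URL and attribute name is a placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  InResponseTo="_req42" Destination="https://sp.example/acs">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion ID="_a1" Version="2.0" IssueInstant="2025-12-17T10:00:00Z">
  <a:Subject><a:NameID>jane@example.com</a:NameID></a:Subject>
  <a:Conditions NotBefore="2025-12-17T09:59:00Z" NotOnOrAfter="2025-12-17T10:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example/metadata</a:Audience></a:AudienceRestriction>
  </a:Conditions>
  <a:AttributeStatement><a:Attribute Name="department"><a:AttributeValue>Sales</a:AttributeValue></a:Attribute>
   <a:Attribute Name="role"><a:AttributeValue>manager</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, request_id, acs_url, audience, mapping, now):
    """Return (name_id, mapped_attrs) or raise ValueError; signature assumed verified."""
    root = ET.fromstring(xml_text)  # use a hardened XML parser for untrusted input
    if root.get("InResponseTo") != request_id or root.get("Destination") != acs_url:
        raise ValueError("not a reply to our request at our endpoint")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    found = root.findall(".//a:Assertion", NS)  # extra or nested copies are rejected
    if len(found) != 1:
        raise ValueError("expected exactly one assertion")
    cond = found[0].find("a:Conditions", NS)
    try:
        in_window = ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False  # missing or malformed Conditions fail closed
    if not in_window:
        raise ValueError("outside validity window")
    if audience not in [e.text for e in cond.findall("a:AudienceRestriction/a:Audience", NS)]:
        raise ValueError("issued for another audience")
    idp = {a.get("Name"): a.findtext("a:AttributeValue", namespaces=NS)
           for a in found[0].findall("a:AttributeStatement/a:Attribute", NS)}
    name_id = found[0].findtext("a:Subject/a:NameID", namespaces=NS)
    return name_id, {dst: idp[src] for src, dst in mapping.items() if src in idp}
```

The `mapping` argument plays the role of the IdP-field-to-attribute mapping configured in the dashboard; IdP attributes that are not mapped are dropped rather than passed through.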
Best Practices
Whitelist SSO authentication tabs from the host application: Ensure your IT team whitelists authentication tabs for the application (for example, Salesforce or Workday) so that the SSO authentication window is not blocked by the browser.
Use a consistent SSO configuration: Configure your application and Whatfix to use the same SSO provider.
Pass relevant SSO attributes to Whatfix: Share relevant user attributes from your SSO provider with Whatfix. This enables precise content targeting based on role, location, department, and more.
Implementation Considerations
Cookie expiry: You can set a custom token expiry ranging from 10 minutes to 45 days. End users stay signed in without repeated login prompts for the duration of the configured token expiry.
Data security: Authentication tokens are managed in accordance with enterprise-grade security practices. Only email addresses will serve as primary end-user identifiers and are encrypted at rest using industry-standard encryption protocols.
Whatfix also supports key SSO security features, including SAML request signing and SAML response encryption, to ensure secured, standard-compliant authentication.
Note:
The End-user authentication feature is available for all users. Your IT team must permit authentication tabs in the site settings for your application.
You need to configure SSO for the Whatfix Dashboard. For more information, see Whatfix Single Sign-on.
If you use a Browser extension method of delivery, you must whitelist the Whatfix domains for the extension to access and display the content.
Lack of permissions for domains such as whatfix.com and region-specific domains such as eu.whatfix.com might result in authentication failures and frequent re-login attempts. Ensure that such domains or any other specific domains are added to the site access settings of the browser extension page. For more information, see Change site settings for an extension.
Best Practice: The application where Whatfix is deployed should use the same SSO as Whatfix to provide a seamless login experience.
With End-user authentication, Whatfix enables you to:
Protect your content by restricting access to authorized users only. Your organization’s content stays safe — visible only to end users who have SSO access.
Identify end users accurately across applications and sessions, providing insights to identify adoption and engagement gaps, and drive improvements with minimal setup.
Segment content using SSO attributes by department, region, role, or any other attribute — all without relying on Whatfix or your IT team. Your end users see exactly what they need.
Use the following steps to enable End-user authentication on Whatfix Dashboard
Ensure that you enable SSO using the dashboard. For more information, see how to enable Single Sign-on using Whatfix Dashboard.
Step 1: Access the End User Authentication Setting
On the Whatfix Guidance dashboard, click Settings.

Click SSO and authentication.

Under Authenticate dashboard and end users, go to the End user authentication section and then click Set up.

Note:
The End user authentication toggle is enabled only after you complete the setup process by following the next steps.
Step 2: Enable Authentication for Applications
a. In the Set up end user authentication dialog box, select the Whatfix product where you want to enable end-user authentication:
Guidance + product analytics: End-user authentication is enabled only for Guidance and Product analytics. This means only the end users who access content of Guidance and Product analytics are authenticated.
Mirror: End-user authentication is enabled for Mirror. This means only the users who access content of Mirror are authenticated.

b. Under Select the token expiry, set the duration (the time before a user must re-authenticate).

c. Enable the Detect via SSO toggle to start tracking end-user analytics.

Info:
Detect via SSO is an optional step. However, enabling it creates a user detection rule on the Whatfix dashboard, and all your product analytics data is then derived from the data captured during end-user authentication.
Only one user identification rule can exist, which means enabling the Detect via SSO toggle overrides any other existing rule.
d. Click Confirm.

Step 3: Push to Production
Once you see the End user authentication successful message, Whatfix prompts you to publish so that the changes can go live on the application. Perform a dummy push to production for the end user authentication to become active.

Capture end-user attributes
What are end-user attributes?
End-user attributes are specific pieces of data about your users, such as their role, department, location, or seniority. Whatfix receives the end-user attributes from your Identity Provider (IdP). Such attributes enable you to create a personalized experience for your users by showing content that they are meant to see. For example, a manager might see a workflow for approving leaves, while an employee only sees the workflow for requesting them.
Common examples of end-user attributes:
Role: Account manager and contributor.
Department: Sales, HR, engineering, and customer success.
Geography: North America, EMEA, and APAC.
Under the Additional user attributes section, click Set up.
Map the identity provider fields (for example, department, role, and email ID) to Whatfix attributes (for example, user ID and employee ID) for further segmentation.

Click Save.

