When logging into aXcelerate, users will be required to create and use a global account. This will act as their identity when training at one or more training organisations. This guide will cover the creation and management of global user accounts.
To view a list of Frequently Asked Questions, please see this help article.
Manage your Global Account Details
All users that have set up a Global Account will have a ‘My Account’ option under their profile icon which will allow them to see all aXcelerate user profiles that they have connected to their Global Account. This area allows you to manage your Global Account details and view each aXcelerate user account that has been linked.
- Click on your Profile Icon
- Click My Account
- Update your details as required
- Click Save
Tip: Once connected, from the single login, a user will be able to access all portals available to each account (administrator, learner, client, agent) from the profile menu.
Note: If a user creates their account with the email address or mobile phone number and password option, they will also have the option to configure their Global Account to require Multi-Factor Authentication (MFA). When logging in using other services (Google, Facebook or Apple), MFA will be determined by the settings of your account for that service.
Linking Multiple Users to a Global Account
As an aXcelerate user, you may have multiple user accounts for different training organisations. An example of this is being a Trainer in one account and a Learner in another. All of these accounts can be linked to your one Global Account by selecting the same Authentication Method when logging on. Once this has been done, you will be able to log in once and then change between different accounts from the profile menu.
Tip: If you are a Trainer and Learner in the same Training Organisation, you will only need to link the one account and then be able to switch between roles from the profile menu.
Issue a User Invitation
New users created in aXcelerate will no longer receive an email containing a generated username and password, but instead, they will receive an email invitation to create a Global Account by using an email address or mobile phone number (and password), or their Google, Facebook or Apple accounts. New user accounts will still be generated from the System Users area via the same automated methods as used by the previous user creation process. You can access a User Record by clicking the Update icon next to a user in the System Users table or by selecting Update User Record in the Contact Actions menu.
Settings
- Click the Update Icon next to a user in the System Users table
- Click Send New Login Invite
- Select the email address to issue the invitation to
- Click Send
Tip: The email that the invite is issued to is not necessarily the authentication method that the user will use for their account. This email is where the invite will be sent to, but the user will still be able to select from all of the available authentication methods. The email will default to the one specified against the contact profile.
Note: As part of these changes, aXcelerate will create a new template in your account that will be used for the new user invitation emails. The main difference is that you will no longer need the [aXcelerate Username] or [Generated Password] templated fields, as these will be replaced by a single [User Login Access Link] template field. All login creation links generated will expire after 90 days, which will be specified in the template. To modify the design of the template, please look for the ‘New Login Experience Invitation’ template within the templates section of aXcelerate.
Unlink an Authentication Method
Once a user has linked an authentication method to their user account, it can be unlinked from their user profile.
Settings
- View an existing User Profile that has been Migrated
- Click on the Unlink Icon next to the user's authentication method
- Click OK
Warning: If you unlink a User's authentication method, you will need to ensure that a new Invitation is sent to that user. Once an account has been linked to a new authentication method and flagged as 'Migrated', they will not be able to log in with their old username and password.
Set up Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is available to those using an email and password, or phone number and password as their authentication method.
- Click on your Profile Icon
- Click My Account
- Set Multi-factor Authentication to Authenticator
- Download an Authenticator App on your phone
- Scan the QR Code displayed
- Enter the Verification Code displayed in your App
- Click Submit
- Click Save
Tip: Once you have MFA enabled, each time you log in you will be required to enter the verification code displayed in your Authenticator App.
Note: When logging in using other services (Google, Facebook or Apple), MFA will be determined by the settings of your account for that service.
Warning: Ensure your phone has the correct time zone set in the settings. Failing to do so may result in an error message while entering the verification code. This will prevent MFA from being set up.
Update the aXcelerate WordPress Plugin
Customers using the aXcelerate WordPress Plugin on their website to facilitate online enrolments will need to ensure that the plugin is on the latest version when the new login experience is launched so that the enrolment form continues to work correctly.
- Log in to your WordPress Website as an administrator
- Go to the Plugins tab of the WordPress dashboard
- Find the ‘aXcelerate Integration Plugin’, then click ‘Update Now’ and ‘Enable auto-updates’
Note: We strongly recommend that Automatic Updates are enabled for the aXcelerate WordPress plugin so that any new changes made to our plugin are applied automatically and your website can continue to work cohesively with the rest of the system.
Warning: If the plugin is not on the latest version, the login experience for returning students will not work as intended. In the future, the enrolment form will stop working completely if version 3.4.0 or greater is not being used.
User API Endpoint Changes
If your business has built a custom integration with aXcelerate and are utilising our /user/* related endpoints, these changes will impact your integration.
All [User Login Access Link] will be generated from aXcelerate. During the Global Account creation process, all users will access an aXcelerate page. So that users are redirected to your own portal/system on success, you can specify a Student Portal Application (‘return_to’ URL) from within aXcelerate under the Approved Applications Register from System Settings > Web & Other Integrations.
Our /user/* API endpoints will be backward compatible and still allow username and password access for current users, however, all new users will need the new access code methods to authenticate. For consistency purposes, we highly recommend that you modify your integration to redirect all current users to the aXcelerate authentication page to create their own ‘Global Account’ as in the future we may deprecate support for non-migrated accounts.
Below is a summary of changes to API endpoints.
/user/
This endpoint will no longer handle the ‘password’ parameter supplied on a POST request. The API will trigger a user registration invitation email to the email address attached to the contact for the newly created user.
/user/:userID
This endpoint will no longer allow the updating of ‘username’, ‘password’ and ‘passwordchangenextlogin’ values with PUT requests. GET requests to this endpoint will return an additional parameter of ‘migrated’ which will allow you to identify if a user has created their ‘Global Account’.
/user/forgotPassword
This endpoint will no longer work for a migrated user. A migrated user can reset their own password as these users should now be redirected to an aXcelerate page that can handle a ‘forgot password' flow.
/user/forgotUsername
If a user has been migrated and a request is made to this endpoint, the response will still be a success:true/false after an email is dispatched to the user. If the user was linked via Google/Facebook/Apple, the email will specify the email address associated with that social provider and the name of the provider.
/user/changePassword
Deprecated; this endpoint will no longer be supported. Since all login details are now global, we cannot allow any API call to affect the login details for any user. The only way to change a password without being already logged in, is for a user to go to our reset the password page https://app.axcelerate.com/management/secure/reset.cfm
/user/login
This endpoint will no longer accept username and password parameters to log a user in. A login request must now contain an ‘accessCode’ and ‘userID’. In order to generate an accessCode, the user must first be sent to one of the following URLs, depending on the environment.
Live: https://app.axcelerate.com/auth/user/login.cfm
Staging: https://stg.axcelerate.com/auth/user/login.cfm
Where possible, you should also use your subdomain in these URLs as in the near future aXcelerate may offer the ability for you to brand these login pages.
Live: https://{subdomain}.app.axcelerate.com/auth/user/login.cfm
Staging: https://{subdomain}.stg.axcelerate.com/auth/user/login.cfm
A ‘return_to’ URL parameter should be used to specify where you want the user to return to once they have successfully logged in:
https://{subdomain}.app.axcelerate.com/auth/user/login.cfm?return_to=https://yoursite.com/login
For security reasons, you will be required to register your ‘return_to’ URL with aXcelerate in the Approved Applications Register in aXcelerate under System Settings > Web & Other Integrations. When the user logs in and returns from the login page, they will return with an ‘access_code’ URL Parameter:
https://yoursite.com/login?access_code=E2E8C0F5-BA18-4A80-B2C31862BB850232
The ‘access_code’ should then be used with this endpoint to generate the ‘axtoken’ that is used for all subsequent API requests.
/user/logout
This endpoint will operate as normal and require the ‘axtoken’ parameter to log out a user.
Global User Authentication FAQs
When are the changes happening?
These changes will be available in our Staging environment on Thursday July 1, 2021 and are intended to be activated seven weeks later in our live environment on Thursday August 26, 2021.
What happens if a user signs up with a different email address than what is listed on their contact profile?
The email address for the contact will not change. The email address for the Global Account can be a completely different email to what is stored on the contact profile. The user will login with their Global Account email, however, any email communications sent via aXcelerate will be sent to the email recorded on the contact profile.
What happens if a student “does not get the invitation”? Can it be re-sent on their behalf?
Yes. An aXcelerate administrator can resend an invitation from the user record page in aXcelerate.
Is there an expiry on user invitation links and can they be used multiple times?
All user invitations are unique links that can only be used once to create a Global Account. These invitations will expire after 90 days. Once expired, a new invitation will need to be sent to that user.
What if a student does not have an email address or phone number to create their Global Account with?
Going forward, the only authentication options aXcelerate will support are email address, mobile phone number, Google, Facebook or Apple.
What happens if a student forgets their password or how they connected their aXcelerate account? Can student support or administrators assist students with logging in?
Yes. The contact record associated with the user will have a new identifier explaining what authentication method the user was created with (email address, mobile number, Google, Facebook or Apple). A system administrator will also be able to ‘unlink’ the user’s aXcelerate account from their Global Account and send a new invitation.
What about password resets?
Administrators will no longer be able to set or reset passwords for users. Administrators will only have the option to ‘unlink’ an account and send a new invitation to the user to create their Global Account.
Are there any changes to user permissions?
No. Our user permissions functionality will remain exactly the same.
Can I still deactivate and delete user accounts?
Yes. User deactivations and deletions will still work the same as they currently do
Which aXcelerate portals will be impacted by this change?
All aXcelerate portals (Admin, Learner, Agent, Client) will use the new login experience.
How does the WordPress functionality of ‘Validate on Create’ work with this new system?
This process is unchanged and will work exactly the same as it currently does.
Can I activate Multi-Factor Authentication (MFA) on my account?
MFA can only be activated if you have created your Global Account with an email address or mobile phone number. If you selected Google, Facebook or Apple, those providers will have an MFA solution for you.
What information is aXcelerate taking from Facebook, Google and Apple accounts?
Privacy and information security is paramount with everything we do at aXcelerate. If a user selects to connect their account with Google, Facebook or Apple, we only use very basic details (name and email) for connection only purposes.
How secure are these changes? Has the New Login Experience been penetration tested?
All aXcelerate changes are tested by our quality assurance testing through a combination of automated and manual testing. aXcelerate also undertakes annual penetration testing through the services of an independent third party. Our 2021 penetration test encompassed the changes relating to the new login experience in our testing environment.
What are the implications for clients who are currently using external identity providers and SSO with aXcelerate?
Clients using External SSO providers will have to make minor changes to their configuration. In order to have all users within the same environment, and allow additional login options for students and other users, a new URL and ID must be added to the IDP configuration. aXcelerate will handle the migration of the metadata / other configuration on our side.
When signing in again, it will work like the first time someone was provisioned, and connect the new Global Account to the current user. This is because the IDP is providing the same information against the new SSO mechanism.
How can I modify the design of the User Invite / Login Creation Link template?
You can change the design of the User Invite template by modifying the ‘New Login Experience Invitation’ template. If you would like to create your own template, ensure you use the [User Login Access Link] template field and update the appropriate Default System Template.