Authentication Modes

  • Updated on May 5, 2026
  • Published on Mar 10, 2026
  • 3 minute(s) read
Prev Next

Overview

Authentication modes define the way your Sanas App users validate their access before they start using their Sanas App.

This guide explains the various available application authentication modes and helps you understand the best option for your organization.

Key concepts

Application Authentication Mode

App Authentication modes are the methods available for the Sanas App users to validate their access. App users can find one or more modes available on their Sanas App login page based on the configuration done by their admin.

Configuration type

Configure the authentication mode independently at a Group level. Or, configure common authentication mode across all groups by configuring it at the Account level. If required, use the Lock Configuration feature to enforce the common authentication mode for all groups.

Authentication Modes

Mode

Best For

User Action

Prerequisites

Unique Activation Key (UAK)

Secure, credential-based access

Enter the Account ID and User ID.

The user must be added to the Portal to grant them access.

Auto-Activation

Zero-friction deployment

None—app activates automatically upon launch.

  • The user’s computer must be connected to the organization’s domain.

  • Installer ID must be updated during the Sanas app installation.

Email-Passcode

Users having access to the organization’s domain email addresses (work emails)

Enter the one-time email code received on their work email.

The user must be added to the Portal with their work email.

Single Sign-On (SSO)

Organizations with an existing IdP

Authenticates via integrated IdP.

  • IdP must be integrated with Sanas.  

  • Users must exist on the IdP.

Recommendation: UAK suits most organizations—it provides secure access without requiring an IdP, domain-joined machines, or email infrastructure.

Unique Activation Key (UAK)

UAK uses two identifiers: a User ID (assigned when adding a user in the Portal) and an Account ID (auto-generated, displayed at the top of the group tree). The app validates both before granting access.

Requirements:

  • The users must be added to the Portal in their appropriate groups.

  • The Admin must share the User ID and Account ID with the intended users to enable them.

Auto-activation

Auto-Activation is a credential-less authentication mode that eliminates manual sign-in for app users and saves admin time during onboarding. Users don't need to be added to the Portal in advance; users get automatically added to the Default Group upon their first app activation. Admins can move them to appropriate groups later if needed.

Requirements:

  • The user's computer must be joined to the organization's domain before launching the app.

  • The Installer ID must be set for all users during the Sanas app installation. See the Update Installer ID guide for detailed instructions.

Ideal for: Contact centers with shared workstations or organizations that want zero-friction activation without pre-provisioning users.

Email-Passcode

A one-time verification code is sent to the user's registered work email. The user enters the code in the app to authenticate.

Requirement:

Note: Only work email addresses are supported. Personal emails (gmail, yahoo, etc.) cannot be used.

Single Sign-On (SSO)

Users authenticate via your organization's identity provider (IdP) from the Sanas app sign-in page. Supports SAML 2.0.

If you require MFA, enforce it at the IdP level.

Requirements:

  • The admin must integrate the IdP provider on the Sanas Portal (SAML certificate configuration).

  • The user must be added to the Portal and should also exist on IdP to complete the authentication.

Switching between authentication modes

Switching authentication modes requires migration due to fundamental differences in how each mode works:

Recommended approach:

  1. Create a new group with the desired authentication mode.

  2. Add existing users to the new group (use Bulk Add for efficiency).

    Important: Moving users to the new groups is incorrect to ensure all the necessary authentication details are correctly mapped.

  3. Deactivate users and the old group to complete the migration.

Configuration

To configure the authentication mode:

Required permissions: Group Settings (Full Access) for group-level, or Account Settings (Full Access) for account-level configuration.

  1. In the Portal, select Account (for account-wide) or a specific group.

  2. Go to Settings > Configuration.

  3. Under Platform Authentication, click Application Authentication.

  4. Choose your desired authentication mode.
    Settings page showing application authentication options for user login methods.

  5. Optionally, enable Lock Configuration to prevent subgroup overrides.

  6. Click Save.

The new mode takes effect when users next launch the app. Active sessions are not interrupted.

FAQ

Can different groups use different modes?

Yes, unless the parent group or account-level configuration is locked.

What if a user is removed from the IdP but still exists in the Portal?

The user won’t be able to authenticate via SSO anymore. Remove them from both systems to fully offboard.

Support

Need help? Get in touch with our Support Team for assistance.