Sitrion Authentication

When using the Sitrion authentication mode, users will be authenticated based on their corporate email address and a password that they need to set. With these credentials, they are able to log in on their device and access the apps that are available for the role that they belong to. A user can only belong to one role at any given time. The role defines the applications that the user can access, the names of these applications and the backend systems that will be used by these applications. This way, it is possible to set up a tester role that contains applications that are in testing, for example, an application that targets an SAP test system instead of a production instance. Once the tester group finishes their tests, the same app can be added to a different role and set to target the production system.


Authorization Process

Once the user starts the application on his device for the first time, he will be prompted to provide his company email address. Based on the email’s domain (e.g., a decision will be made to find the appropriate authentication provider. In this case, the secure Sitrion logon site will be shown on the device and it prompts the user for his login credentials (email, password). After the user enters the credentials, the Sitrion logon server creates a security token using the Simple Web Token format. The login page also creates a cookie on the device that contains this token. This token will be passed to the Sitrion tenant of the Azure Access Control service where it will be transformed to a token that can be consumed by the Sitrion ONE services. This token contains information about the user like the name, a user identifier and the role that the user is a member of. This token has a lifetime that can be different from the lifetime of the cookie that has been created earlier.

For example: A user logs on and the Sitrion Logon server writes a cookie that has a lifetime of 20 minutes. The issued token of the Sitrion Azure Access Control Service then provides a new token that has a lifetime of 10 minutes. After 10 minutes of usage, the user’s token will expire. This will redirect the user back to the logon page of the application where the cookie is still valid. This cookie will then be used to issue a new token without prompting the user for his credentials again. After the cookie has expired, a complete logon where the user has to re-enter his credentials will occur.
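The token and cookie lifetimes above can be checked with a small model. This is an added example, not Sitrion's code: it signs and validates a token in the Simple Web Token layout (form-encoded claims with a trailing HMACSHA256 value) and decides between silent re-issue and full logon. The signing key, the claim names (name, userid, role) and the use of SWT for the service token are assumptions; the lifetimes are the ones from the example.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlencode

KEY = b"constructed-demo-signing-key-32b"  # constructed sample key (assumption)
TOKEN_TTL = 10 * 60    # service token lifetime from the example above
COOKIE_TTL = 20 * 60   # logon cookie lifetime from the example above

def _sign(unsigned: str, key: bytes) -> bytes:
    mac = hmac.new(key, unsigned.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac)

def issue_swt(claims: dict, now: int, key: bytes = KEY) -> str:
    """Build an SWT: form-encoded claims, ExpiresOn, then HMACSHA256 last."""
    unsigned = urlencode(dict(claims, ExpiresOn=str(now + TOKEN_TTL)))
    return unsigned + "&HMACSHA256=" + quote(_sign(unsigned, key), safe="")

def validate_swt(token: str, now: int, audience: str, key: bytes = KEY) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    unsigned, sep, sig = token.rpartition("&HMACSHA256=")
    if not sep:
        raise ValueError("missing signature")
    # Verify the signature before trusting any claim; compare in constant time.
    if not hmac.compare_digest(_sign(unsigned, key), unquote(sig).encode("utf-8")):
        raise ValueError("bad signature")
    claims = dict(parse_qsl(unsigned, strict_parsing=True))
    if claims.get("Audience") != audience:
        raise ValueError("wrong audience")
    if int(claims.get("ExpiresOn", "0")) <= now:
        raise ValueError("expired")
    return claims

def next_step(token: str, cookie_expires: int, now: int, audience: str) -> str:
    """Model the flow above: valid token, silent re-issue, or full logon."""
    try:
        validate_swt(token, now, audience)
        return "use-token"
    except ValueError:
        # Token rejected: a still-valid logon cookie allows a new token
        # without a password prompt; otherwise the user logs on again.
        return "reissue-from-cookie" if now < cookie_expires else "full-logon"
```

Because the role travels inside the token, the signature check is what stops a user from editing `role=` on the device; any change to the claims invalidates the HMAC.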

Adding Users to a Company

Using Sitrion Authentication, there are different ways to add users to the platform. A company administrator can add users manually using the management portal or he can do a batch import from a CSV file. Another way to add users is to allow users to sign up themselves using a mobile device. The following will describe these methods in more detail.

Add Users manually
  1. Go to
  2. Login as an administrator.
  3. Click on “Users” in the top navigation bar.
  4. Click on “Create User”.
  5. Fill out the pop-up form and choose a role for the user.
  6. A confirmation email containing a link to enable the account will be sent to the provided email address.
  7. When the user confirms his email address using the link, he will be marked as authenticated in the system and receive an initial password via email.
  8. The user can now log on with the provided password from his device.

Batch import of Users
  1. Go to
  2. Login as an administrator.
  3. Click on “Users” in the top navigation bar.
  4. Click on “Import Users”.
  5. Choose a file on your local machine that conforms to the CSV file format that is shown on the popup.
  6. Click on import to start the import process. (This may take a while, depending on the size of the file.)
  7. Each user in the file will need to follow steps 6 – 8 as described above under “Add users manually” to complete the process.

Sign up Through the Device App

Users will be able to register an account with Sitrion ONE from inside the Sitrion ONE application on their device. They will be provisioned to the company’s tenant based on their email address (e.g. Users that sign up this way are created in the system but will not be able to access the system until they have been approved by a company administrator. All users that sign up this way will automatically be assigned to the default role for their company. The default role can also be set on the user’s tab of the management portal.

You can choose to automatically provision all users that possess a valid email address of your domain.

IMPORTANT: These users will not be able to access any application or receive any workflow that connects to backend systems like SAP without entering their SAP credentials first.


Account Types

Sitrion ONE distinguishes between two different account types: normal users and administrators. Normal users can log on using their device and access their respective applications. They cannot log on to the management portal. Administrator users have the same rights as normal users but they can further log on to the management portal and configure all settings for their company. They are also able to deploy applications via AppBuilder into their company’s cloud tenant.
