
Mail Auth (Email Link Authentication)

Mail Auth is a passwordless authentication method that allows users to verify their identity using secure links sent to their email addresses. It operates in two modes: User Approval and Manager Approval.

What Is Mail Auth?

Mail Auth profiles allow users to authenticate securely without a password by clicking a one-time link sent to their email. This method is both user-friendly and secure.

SP Manual Login Form

Mail Auth Authentication Method

Profile Types

1. User Approval

Allows the user to log in directly by clicking the verification link sent to their own email.

Purpose:

  • Passwordless login experience
  • Fast and easy authentication
  • Eliminates issues with forgotten passwords

Recipient: The user
Required Action: User clicks the verification link
User Access: Granted immediately upon clicking the link


2. Manager Approval

Requires the user’s manager to approve the login request via an emailed link.

Purpose:

  • Additional security layer for sensitive access
  • Manager-level oversight
  • Compliance with corporate policies

Recipient: User’s manager
Required Action: Manager clicks the approval link
User Access: Granted after manager approval


Profiles

Email approval profiles define how the email authentication process will operate.

Profile Configuration Fields

  • Profile Name: Identifier for the profile
  • Type: User Approval or Manager Approval
  • Server: SecTrail MFA server URL used in verification links
  • Message: The email body sent to the recipient
  • Link Expiration Time: Validity duration of the link (in minutes)
  • Mail Servers: SMTP servers to send emails
  • Email Subject: Subject line of the email
  • Failed Login Notification: Option to notify manager of failed attempts
  • Fallback Auth Profiles: LDAP/Local profiles used to retrieve user identity

Email Prerequisites

For LDAP Users:

  • The mail attribute must be configured
  • Example: The mail attribute must contain the user’s email address

For Local Users:

  • Email address must be defined in the user record

For Manager Approval:

  • LDAP must contain the manager attribute
  • For local users, sponsor email must be defined

Incorrect email configuration will prevent users from receiving verification links.


Type Comparison

Feature          | User Approval        | Manager Approval
-----------------|----------------------|------------------------------------
Purpose          | Passwordless login   | Access requiring manager validation
Link Recipient   | User                 | Manager
Required Action  | User clicks the link | Manager approves the request
User Access      | Immediate upon click | After manager approval
Link Validity    | Yes (time-based)     | Yes (time-based)
Use Case         | Daily login          | Sensitive system access

Authentication Flows

User Approval Flow

  1. User initiates login
  2. System sends verification link to user
  3. User checks email and clicks the link
  4. User is granted access

Manager Approval Flow

  1. User initiates login
  2. System sends approval link to user’s manager
  3. User sees “Waiting for manager approval”
  4. Manager checks email
  5. Manager approves or denies the request
  6. If approved, user is granted access

Note

Approval time may vary depending on the manager’s email response.


Policies

Email approval policies determine which users authenticate with which profile.

Policy Configuration Fields

  • Email Auth Profile: Email approval profile to use
  • Authentication Profile: LDAP/Local profile used to fetch user attributes
    • Must be included in the approval profile’s fallback profiles
  • Attribute: User attribute to match (e.g., memberOf, department, mail, username, group_name)
  • Attribute Values: Allowed values
    • Can be selected from dropdown
    • Wildcards (*) and regex supported

Policy Behavior

Important

  • No Policy: All users use the default profile
  • With Policy: Only matching users are authenticated using that profile
  • Order: Policies are evaluated top to bottom; first match applies

Example

You can authenticate IT department users with User Approval and executives with Manager Approval.
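The following Python is an added example, not SecTrail's own code, that models the policy behavior described above: policies are evaluated top to bottom, the first match selects the email approval profile, and a user matching no policy falls through to the default profile. Attribute values may be literals, wildcard patterns (*) or regular expressions. The `re:` prefix used to mark a regex, the profile names and the sample users are assumptions constructed for this illustration; the page does not say how wildcard and regex values are told apart in the product.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MailAuthPolicy:
    """One policy row (constructed model): users whose attribute matches get this profile."""
    name: str
    profile: str        # Email approval profile to use (hypothetical names below)
    attribute: str      # user attribute to match, e.g. department, memberOf, mail, username
    values: List[str]   # allowed values: literal, wildcard (*) or "re:<regex>" (assumed prefix)


def value_matches(pattern: str, value: str) -> bool:
    """Match one attribute value against one policy value."""
    # Assumption: a "re:" prefix marks a full-string regular expression;
    # everything else is a literal or shell-style wildcard pattern.
    if pattern.startswith("re:"):
        return re.fullmatch(pattern[3:], value) is not None
    return fnmatch.fnmatchcase(value, pattern)


def select_profile(user: Dict[str, object], policies: List[MailAuthPolicy],
                   default_profile: str) -> str:
    """Evaluate policies top to bottom; first match applies; no match -> default profile."""
    for policy in policies:
        attr = user.get(policy.attribute, [])
        values = [attr] if isinstance(attr, str) else list(attr)   # multi-valued (memberOf) or single
        for pattern in policy.values:
            if any(value_matches(pattern, v) for v in values):
                return policy.profile
    return default_profile


# Constructed sample policies, in evaluation order. Executives are listed first so that an
# executive who also sits in IT gets Manager Approval rather than User Approval.
SAMPLE_POLICIES = [
    MailAuthPolicy("Executives", "Executive-ManagerApproval", "memberOf",
                   ["CN=Executives,*"]),                       # wildcard on the group DN
    MailAuthPolicy("IT staff", "IT-UserApproval", "department",
                   ["IT", "re:IT-.*"]),                         # literal plus regex
]

# Constructed sample users (not real directory data).
IT_USER = {"username": "alice", "department": "IT-Operations",
           "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=invalid"]}
EXEC_USER = {"username": "bob", "department": "IT",
             "memberOf": ["CN=Executives,OU=Groups,DC=example,DC=invalid"]}
SALES_USER = {"username": "carol", "department": "Sales", "memberOf": []}


if __name__ == "__main__":
    for user in (IT_USER, EXEC_USER, SALES_USER):
        print(user["username"], "->", select_profile(user, SAMPLE_POLICIES, "Default-UserApproval"))
```

Because the first matching policy wins, the order of the rows is itself part of the security configuration: reversing the two sample policies would send the executive through User Approval. Review policy order whenever a new row is added above an existing one.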


Common Use Cases

Scenario 1: Passwordless Login

Type: User Approval

Used when simplifying user experience and reducing password-related issues.


Scenario 2: Controlled Access

Type: Manager Approval

Used for sensitive resources and privileged accounts.


Scenario 3: Hybrid Workflow

Type: Mixed

Different groups use different approval methods based on risk level.


Quick Setup Steps

  1. Configure SMTP mail servers
  2. Prepare LDAP/Local fallback profiles
  3. Create Email Approval Profile (select user/manager type)
  4. Set link expiration time (e.g., 15 minutes)
  5. Verify email attributes on LDAP/Local users
  6. Create policies (optional)
  7. Add profile to the application profile

Important

Very short expiration times may prevent users from completing authentication in time.
Recommended: 15–30 minutes.


Advantages

  • Passwordless authentication
  • Secure one-time, time-limited links
  • Flexible approval options
  • User-friendly
  • Audit logging for all events

Technical Details

  • Link Format: Cryptographically secure, one-time token
  • Security: HTTPS encrypted transactions
  • Validity: Time-based expiration
  • Usage: Tokens are single-use
  • Mail Protocol: SMTP with TLS/SSL
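As an added example that is not SecTrail's code, the Python below models the link properties listed under Technical Details and the two Authentication Flows above: a token generated from a CSPRNG, a time-based expiry, single use, and a pending state the user sees while a manager has not yet responded. Only a hash of the token is stored server side, so a copy of the request table does not yield usable links; the raw token exists only in the email. The URL path `/mailauth/verify`, the query parameter names, the status strings, the server name and the sample users are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass
class LoginRequest:
    """Server-side record for one emailed link (constructed model, not SecTrail's schema)."""
    username: str
    mode: str                       # "user" (User Approval) or "manager" (Manager Approval)
    recipient: str                  # address the link was sent to: the user or their manager
    token_hash: str                 # SHA-256 of the token; the raw token lives only in the email
    expires_at: float               # Unix time after which the link is rejected
    used: bool = False              # single-use: set on the first successful verification
    approved: Optional[bool] = None
    failed_attempts: int = 0        # input for a "Failed Login Notification" to the manager


class MailLinkService:
    """Issues and verifies one-time, time-limited email links."""

    def __init__(self, server_url: str, expiry_minutes: int = 15, clock=time.time):
        self.server_url = server_url.rstrip("/")   # the profile's Server field (assumed shape)
        self.expiry_seconds = expiry_minutes * 60  # the profile's Link Expiration Time
        self.clock = clock                         # injectable so expiry can be tested deterministically
        self.requests: Dict[str, LoginRequest] = {}

    def issue(self, username: str, recipient: str, mode: str) -> Tuple[str, str]:
        """Create a request and return (request_id, link); the link goes into the email body."""
        if mode not in ("user", "manager"):
            raise ValueError("mode must be 'user' or 'manager'")
        request_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)          # CSPRNG, 256 bits of entropy
        self.requests[request_id] = LoginRequest(
            username=username, mode=mode, recipient=recipient,
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            expires_at=self.clock() + self.expiry_seconds,
        )
        query = urlencode({"id": request_id, "token": token})
        return request_id, f"{self.server_url}/mailauth/verify?{query}"

    def verify(self, request_id: str, token: str, decision: str = "approve") -> str:
        """Handle a click on the link; returns unknown, already-used, expired, invalid, approved or denied."""
        req = self.requests.get(request_id)
        if req is None:
            return "unknown"
        if req.used:
            return "already-used"                  # a consumed link cannot be replayed
        if self.clock() > req.expires_at:
            return "expired"                       # time-based validity
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, req.token_hash):   # constant-time comparison
            req.failed_attempts += 1
            return "invalid"
        req.used = True
        req.approved = (decision == "approve")     # a manager may approve or deny
        return "approved" if req.approved else "denied"

    def status(self, request_id: str) -> str:
        """What the waiting user sees: pending, approved, denied or expired."""
        req = self.requests[request_id]
        if req.used:
            return "approved" if req.approved else "denied"
        if self.clock() > req.expires_at:
            return "expired"
        return "pending"                           # "Waiting for manager approval"


def parse_link(link: str) -> Tuple[str, str]:
    """Split a verification link back into (request_id, token), as the verify endpoint would."""
    params = parse_qs(urlparse(link).query)
    return params["id"][0], params["token"][0]


if __name__ == "__main__":
    svc = MailLinkService("https://mfa.example.invalid", expiry_minutes=15)
    rid, link = svc.issue("alice", "alice@example.invalid", "user")
    print("link sent:", link)
    print("first click:", svc.verify(rid, parse_link(link)[1]))
    print("second click:", svc.verify(rid, parse_link(link)[1]))
```

The expiry window is the trade-off the Quick Setup note describes: the clock check above is what rejects a link after the configured minutes, so a window too short for mail delivery and a manager's response turns valid requests into "expired", while a long one widens the time an intercepted link stays usable.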

Considerations

  • Do not set link validity too short or too long
  • Ensure SMTP configuration is correct
  • Verify user email attributes regularly
  • Ensure manager attributes are valid for Manager Approval
  • Ask users to check spam/junk folders
  • Monitor mail server performance