Migrating existing users to SSO

Configuring SSO with Microsoft Entra ID, Google Workspace, or Okta does not automatically migrate existing accounts from your organization to use this connection.

Migrating existing users to a new means of logging in requires careful planning and communication. Many users are (rightly) suspicious of sudden changes to login procedures, and may disregard email notifications from ActivityInfo as phishing emails.

Allow-listing emails from ActivityInfo.org

As part of the migration process, the ActivityInfo system will automatically notify users about the change by email. Users, or spam filters, can mistake these emails for phishing emails.

In the worst case, a phishing report by a user can trigger an organization-wide block of email coming from activityinfo.org, preventing database invitations or other critical messages from reaching users. We purposely do not include any links in these notification emails, but it remains a risk.

For this reason, we recommend adding activityinfo.org and specifically notifications@activityinfo.org to your organization’s email allow list. All legitimate email sent by activityinfo.org is authenticated with DKIM and SPF. Any emails from activityinfo.org failing either DKIM or SPF should be rejected.
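
The rule above, as an added example that is not ActivityInfo's own code: a Python check that reads the Authentication-Results header stamped by your own mail gateway and rejects mail claiming activityinfo.org unless both SPF and DKIM passed. The authserv-id `mx.example.org` and the sample messages are constructed assumptions, and the check does not verify which domain signed the message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

SENDER_DOMAIN = "activityinfo.org"   # sender domain named on this page
TRUSTED_AUTHSERV = "mx.example.org"  # assumption: authserv-id of your own gateway

def auth_results(msg, authserv_id):
    """Return {'spf': result, 'dkim': result} as stamped by our own gateway."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        server, _, body = header.partition(";")
        # Headers stamped by any other host may be forged by the sender.
        if (server.split() or [""])[0].lower() != authserv_id:
            continue
        for method, result in re.findall(r"(?:^|;)\s*(spf|dkim)\s*=\s*(\w+)", body, re.I):
            # A message can carry several DKIM signatures; one pass is enough.
            if results.get(method.lower()) != "pass":
                results[method.lower()] = result.lower()
    return results

def verdict(raw_message, authserv_id=TRUSTED_AUTHSERV):
    """'allow' or 'reject' for mail claiming activityinfo.org, else 'not-activityinfo'."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain != SENDER_DOMAIN and not domain.endswith("." + SENDER_DOMAIN):
        return "not-activityinfo"
    results = auth_results(msg, authserv_id)
    # Failing or missing either check means reject, as the page recommends.
    passed = results.get("spf") == "pass" and results.get("dkim") == "pass"
    return "allow" if passed else "reject"

def sample(from_addr, *ar_headers):
    """Build a constructed test message (not real ActivityInfo mail)."""
    head = [f"Authentication-Results: {h}" for h in ar_headers]
    return "\n".join(head + [f"From: {from_addr}", "Subject: test", "", "body"])

if __name__ == "__main__":
    sender = "ActivityInfo <notifications@activityinfo.org>"
    cases = {
        "both pass": sample(sender, "mx.example.org; spf=pass; dkim=pass"),
        "dkim fails": sample(sender, "mx.example.org; spf=pass; dkim=fail"),
        "untrusted header": sample(sender, "mx.untrusted.example; spf=pass; dkim=pass"),
    }
    for name, raw in cases.items():
        print(f"{name}: {verdict(raw)}")
```

In production this decision belongs in the mail gateway's own policy engine; the function only shows the logic an allow-list rule for activityinfo.org should be paired with.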

Communicate ahead of time

We recommend communicating the change to users at least one week in advance. When dealing with 100 or more users from more than one team, consider 2-3 weeks of advance notice with reminder emails. The following is an example:

Dear [Name],

Starting on January 1st, the way you log into ActivityInfo will change.

We are connecting ActivityInfo to our [Google Workspace / Microsoft 365 / Microsoft Entra] directory. With this change, you will no longer have to use an ActivityInfo password. Instead, you will be redirected to our own login page, where you will need to log in with your work account.

If you are already logged into your work account, you may not be prompted for a password at all.

This will make connecting to ActivityInfo both easier and more secure.

If you are using your password to connect to ActivityInfo’s API, for example with Power BI, you will need to generate a personal API token instead. You can find instructions here:

https://www.activityinfo.org/support/docs/user-account/personal-api-tokens.html

Please reply to this email if you have any questions.

Sincerely,

[Your name]
IT Department

Migrating existing users

Email domain management is only accessible to organizations with a centralized contract with ActivityInfo. If your organization does not have a direct contract with ActivityInfo, please contact support@activityinfo.org to ask that the ActivityInfo team complete this step on your behalf.

From your profile menu, select “Billing account.”

If you do not see the “Billing account” menu item, then you do not have permission to manage your organization’s billing account. Contact the account owner within your organization.

From the billing account page, click “Email domains” in the left-hand pane. If there are no email domains listed, then the domain policy has not yet been configured and you still need to contact support@activityinfo.org, as all domain policies must be approved by the ActivityInfo team.

Select the domain from the list by clicking on it. Your organization may have several domains, perhaps domains for different countries or branches of your organization. You will need to repeat these steps for each domain.

On the right-hand side panel, you will see a few key details about this email domain:

  • Identity provider: Which system provides identity authentication for users with this email domain. Either Active Directory (now called Microsoft Entra ID), Google Workspace, or Okta, or “Password based” if there is no identity provider associated with this email domain.
  • Total user account: The total number of user accounts on ActivityInfo.org with this email domain. This includes user accounts which may no longer have access to any databases.
  • IdP Policy Violation Count: The number of user accounts with this email domain that are not linked to the identity provider.

If there are any user accounts in violation of the Identity Provider (IdP) Policy, then there will be a button visible labeled “Migrate existing users to SSO”.

Click “Migrate existing users to SSO.” This will kick off a background job to migrate users who are still on password-based login to the selected Identity Provider.

Notification

Users who have logged in within the last 60 days will receive a notification, in their preferred language, from the system during the migration process:
