Access Management

Currently, the OIDC Identity Provider integration for Entra ID / Azure AD in HelloID only supports authentication based on client secrets. HelloID already supports certificate-based authentication across the Provisioning connectors and Service Automation forms and products. This aligns with Microsoft’s current security recommendations and best practices, where certificate-based authentication is the preferred replacement for client secrets. More and more organizations are now requiring certificate-based authentication as part of their security standards, making secret-based authentication increasingly undesirable. Suggested Improvement - Add support for certificate-based authentication within the OIDC Identity Provider integration for Entra ID / Azure AD, as an alternative to client secret authentication. Benefit - Alignment with Microsoft security best practices. - Support for organizations with stricter security requirements. - Reduced dependency on client secrets. - Improved security and credential management.

Please improve the API for retrieving group memberships/apps/products/categories Instead of single endpoint ( https://docs.helloid.com/hc/en-us/articles/115002981813-GET-Get-specific-group ) that retrieves the group with array properties with this information, it should be split into separate endpoints. GET Group Memberships (User/Groups) GET Group Self Service Products GET Group Self Service Categories GET Group Applications Additionally it should use skip/take pagination

We would like employees to be able to change their passwords, even including a notification that the password needs to be changed soon. Because HelloID cannot do this, we are running quite short on time with the helpdesk, who believed that this package would save us time. We would therefore be very pleased if this could be resolved.

The pages relating to MFA enrollment can be confusing for end users when allowed to choose their preferred mechanism. For example, after enrolling via authenticator app and scanning the presented QR code the original screen is displayed without any feedback about their enrollment being complete leading to users continuously clicking to enroll an authenticator app over and over again. These changes would make it easier for users to understand the expectation: 1.) If I enroll into MFA with an OTP app, I shouldn't be prompted to enroll again with the same mechanism. 2.) The MFA enrollment wizard should be more clear about the user's enrollment for MFA being complete and offer options to either "Add another MFA type" or "Finish" instead of just an ambiguous "Skip" button.

Request: Add the ability to customize the instruction text displayed on the Access Management first-time login screen (the screen shown when a user selects an application they haven’t logged into before). Requirements: Allow administrators to replace or extend the default instruction text (“Enter your details and press...”) with custom text. Support clickable hyperlinks within the custom text (e.g., anchor tags or markdown) to direct users to relevant self-service or request pages. Optionally support basic formatting (line breaks, bold/italic) to improve readability. Use case: Organizations want to guide users who do not yet have access by providing a direct link to request access, for example: + “Don’t have access to this application yet? Click HERE to request access.” This reduces support tickets and improves user experience by offering self-service at the point of need.

I would like the Applications tab to become optional just like the Selfservice tab will be in the next release, since a lot of customers only use the selfservice tab. I know that this will take great effort, but still would really like to see this in the future!

We would like to use a two steps login/registration where users would first enter only their username and validate, with a "remember me" checkbox and a link to account creation form. If the user is known, he's asked for his password before (with a password forgotten link) being redirected to the final service. If he's not, a message is shown explaining that the user doesn't have an account + a link to the registration form. The registration form could be handled by HelloId or be a simple link to a form from another tool

By default, if you forget your HelloID local account password, helloid sends an sms if your phone number is entered, otherwise it sends an email. In some cases the email doesn't arrive (spam) and in other cases the phone number entered isn't a mobile but a landline, so the sms doesn't arrive. Is it possible to offer the user the choice between SMS or Email when both these details are entered in the user's local account?

Would like the ability for the HelloID portal to show the 'Change Password Requirements' similar to how the SSRPM portal shows it.

Currently Notifications are limited to 256 characters. Recommend updating the max message length