Overview
Delegated authentication ensures a secure and user-friendly process for third-party applications to access a user's server resources without the need for the user to disclose their login credentials. This method prioritizes security, enhances the overall user experience, and provides effective authorization control, particularly in the context of third-party email integrations. Aligned with industry best practices and compliance standards, it offers a scalable and easily maintainable solution for developers and users alike.
Sections of this Article
- How does it work?
- Admins
- Outlook
- Granting admin consent for Bigtincan Cloud Connect for Outlook
- Gmail
- Granting admin consent for Bigtincan Cloud Connect for Gmail
- Users
How does it work?
When a user integrates their email account using Delegated Authentication, all outgoing emails initiated from their Content Hub account will be routed through your company's email provider and sent from the user's email address. These outgoing messages will appear in the user's sent mailbox, and recipients will see the user’s email address as the ‘From’ address.
Bigtincan Content Hub supports Delegated Authentication for Gmail and Microsoft Outlook email providers.
Admins
Delegated Authentication for Email introduces a new configuration bundle setting titled ‘Delegated Email’ under the “Integrations” section with support for Gmail and Microsoft Outlook email providers. When the ‘Delegated Email’ setting is enabled the admin will need to select one or both of the providers for users to have access.
- Enable the ‘Delegated Email’ configuration bundle setting
- Select at least one provider
Outlook
Bigtincan Cloud Connect for Outlook requests the following permissions that your organization must consent to before using the integration.
- Send mail as a user: Allows the app to send mail as users in the organization. This is a permission requested to access your data in Bigtincan.
- Maintain access to data you have given it access to: Allows the app to see and update the data you gave it access to, even when users are not currently using the app. This does not give the app any additional permissions. This is a permission requested to access your data in Bigtincan.
- Sign in and read user profile: Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users. This is a permission requested to access your data in Bigtincan.
Before launching Delegated Authentication for your users it is important to check how your Enterprise Application “Consent and permissions” settings are configured. Microsoft Entra offers three different tiers of consent permissions.
- Do not allow user consent: This is the most restrictive permission set available in Entra. If your organization has this setting enabled, your Entra Administrator will be required to accept permissions for the Bigtincan Cloud Connect for Outlook application before your users can authenticate their accounts.
- Allow user consent for apps from verified publishers, for selected permissions: This permission set allows your Entra administrators to determine which API permissions are classified as ‘low impact’. If the permissions requested above are classified as low impact, an Admin will not need to accept the permissions before users can authenticate their accounts.
- Allow user consent for apps: This permission set allows users within your organization to consent to the permissions requested by the integration and no Admin actions are required.
Granting admin consent for Bigtincan Cloud Connect for Outlook
There are several methods for granting admin consent through the Entra admin console and through the Bigtincan Web App if your admin has a Bigtincan account. However, the integration must be initiated by a user within the Bigtincan platform before your Entra administrator will be able to grant consent.
If consent requests are not enabled, a Bigtincan user with administrative permissions in Entra must initiate the permission consent process from the Bigtincan email settings page. Once a user with admin permissions in Entra consents to the Bigtincan integration permissions through the Bigtincan-initiated workflow, any user will be able to complete the delegated authentication process from the Bigtincan email settings page.
Granting admin consent through the Bigtincan application:
- Log in to your Bigtincan account - ensure Delegated email for Outlook is enabled in your users' configuration bundle
- From the User Profile menu (top right corner) select ‘Settings’
- Select ‘Email’ from the menu options
- Click ‘Connect’ next to the Outlook option
- If you do not see Email or Outlook go back to #1 and enable those features in your configuration bundle
- A new window will open asking you to log in to your Microsoft admin account; complete the login process
- Accept the permissions requested
- You’ve now successfully granted admin consent, and users will be able to authenticate using their Outlook credentials
If consent requests are enabled, any Bigtincan user with an Outlook account can request access to the Bigtincan Outlook integration. Administrators in Entra can then view permission requests and accept permissions on behalf of the organization. Users can subsequently complete the delegated authentication workflow from the Bigtincan email settings page.
Granting admin consent through the Entra admin console:
- Access ‘Enterprise applications’ in the left-hand menu
- Find “Bigtincan Cloud Connect for Outlook” in the applications list, open the application overview page by clicking on the title
- Select ‘Permissions’ in the Security section
- Click “Grant admin consent for Bigtincan”
- A new window will open asking you to log in to your Microsoft admin account; complete the login process
- Accept the permissions requested
- You’ve now successfully granted admin consent, and users will be able to authenticate using their Outlook credentials
If users are permitted to consent on behalf of the organization, any user in Bigtincan with an Outlook account can complete the delegated authentication workflow from the Bigtincan email settings page.
Microsoft Documentation: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-user-consent?pivots=portal
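As an added check that is not part of Bigtincan's or Microsoft's documentation, the following Microsoft Graph PowerShell script reads which of the three consent tiers described above the tenant is on, then lists the consent grants recorded for the Outlook app and warns if any granted scope goes beyond the three permissions listed in this article. It assumes the Microsoft.Graph PowerShell SDK is installed, and the mapping of the three consent-screen entries to the Graph scope names Mail.Send, offline_access and User.Read is the standard one, not something the article states.

```powershell
# Added example (not Bigtincan's or Microsoft's own tooling).
# Requires the Microsoft.Graph PowerShell SDK and a reader able to consent to
# Directory.Read.All and Policy.Read.All.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.Read.All" -NoWelcome

# 1. Which user-consent tier is the tenant on? The tier is encoded in the
#    permission-grant policies assigned to the default user role.
$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = $policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $assigned) {
    $tier = "Do not allow user consent"
} elseif ($assigned -like "*microsoft-user-default-legacy") {
    $tier = "Allow user consent for apps"
} elseif ($assigned -like "*microsoft-user-default-low") {
    $tier = "Allow user consent for apps from verified publishers, for selected permissions"
} else {
    $tier = "Custom consent policy: $($assigned -join ', ')"
}
Write-Host "Tenant user-consent tier: $tier"

# 2. Consent grants for the Outlook app. The service principal only exists once
#    a Bigtincan user has initiated the connection, as the article notes.
$appName = "Bigtincan Cloud Connect for Outlook"
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'" | Select-Object -First 1
if (-not $sp) {
    Write-Host "No service principal named '$appName' yet; a user must initiate the integration first."
    return
}

# Standard Graph scope names behind the three consent-screen entries listed above
# (assumed mapping: Send mail as a user / Maintain access / Sign in and read profile).
$expected = @("Mail.Send", "offline_access", "User.Read")
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
if (-not $grants) { Write-Host "No consent recorded yet for '$appName'." }

foreach ($g in $grants) {
    $scopes = ($g.Scope ?? "").Trim() -split '\s+' | Where-Object { $_ }
    $extra  = $scopes | Where-Object { $_ -notin $expected }
    # AllPrincipals = tenant-wide admin consent; Principal = one user's own consent.
    $who = if ($g.ConsentType -eq "AllPrincipals") { "tenant-wide (admin consent)" }
           else { "single user $($g.PrincipalId)" }
    Write-Host "$who : $($scopes -join ' ')"
    if ($extra) { Write-Warning "Granted scopes beyond those listed in this article: $($extra -join ' ')" }
}
```

Run it before and after granting admin consent: a tenant-wide entry with exactly the three expected scopes is the end state the Entra console steps above produce.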
Gmail
Bigtincan Cloud Connect for Gmail requests the following permissions that your organization must consent to before using the integration.
- Send email on your behalf: Send email that appears to have been sent by you (i.e., from your email address)
The Bigtincan Cloud Connect for Gmail integration must be initiated by a user within the Bigtincan platform before your Google administrator will be able to grant consent.
Before launching Delegated Authentication for your users it is important to check how your Google Workspace data settings are configured. Google Workspace allows you to manage access to certain apps by blocking those apps, or marking them as trusted or limited. A trusted app has access to all Google Workspace services (OAuth scopes), including restricted services.
In Google Workspace, third-party apps that you haven't configured as trusted, limited, or blocked are considered unconfigured apps. You can control what happens when users try to sign in to unconfigured apps with their Google Account. Those permission options are:
- Allow users to access any third-party apps (default): Users can sign in with Google to any third-party app. Accessed apps can request unrestricted Google data for that user.
- Allow users to access third-party apps that only request basic info needed for Sign in with Google: Users can sign in with Google to third-party apps that request only basic profile information: the user’s Google Account name, email address, and profile picture. For more information, go to Use your Google Account to sign in to other apps or services.
- Don’t allow users to access any third-party apps: Users can't sign in with Google to any third-party apps and websites until you configure those apps and sites with an access setting. For details, go to the previous section, Manage third-party app access to Google services & add apps.
Granting admin consent for Bigtincan Cloud Connect for Gmail
If your organization has any option other than the default enabled you will need to add Bigtincan Cloud Connect for Gmail as a trusted app in Google Workspace before your users can use Delegated Authentication. The Bigtincan Cloud Connect for Gmail integration must be initiated by a user within the Bigtincan platform before your Google administrator will be able to add it as a trusted app.
- In “App access control”, click Manage Third-Party App Access.
- For Configured apps, click Add app.
- Choose OAuth App Name or Client ID (select this option to later allowlist the app from API exemption), Android, or iOS.
- Enter the app's name or client ID and click Search.
- Point to the app and click Select.
- Check the boxes for the client IDs that you want to configure and click Select.
- Select who to configure access for:
  - By default, the top organizational unit is selected. Leave this selected to set access for all users in your organization.
  - To configure access for specific organizational units, click Select org units, then click + to view your organizational units. Check the desired organizational units, then click Select.
  - Click Continue.
- Choose an option:
  - Trusted—App can access all Google services (both restricted and unrestricted). (Optional) To have the selected apps maintain API access to Google Workspace services even when those services have Context-Aware Access policies that apply to API access, select Allowlist for exemption from API access blocks in context-aware access. This option is only selectable for web, Android, or iOS apps added using OAuth client IDs. Selecting this option will not automatically exempt the app from API access blocks. You also need to exempt the app during Context-Aware Access level assignments. This allowlist applies only for the organizational units you specify in step 7.
  - Limited—Can access only unrestricted Google services.
  - Blocked—Can't access any Google service. If you add an app for devices to an allowlist and also block that same app using API controls, the app is blocked. The blocking of the app using API controls overrides the placement on the allowlist.
- Review settings for the new app, then click Finish.
Google Documentation: https://support.google.com/a/topic/10021546?fl=1&sjid=17362905829783541691-NC
Users
Once the ‘Delegated Email’ setting is enabled for users they will have access to connect their company email account with Bigtincan for seamless email functionality. Users can manage their email integration by accessing Settings from their profile.
- Log in to your Bigtincan account
- From the User Profile menu (top right corner) select ‘Settings’
- Select ‘Email’ from the menu options
- Click ‘Connect’ next to the Outlook or Gmail option
- If you do not see Email or your preferred provider (Outlook or Gmail) reach out to your administrator for proper configuration.
- A new window will open asking you to log in to your Microsoft or Google account; complete the login process.
- Accept the permissions requested.