Skip to main content
SUBMITTED

Single portal login to access multiple customers

Related products:TimeXtender Data Integration Portal
  • August 15, 2024
  • 3 replies
  • 39 views

richard.ray_ts
Explorer

In our portal we have several customers set up, and each of them require unique email addresses.

This means that we have to ask our IT team to set up aliases for each of the customers, e.g. richard.ray.cust1@…., richard.ray@cust2@… etc

I am suggesting a single email address that can be used across customers whereby you would login as normal and then be presented with a drop down of the customers that you have access to, plus of course the top level “Parent” portal where the customers are created.

3 replies

rory.smith
TimeXtender Xpert
Forum|alt.badge.img+8
  • TimeXtender Xpert
  • August 15, 2024

Hi,

you should usually be able to do something like rory.smith+customer1@domain ,  rory.smith+customer2@domain to manage credentials from a single e-mail address.  While it may also be useful to manage multiple customer setups from one e-mail, that is of course also a potential security issue.


richard.ray_ts
Explorer

Thanks Rory, we’ve been notified of that, but our IT block these as it’s essentially spoofing.

Interested to hear your thoughts on how it would be a security issue if you’re only assigned to the customers that you should have access to? I am not proposing that you can access a customer without being explicitly added as a user under each one.


rory.smith
TimeXtender Xpert
Forum|alt.badge.img+8
  • TimeXtender Xpert
  • August 15, 2024

Hi,

well it produces a single point of failure: one account can reach multiple customers with one credential. I would not want all my customers being affected by a credential leak instead of just one. Otherwise TimeXtender would need to decouple username from UPN / e-mail. I also prefer the current setup where I log in and only see that customer, as opposed to the potential of my customer noticing all the other customers I can log in to if they are looking at my screen.

Subaddressing is described in RFC 5233 and an official part of e-mail (see: https://datatracker.ietf.org/doc/html/rfc5233). There is no spoofing involved as you are not obfuscating origin or destination - I would be interested to know of any security problems associated as it is usually useful in tracking low-effort spam origins and e-mail leak origins. "Security considerations are discussed in [RFC5228]. It is believed that this extension does not introduce any additional security concerns.” is what the RFC itself states. The RFC linked simply states what implementations should do to avoid being exploitable.