Authentication Documentation for Abacus.AI

• Types of Users in Abacus.AI
      - Platform Admins
      - Chat Admins
      - Chat-Only Users
• Types of Logins in Abacus.AI
      - Login Methods
      - SSO with Username/Password
      - Technical Details
• Controlling Access in Abacus.AI
      - Managing Permissions
      - Platform Permissions
      - External Chat LLM Permissions
      - Domain Signup
• Managing Multiple Organizations
      - Multi-Org Management
      - User Roles Across Orgs
• Troubleshooting and FAQ for Authentication
      - Using Both SSO and Passwords
      - Restricting Login Methods

Types of Users in Abacus.AI

Abacus.AI supports three types of users, each with specific roles and permissions:

• Platform Admins:

  Have full administrative access to the Abacus.AI platform and external chat functionalities.

• Chat Admins (Platform Users):

  Have administrative privileges over the external chat functionalities and can view the Abacus.AI platform. They do not have full platform permissions but are platform users by default.

• Chat-Only Users:

  Have the lowest level of permissions and are restricted to interacting only with the Abacus.AI Chat LLM. The domain for external chat users is of the type <tenant>.abacus.ai/chatllm.

A user's role and permissions are defined within the context of a specific organization. See Managing Multiple Organizations for more details.

Types of Logins in Abacus.AI

Abacus.AI supports multiple login methods to accommodate various organizational needs:

Login Methods

1. Username + Password
2. Single Sign-On (SSO)
       - Google (Enterprise and Self-Service)
       - Microsoft (Enterprise and Self-Service)
       - Okta (Enterprise Only)
       - GitHub (Enterprise Only)
       - Apple (Self-Service Only for ChatLLM)

Setting Up SSO and Username/Password

• Users can set up both SSO and username/password logins.
• Platform Admins can restrict login methods to enforce security policies.

Technical Details

• SSO Protocols:
      Abacus.AI uses OpenID Connect (OIDC) for Okta and Microsoft.

• Setup Guides:
      - Okta Setup
      - Microsoft Entra ID Setup

Controlling Access in Abacus.AI

Platform Admins have the ability to manage permissions both on the platform and within the external chat LLM.

Managing Permissions

Platform Permissions:

• Platform Admins can manage user roles and permissions within the Abacus.AI platform.

External Chat LLM Permissions:

• Groups and Bots: External Admins can create and manage groups and bots, assigning specific permissions to each.
• Active Directory Integration: Permissions can be controlled using Microsoft Active Directory (AD).

Domain Signup

Platform Admins can enable domain signup, allowing anyone within the organization to sign up using their company email.

Managing Multiple Organizations

Abacus.AI allows Platform Admins to manage multiple organizations and assign roles across them.

Multi-Org Management

• Platform Admins can manage multiple organizations within Abacus.AI.
• Users can be added to multiple organizations, with specific roles and permissions for each.

User Roles Across Orgs

Roles are scoped to organizations. For example, a user can be a platform user for Organization X and a chat-only user for Organization Y. This means that a user who can access the platform will only see information pertaining to the organizations they have roles in.

Troubleshooting and FAQ for Authentication

Using Both SSO and Passwords

• How can users set up and use both SSO and passwords?
      Users can set up and use both SSO and passwords by default if one of the methods is enabled.

Restricting Login Methods

• How can my team restrict access to the SSO option that we have enabled?
      Please contact the Abacus.AI team at support@abacus.ai and we will set up a time with you to remove alternative login methods as well as disable password login during a time that will be least disruptive to your team.