How do we onboard employees to an IT platform and how do we keep them in sync? This is a common question for every corporate IT project. However, if you are about to launch an internal communications app, user management will be one of your key challenges. Why? Because this platform is one of the few that truly targets all employees, and this creates special challenges:

  • Parts of your target audience might not have a company email address and may not be listed in a user repository such as Active Directory
  • Staff turnover among e.g. contractual and seasonal workers is often high and leads to a continuously high number of on- and off-boarding events
  • There is usually no specific user training possible because of cost and scale 
  • Most of our customers also target private devices (BYOD) that are not managed by company IT

To master user management, you need to think about two main questions: 

  • User onboarding: how do users log in - for the first time and afterwards? 
  • User sync: how do we make sure that only active employees have access?

 

1. User Onboarding

After your employees download the app they will have to log in to the protected area of your Staffbase employee app. There are two main reasons for having a protected area: 1) to make sure that internal content stays internal (“this user is our employee”). 2) to be able to identify the user to provide individualized content and services (“this user is John Doe”).

 

[Figure: Decision tree: what's the best user onboarding method for your employee app?]

 

 1A  Corporate email with domain bonding

Your corporate email domains (@acme.com) can be connected with Staffbase (domain bonding). Once they are connected, employees with an email address (john.doe@acme.com) can sign up for the employee app via self-service. Sign-up flow for corporate email: 

 

  1. Employee downloads the employee app.
  2. Chooses the option “I have a company email”
  3. Enters the email address
  4. If the address fits one of the known email domains Staffbase will send a confirmation link to the employee’s inbox.
  5. Employee clicks on the confirmation link.
  6. Employee finishes sign-up by entering a self-chosen password, first name and last name.

Please note: by choosing this authentication option everyone with an email address from your email domain will be able to enter the employee app.

 

 1B  Email invitation

Sending email invitations is the best option if only a selected group of people should be invited to the app or if employees do not have a corporate email but you know their (private) email address. Sign-up flow for email invitation: 

  1. You create users with an email address in Staffbase. This process can be automated (see User management and synchronization)
  2. Employee receives an email with a download link for the app as well as a confirmation link.
  3. Employee downloads the employee app.
  4. Employee clicks the confirmation link in the invitation email or manually enters the confirmation code into the app.
  5. Employee finishes sign-up by entering a self-chosen password, first name and last name.
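The two server-side checks behind the flows in 1A and 1B, as an added Python example (not Staffbase's code): an exact-match test against the bonded domains, and a signed, expiring value for the confirmation link. `BONDED_DOMAINS`, `SERVER_KEY`, `TOKEN_TTL` and the token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

BONDED_DOMAINS = {"acme.com"}         # assumption: domains bonded by the admin
SERVER_KEY = b"constructed-demo-key"  # assumption: per-deployment secret
TOKEN_TTL = 24 * 3600                 # assumption: links expire after 24 hours


def bonded_domain(email):
    """Return the normalized domain if it is bonded, else None (exact match only)."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    # Set membership, not endswith(): "notacme.com" and "acme.com.example.net" fail.
    if not sep or not local or domain not in BONDED_DOMAINS:
        return None
    return domain


def issue_token(email, now=None):
    """Build the value carried in the confirmation link: email|expiry|MAC."""
    expiry = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"{email.strip().lower()}|{expiry}".encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + mac).decode()


def verify_token(token, now=None):
    """Return the confirmed email, or None if forged, expired or malformed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        email, expiry, mac = raw.rsplit(b"|", 2)
        expires_at = int(expiry)
    except ValueError:  # bad base64, missing fields or non-numeric expiry
        return None
    expected = hmac.new(SERVER_KEY, email + b"|" + expiry, hashlib.sha256)
    if not hmac.compare_digest(mac, expected.hexdigest().encode()):
        return None
    if (now if now is not None else time.time()) > expires_at:
        return None
    return email.decode()
```

The token here is not single-use; a real deployment would also record that a link has been redeemed.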

 

 1C  One-time Access codes

If you do not know the email addresses of your employees, one-time access codes are the easiest option to get them on board. Staffbase generates access codes for each user individually, which allows you to clearly identify users later on. The codes are valid for one sign-up only. During the sign-up process users are asked for a (private) email address and a personal password to create the account. Sign-up flow for one-time access codes:

  1. You create access codes in Staffbase and optionally attach information like name and department to them. This process can be automated (see User management and synchronization)
  2. Staffbase supports you with printing the access codes or exporting them via CSV. Usually we see access codes being given out by local managers (e.g. store managers, construction site managers) to their teams. Others print the access codes onto the monthly payslip.
  3. Employee downloads the internal communications app.
  4. Employee chooses “I have an access code” as authentication option and enters the code.
  5. Employee finishes sign-up by entering a (private) email address, self-chosen password, first name and last name.

 

 1D  Permanent access codes

If you do not know the email addresses of your employees and also do not want them to enter a private email address during sign-up, permanent access codes are the way to go. Staffbase generates access codes for each user individually, which allows you to clearly identify users later on. The codes are valid for an unlimited time and for an unlimited number of logins. Staffbase does not know an email address for employees, so there is no option to reset the code. Due to the limited security level of this approach it is recommended for non-critical content only (e.g. digital employee newsletter). Combined with IT support from your side it is possible to increase the security level by establishing regular access code changes as well as access code reset processes. Sign-up flow for permanent access codes:

  1. You create access codes in Staffbase and optionally attach information like name and department to them. This process can be automated (see User management and synchronization)
  2. Staffbase supports you with printing the access codes or exporting them via CSV. Usually we see access codes being given out by local managers (e.g. store managers, construction site managers) to their teams. Others print the access codes onto the monthly payslip.
  3. Employee downloads the employee app.
  4. Employee chooses “I have an access code” as authentication option and enters the code.
  5. Employee is logged in.

 

 1E  Custom secrets

In many companies there already exist secrets that can be used to authenticate an employee. They can be used to set up a custom login page for your employee app. Examples include:

  • Combination of employee ID and last name (use this only for non-critical use cases with a low security level like the employee magazine)
  • Custom access code that gets defined by your IT and cannot be guessed (random key with at least 6 characters). This can be printed onto the payslip and can be used for login. Users do not need a private email or a custom password with this method.
  • Same company-wide access code for all employees. This is the lowest security level and does not provide the chance to identify and remove individual users. If you look for the easiest way to have at least some level of protection for your non-critical content (e.g. employee magazine) that might be an option.
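How per-user access codes as described in 1C, 1D and 1E can be generated, stored and redeemed, as an added Python example (not Staffbase's code). The alphabet, the `PEPPER` key, the `CodeStore` class and the default length of 8 are assumptions; `guesses_for_even_odds` shows why the 6-character minimum needs attempt limiting once thousands of codes are outstanding.

```python
import hashlib
import hmac
import math
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I lookalikes
PEPPER = secrets.token_bytes(32)  # assumption: server-side key kept outside the code table


def new_code(length=8):
    """Draw a code from the OS CSPRNG (not the predictable `random` module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def digest(code):
    """Keyed digest stored in place of the code, so the table alone yields no codes."""
    return hmac.new(PEPPER, code.strip().upper().encode(), hashlib.sha256).hexdigest()


class CodeStore:
    def __init__(self):
        self.codes = {}  # digest -> {"user": id, "one_time": bool, "spent": bool}

    def issue(self, user_id, one_time=True, length=8):
        code = new_code(length)
        self.codes[digest(code)] = {"user": user_id, "one_time": one_time, "spent": False}
        return code  # plaintext exists only here, for the print run or CSV export

    def redeem(self, code):
        entry = self.codes.get(digest(code))
        if entry is None or entry["spent"]:
            return None
        entry["spent"] = entry["one_time"]  # permanent codes stay valid until revoked
        return entry["user"]

    def revoke(self, user_id):
        """Off-boarding or a suspected leak: drop every code tied to this user."""
        self.codes = {d: e for d, e in self.codes.items() if e["user"] != user_id}


def guesses_for_even_odds(length, outstanding):
    """Guesses needed for a 50% chance of hitting any one of the outstanding codes."""
    p = outstanding / len(ALPHABET) ** length
    return math.ceil(math.log(0.5) / math.log1p(-p))
```

With 5,000 outstanding codes, 6 characters give even odds after roughly 150,000 guesses, while 8 characters raise that by a factor of about 1,000; either way the login endpoint needs per-device and per-IP attempt limits.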

 

 1F  Single-Sign On

Single-Sign On means using an authentication method provided by your IT to let users log in with their existing credentials. The user experience in the employee app can be compared to the popular “Login with Facebook” buttons in consumer apps. In your employee app this button says “Login with your Acme Corp. account”. It opens a popup which leads directly to your systems, where users log in. With this method Staffbase never sees your employees' login credentials. It’s also the most convenient option to onboard employees who already have logins to other company systems. Supported scenarios:

  • Use your existing identity provider for the login. Especially Microsoft ADFS is widely used and available in many organizations.
  • Create your own identity provider for the employee app. That makes sense if the process to onboard your employees is highly specific and involves integration with other systems (e.g. your HR system). If many of your employees do not have an email address you can either use our built-in options for this scenario (one-time access codes) or create your own sign-up flow. The main advantages of this method are flexibility and data protection (Staffbase needs only an identifier for each employee; no names or other personal information are required if you handle user management on your side).

Supported standards:

  • OpenID: That’s a widely used authentication standard supported by many user management systems. As OpenID components are also available for many programming languages, it’s the method of choice if you want to develop your own authentication flow for the employee app.
  • SAML 2.0: That’s another widely used standard. The most frequent use case for SAML 2.0 is to use your Microsoft ADFS as an authentication service. This component is available in many companies.

2. User Management

Your user base needs to be updated to reflect your current employee base for two reasons: 1) create, update and remove user accounts of active users to reflect changes in your employee base and especially make sure that former employees cannot access the app anymore. 2) create, update and remove data on all your employees if you use the employee directory in your app (this applies to employees not using the app as well).

 

[Figure: Decision tree: what's the best user management method for your employee app?]

 

 2A  Manual user management

You can add, edit and remove users from within your Staffbase admin area. There is a change log for all user-related activities. As soon as you remove a user from Staffbase they’ll lose access to their app.

 

 2B  User groups

User groups are the best way to target content to specific target groups. While you also can assign individual users to content in Staffbase, using groups for this gives you one single place to manage memberships and the option to re-use the group. There are two different types of groups:

  • Standard groups: People get directly added to or removed from this group. (Example: Group “Berlin office” with members Paul, Petra and Mark)

  • Conditional groups: This group gets created automatically based on users’ attributes (“tags”). Tags can be combined with and operations. Tags can only be created via CSV, AD or REST API (see following chapters). (Example: Group “Germany” including all employees with tag “Berlin”, “Hamburg” or “Chemnitz”.)

 

 2C  CSV synchronization

A CSV file (comma-separated values) can be exported from many systems including HR systems and directories. In Staffbase you can upload the file and match its columns with the available profile fields. You’ll get a preview of the upcoming changes before performing the synchronization.

 

The CSV synchronization expects a full list of all your current users. It will identify who has to be added, removed or updated based on this full list. There’s also the option to automatically trigger the CSV synchronization via our API or via an SFTP transaction.

 

Required fields
  • Unique ID (preferably an employee ID, not an email address as this can be subject to change)
Strongly suggested fields
  • Email address
  • First Name
  • Last Name
Optional fields
  • Department
  • Location
  • Job Title
  • Phone Number
  • Tags
  • Profile image url
  • Custom fields like LinkedIn profile, specific skills, languages, certifications
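The full-list comparison described for CSV synchronization, as an added Python example (not Staffbase's code): it keys on the unique ID, produces the add/update/remove preview, and refuses to apply a run with missing or duplicate IDs or an unusually large removal set, which is what a truncated export looks like. The column names, the sample data and `MAX_REMOVAL_RATIO` are assumptions.

```python
import csv
import io

MAX_REMOVAL_RATIO = 0.25  # assumption: block runs that would remove more than 25% of users

# Constructed sample: users currently in the app, keyed by employee ID.
CURRENT_USERS = {
    "1001": {"email": "a.jones@acme.com", "department": "Sales"},
    "1002": {"email": "b.smith@acme.com", "department": "Store 12"},
    "1003": {"email": "", "department": "Warehouse"},
    "1004": {"email": "d.lee@acme.com", "department": "HR"},
}
# Constructed sample export: 1002 changed email, 1003 left, 1005 joined.
SAMPLE_CSV = """employee_id,email,department
1001,a.jones@acme.com,Sales
1002,b.miller@acme.com,Store 12
1004,d.lee@acme.com,HR
1005,,Warehouse
"""


def plan_sync(current, csv_text, id_column="employee_id"):
    """Diff a full-list CSV export against current users, keyed by unique ID."""
    incoming, errors = {}, []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        uid = (row.get(id_column) or "").strip()
        if not uid:
            errors.append(f"line {line_no}: missing {id_column}")
        elif uid in incoming:
            errors.append(f"line {line_no}: duplicate {id_column} {uid}")
        else:
            incoming[uid] = {k: (v or "").strip() for k, v in row.items() if k and k != id_column}
    kept = incoming.keys() & current.keys()
    plan = {
        "add": sorted(incoming.keys() - current.keys()),
        "remove": sorted(current.keys() - incoming.keys()),  # these users lose access
        "update": sorted(u for u in kept if incoming[u] != current[u]),
        "errors": errors,
    }
    too_many = bool(current) and len(plan["remove"]) > MAX_REMOVAL_RATIO * len(current)
    plan["safe_to_apply"] = not errors and not too_many
    return plan
```

Because the key is the employee ID, the email change for 1002 shows up as an update; keyed on email it would appear as one removal plus one new, unrelated account.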

 

 2D  Active Directory / LDAP

Staffbase provides an LDAP connector that syncs your employee data with your Active Directory or other LDAP directories. The connector uses an encrypted and password-protected access method (LDAPS). To make this work, your Active Directory has to provide an endpoint which is available to the Internet. If your current Active Directory is hosted in-house and not accessible from the outside world you might consider using Microsoft’s Azure AD Connect service to provide the relevant employee data for Staffbase. Required information for the LDAP connector: 

  • Data structure: Unique ID (preferably an employee ID, not an email address as this can be subject to change), Optional: profile data (name, location...), Optional: group memberships
  • LDAP endpoint and authentication details

 

 2E  Custom solutions (REST API)

Staffbase provides a REST-based API. Using the API you can trigger all user-related actions, including create/edit/remove. It provides maximum flexibility for creating custom solutions.

 

 


 

Written by Martin Böhringer

Martin is the CEO and co-founder of Staffbase. He is passionate about helping organizations interact with their employees in a more direct and meaningful way. He is an intranet and communication expert who did multiple years of research in the field (and holds a PhD). After his research career he has been active as an entrepreneur, leading a Forrester "Pioneer Vendor" cloud product before co-founding Staffbase.