Centralized Identification and Access Management (CIAM) User Guide
User Guide
Learn more about the Geotab Centralized Identification and Access Management (CIAM) user management experience across all Geotab platforms. Instead of users having to create accounts and sign in separately to each account, customers are able to access all Geotab platforms as one single user.
December 2024
CIAM overview
Centralized Identification and Access Management (CIAM) is a new update that provides a centralized and consistent user management experience across all Geotab platforms. Instead of users having to create accounts and sign in separately to each account, customers are able to access all Geotab platforms as one single user. This change simplifies user management while creating a more seamless and secure experience for customers.
CIAM includes:
- Secure and seamless access to Geotab applications, services, and resources.
- Simple and streamlined user authentication process.
- Consistent login experience across all Geotab applications.
- Improved efficiencies in user identity management.
Creating a new user
The Administrator must create a new user in MyGeotab.
- In MyGeotab, create a new username by navigating to the MyGeotab main menu, People > Users.
- Click the Add button.
- Add the new users by using the following:
  - Real email address – This ensures a smooth and secure experience across multiple databases.
  - Non-email address – For non-email users, the Admin will still be required to create a password.
- Ensure that the new username adheres to the following validation criteria:
  - Must be between 4 and 60 characters.
  - No spaces between characters.
  - Permitted symbols include: @ ! $ % ^ & * + = - _ ~ (not required).
  - The username cannot be “none”.
- Once the user has been created, no further edits or changes can be made.
  ✱ NOTE: Username edit access is temporarily unavailable and will be reintroduced in 2025.
- The new user receives an email notification with a link to set up their password.
- New users click Set my password in the email to create their password.
  ✱ NOTE: They will have 7 days to create their password before the link expires. If the link expires, the user must reach out to their Administrator, who can resend the email notification.
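Because a username cannot be changed once the user has been created, it helps to check a list of proposed usernames against the validation criteria above before adding them. The following Python pre-check is an added example, not Geotab code: the function names are hypothetical, and it assumes that ASCII letters, digits and "." are accepted (the guide recommends email addresses but does not list these characters) and that "none" and duplicates are compared case-insensitively.

```python
import string

PERMITTED_SYMBOLS = "@!$%^&*+=-_~"  # symbols listed in the guide (optional)
ASSUMED_EXTRA = "."                 # ASSUMPTION: needed for email-style usernames
ALLOWED = set(string.ascii_letters + string.digits
              + PERMITTED_SYMBOLS + ASSUMED_EXTRA)


def username_violations(name):
    """Return a list of rule violations; an empty list means the name passes."""
    problems = []
    if not 4 <= len(name) <= 60:
        problems.append("length must be between 4 and 60 characters")
    if any(ch.isspace() for ch in name):
        problems.append("spaces are not allowed")
    bad = sorted({ch for ch in name if ch not in ALLOWED and not ch.isspace()})
    if bad:
        problems.append("characters not permitted: " + " ".join(bad))
    # ASSUMPTION: the reserved name is rejected regardless of letter case.
    if name.casefold() == "none":
        problems.append('username cannot be "none"')
    return problems


def precheck_batch(names):
    """Map each rejected username to its violations, incl. in-batch duplicates."""
    seen, rejected = set(), {}
    for name in names:
        problems = username_violations(name)
        key = name.casefold()  # ASSUMPTION: uniqueness ignores letter case
        if key in seen:
            problems.append("duplicate of an earlier entry in this batch")
        seen.add(key)
        if problems:
            rejected[name] = problems
    return rejected


# Constructed sample input (not real accounts).
SAMPLE = ["driver01@example.com", "none", "j d", "ab", "yard#terminal",
          "Driver01@example.com", "kiosk_7~east"]

if __name__ == "__main__":
    for name, problems in precheck_batch(SAMPLE).items():
        print(f"{name!r}: {'; '.join(problems)}")
```

The pre-check only covers the criteria stated in this guide; MyGeotab still reports usernames that already exist in the system.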
Tracking statuses of each user
The Administrator can track each user's status in MyGeotab. The statuses are as follows:
- Pending: Waiting for the account user to create their password.
- Expired: The 7-day deadline has been reached. The Administrator will need to resend the email.
- No Status: The password was successfully created.
Linking users to multiple databases
The user will receive an email providing access to the database. To link a user to a database, the user clicks Join to access the database with their current username and password.
Non-real email addresses cannot be used across multiple databases. Since users with non-real email addresses are unable to receive email notifications, they will not be able to link their accounts to multiple databases. If a user has a fake email address and wants to use CIAM to link to multiple databases, they need to switch to a real email address. The only exception is the "Service Account" Authentication Type for applicable users.
Logging into multiple databases
Users with access to multiple databases are required to provide the name of the database they would like to access upon login. Users are not required to identify their username and password when logging into their database, or navigating between databases.
CIAM API updates
- New Authentication Type for API Users: A new Authentication Type, Service Account, is available. API and Integration users will need to update their Authentication Type to “Service Account”. The user interface is not available for API Service Account users.
- Updated Audit Logs: Users only need to authenticate once. After that, the system will create an audit for your initial User Login. The system will seamlessly access other databases without additional login prompts or audit entries. The same applies to User Logout events.
- Account Policy Settings: The User Account Policy settings have been removed. MyAdmin will update their user policy to match MyGeotab for a consistent platform experience.
- Deep Linking as Single Sign On: Customers currently using deep linking as a Single Sign On will not be included in the CIAM rollout at this time.
- Removing Numbers from URLs: Users with a number in their URL (for example, my12.geotab.com) may receive an error on the login page. Remove the number from your URL to mitigate this error.
Frequently Asked Questions
Q: What happens if a current user has a fake email address and wants to use CIAM to link to multiple databases?
A: You cannot use a fake email. The user would have to switch to a real email address to be able to access multiple databases. The only exception to this is "Service Account" Authentication Type for applicable users.
Q: I currently use Deep Linking to access Geotab Applications. How does CIAM impact this?
A: CIAM currently does not support deep link-based authentication, so your database would be excluded from the CIAM rollout. More information will be provided in 2025.
Q: What if my current username does not match the new username validation criteria?
A: You will not be impacted immediately, and the login will still work. However, updating the username is highly recommended.
Q: What happens if the username I want to create already exists?
A: The system will show a message when the username already exists. You will be required to use a different, unique username that is not already in the system.
Q: I am an API user. Should I update my Authentication Type?
A: It is recommended to update your Authentication Type to "Service Account". This aligns with future plans to distinctly identify API-only users and provide them with world-class authentication and authorization flows in 2025 and onwards.
Q: Why can I not see the User Account Policy setting in MyGeotab?
A: You are not able to see the User Account Policy because you are using the default settings provided by the system.
Q: Is Geotab implementing OAuth 2.0?
A: Yes. The new authentication flow is based on the OAuth 2.0 framework currently being released to real users with this migration. Next year, API users will be onboarded.
Q: Will my login experience be significantly impacted when my user is migrated to CIAM?
A: Geotab has tried their best to design the software in a way that users should not notice any significant change when they are migrated.
Q: When the activation is pending, do the Admins have the ability to reach out to specific users and let them know they still have not completed the account set-up?
A: Yes, the admin can reach out directly to the individual users when the activation is pending by reviewing each user's status.
Q: As a MyAdmin User, why is my Authentication Type converted to Basic Authentication?
A: Previously, MyGeotab managed user credentials in two ways: Basic Authentication and MyAdmin. CIAM centralized authentication, eliminating the need for separate systems. All users are now authenticated through CIAM, using “Basic Authentication”. The “MyAdmin (Reseller Support)” authentication type will remain visible in the dropdown in MyGeotab until all users are migrated to CIAM.
Q: As a MyAdmin User, my Authentication type was changed to Basic Authentication in MyGeotab, so does that impact my access to MyAdmin?
A: You should still have proper access to MyAdmin as well.
Q: Which types of users will be migrated in the initial rollout of CIAM?
A: We will migrate Basic authentication users and MyAdmin users, while SAML users will stay in MyGeotab until a later time. Service Account users will also stay in Geotab for now.