Manage Service Providers

Connect, configure, and monitor service provider integrations with wavekey continuous authentication.

Navigating to the Page

  1. Log in to wavekey. After authenticating, you'll land on the home page.
  2. Click the Settings gear icon (top-right of the home page). This icon only appears when you are logged in.
  3. On the Settings page, click the "Manage Service Providers" button.

You'll arrive at the Manage Service Providers dashboard, which displays a tile for each supported service provider.

Admin-Only Restriction
Only the tenant admin (the user whose email was provided during organisation setup) can connect, disconnect, or edit service provider integrations. Non-admin users can view connection status and configure their own per-user policy settings (continuous authentication, frequency, notifications), but the connect/disconnect/edit buttons and the "Protect sensitive actions" toggle will be disabled.

Page Overview

The page shows a card/tile for each service provider integration:

Provider Connection Method Status
Salesforce OAuth Available
Google Workspace Domain Delegation Available
Safeguard on Demand for Privileged Passwords Service API Available
HubSpot OAuth Coming Soon

A search bar at the top lets you filter tiles by provider name.

Connecting Salesforce

Requires admin permissions. Non-admin users will see the Salesforce tile but cannot connect or disconnect.
  1. Locate the Salesforce tile. If not yet connected, the status badge will show a red dot and "Disconnected".
  2. Click the green "Connect" button at the bottom of the tile.
  3. You will be redirected to Salesforce's OAuth authorization page.
  4. Sign in to your Salesforce account and authorize wavekey.
  5. After approval, you are redirected back. The tile will update to show:
    • A green "Connected" status dot
    • "OAuth • Connected" subtitle
    • The Scope row showing the date access was granted
  6. The button changes to a red "Disconnect" button.

Disconnecting Salesforce

Click the red "Disconnect" button. The OAuth token is revoked and the tile returns to a disconnected state.

Connecting Google Workspace

Requires admin permissions. Non-admin users will see the Google Workspace tile but cannot connect or edit the configuration.
  1. Locate the Google Workspace tile. If not yet connected, the status badge will show a red dot and "Disconnected".
  2. Click the green "Connect" button at the bottom of the tile.
  3. A modal dialog opens titled "Google Workspace enterprise setup". It contains:
    • Service account client ID (read-only)wavekey's service account client ID. Click "Copy" to copy it.
    • OAuth scopes (read-only) — The required OAuth scope. Click "Copy" to copy it.
    • Workspace domain — Your organization's Google Workspace domain (e.g., acme.com).
    • Admin email — The email of a Google Workspace super admin.
  4. Before saving, authorize wavekey's service account in your Google Admin Console:
    1. Go to admin.google.com → Security → Access and data control → API controls
    2. Click "Manage Domain Wide Delegation" → "Add new"
    3. Paste the Service account client ID (copied from the modal) into the Client ID field
    4. Paste the OAuth scopes into the scopes field
    5. Click "Authorize"
  5. Back in the wavekey modal, fill in your Workspace domain and Admin email, then click "Save".
  6. The tile updates to show a green "Connected" status dot and the button text changes to "Edit".

To close the modal without saving: Click "Cancel", press Escape, or click outside the modal.

Connecting Safeguard on Demand for Privileged Passwords

Requires admin permissions. Non-admin users will see the Safeguard tile but cannot connect, disconnect, or edit the configuration.

One Identity Safeguard on Demand for Privileged Passwords integration lets wavekey enforce continuous authentication for your privileged access sessions. When a user walks away from their wavekey, their active Safeguard session is terminated and they must re-authenticate.

Prerequisites

  1. Safeguard on Demand for Privileged Passwords must be provisioned. You can do this from Starling → Join One Identity Products → Safeguard on Demand.
  2. OneLogin SAML federation must be configured so that Safeguard delegates authentication to OneLogin.
  3. A dedicated service account must be created in Safeguard for wavekey to use (see below).

Creating the Service Account

wavekey needs a local Safeguard user account with the Authorizer role to manage user sessions. Follow these steps:

  1. Log in to your Safeguard on Demand for Privileged Passwords appliance as an administrator.
  2. Navigate to Administrative Tools → Users.
  3. Click "Add User" and create a new local user:
    • Name: svc_wavekey (or similar)
    • Authentication Provider: Local
    • Set a strong password and store it securely
  4. Navigate to Administrative Tools → Roles.
  5. Select the Authorizer role.
  6. Click "Members", then "Add Member", and add the svc_wavekey user.
  7. Click "Save".
Why the Authorizer role?

The Authorizer role is the only built-in Safeguard role that grants the permissions wavekey needs to manage user sessions. Other roles (Help Desk, User, etc.) do not have sufficient permissions. Do not grant full administrator access — Authorizer follows the principle of least privilege for this integration.

Connecting in wavekey

  1. Locate the Safeguard on Demand for Privileged Passwords tile on the Manage Service Providers page. If not yet connected, the status badge will show a red dot and "Disconnected".
  2. Click the green "Connect" button at the bottom of the tile.
  3. A modal dialog opens titled "Safeguard for Privileged Passwords setup". Fill in the following fields:
    • Appliance URL — The full URL of your Safeguard on Demand for Privileged Passwords instance (e.g., https://spp-1-acme.pam.cloud.oneidentity.eu).
    • Service account username — The username of the service account you created (e.g., svc_wavekey).
    • Service account password — The password for the service account.
  4. Click "Save". wavekey will validate the credentials by connecting to your Safeguard instance.
  5. If successful, the tile updates to show:
    • A green "Connected" status dot
    • "Service API • Connected" subtitle
  6. The button changes to a red "Disconnect" button.

Disconnecting Safeguard

Click the red "Disconnect" button. The stored credentials are removed and the tile returns to a disconnected state. Continuous authentication enforcement for Safeguard will stop immediately.

How Session Termination Works

When wavekey detects that a user has walked away (no ultrasonic code detected within the configured timeout):

  1. wavekey securely connects to Safeguard using the service account credentials.
  2. It looks up the target user by their email address.
  3. The user’s access is revoked via the Safeguard API, invalidating all active sessions (including browser sessions).
  4. When the user returns and completes a full re-authentication through OneLogin, their access is automatically restored.
Important
The service account must have the Authorizer role. If session termination is not working, verify that the service account has been added as a member of the Authorizer role in Safeguard.

Toggle & Setting Reference

Each connected provider tile has the following configurable settings:

Continuous Authentication

What it does Enables conditional access — wavekey will continuously verify the user's identity at the configured frequency while they are using the service provider.
Default Off
When to enable Turn this on to enforce ongoing identity checks, ensuring only the authenticated user retains access.

Scope

A read-only badge displaying when admin access was granted (e.g., "Granted 17 Feb 2026") or "Not granted" if the provider is not connected. This is informational only — not a toggle.

Authentication Frequency

What it does Controls how often wavekey re-verifies identity when continuous authentication is enabled.
Default Every 3 seconds
How to change Click the "Change" button next to the current frequency. A dropdown appears with options ranging from 3 seconds to 1 hour.
Available Intervals

3s • 5s • 10s • 15s • 30s • 1 min • 3 min • 5 min • 10 min • 15 min • 30 min • 1 hour

Notifications

What it does When enabled, sends a notification if a continuous authentication check fails.
Default On (for Salesforce)

Protect Sensitive Actions

What it does Enables browser-level protection via the wavekey Chrome extension. When on, the extension monitors sensitive actions within the service provider's web interface.
Default Off
Important This setting is configured per provider — enabling it on one provider does not affect other providers.
Requires The wavekey Chrome extension must be installed in your browser.

Extension Status Banner

When Protect sensitive actions is enabled on any provider, an extension status banner appears below the provider tiles. It shows one of three states:

State Meaning
Checking wavekey is verifying whether the Chrome extension is installed and responding.
Verified The extension was detected and confirmed active by the server. The version may also be displayed.
Not found The extension was not detected. You must install the wavekey Chrome extension for browser protection to work.

The extension check runs automatically on page load and whenever the browser tab regains focus.