Manage Service Providers
Connect, configure, and monitor service provider integrations with wavekey continuous authentication.
Navigating to the Page
- Log in to wavekey. After authenticating, you'll land on the home page.
- Click the Settings gear icon (top-right of the home page). This icon only appears when you are logged in.
- On the Settings page, click the "Manage Service Providers" button.
You'll arrive at the Manage Service Providers dashboard, which displays a tile for each supported service provider.
Page Overview
The page shows a card/tile for each service provider integration:
| Provider | Connection Method | Status |
|---|---|---|
| Salesforce | OAuth | Available |
| Google Workspace | Domain Delegation | Available |
| Safeguard on Demand for Privileged Passwords | Service API | Available |
| HubSpot | OAuth | Coming Soon |
A search bar at the top lets you filter tiles by provider name.
Connecting Salesforce
- Locate the Salesforce tile. If not yet connected, the status badge will show a red dot and "Disconnected".
- Click the green "Connect" button at the bottom of the tile.
- You will be redirected to Salesforce's OAuth authorization page.
- Sign in to your Salesforce account and authorize wavekey.
- After approval, you are redirected back. The tile will update to show:
- A green "Connected" status dot
- "OAuth • Connected" subtitle
- The Scope row showing the date access was granted
- The button changes to a red "Disconnect" button.
Disconnecting Salesforce
Click the red "Disconnect" button. The OAuth token is revoked and the tile returns to a disconnected state.
Connecting Google Workspace
- Locate the Google Workspace tile. If not yet connected, the status badge will show a red dot and "Disconnected".
- Click the green "Connect" button at the bottom of the tile.
- A modal dialog opens titled "Google Workspace enterprise setup". It contains:
- Service account client ID (read-only) — wavekey's service account client ID. Click "Copy" to copy it.
- OAuth scopes (read-only) — The required OAuth scope. Click "Copy" to copy it.
- Workspace domain — Your organization's Google Workspace domain (e.g.,
acme.com). - Admin email — The email of a Google Workspace super admin.
- Before saving, authorize wavekey's service account in
your Google Admin
Console:
- Go to admin.google.com → Security → Access and data control → API controls
- Click "Manage Domain Wide Delegation" → "Add new"
- Paste the Service account client ID (copied from the modal) into the Client ID field
- Paste the OAuth scopes into the scopes field
- Click "Authorize"
- Back in the wavekey modal, fill in your Workspace domain and Admin email, then click "Save".
- The tile updates to show a green "Connected" status dot and the button text changes to "Edit".
To close the modal without saving: Click "Cancel", press Escape, or click outside the modal.
Connecting Safeguard on Demand for Privileged Passwords
One Identity Safeguard on Demand for Privileged Passwords integration lets wavekey enforce continuous authentication for your privileged access sessions. When a user walks away from their wavekey, their active Safeguard session is terminated and they must re-authenticate.
Prerequisites
- Safeguard on Demand for Privileged Passwords must be provisioned. You can do this from Starling → Join One Identity Products → Safeguard on Demand.
- OneLogin SAML federation must be configured so that Safeguard delegates authentication to OneLogin.
- A dedicated service account must be created in Safeguard for wavekey to use (see below).
Creating the Service Account
wavekey needs a local Safeguard user account with the Authorizer role to manage user sessions. Follow these steps:
- Log in to your Safeguard on Demand for Privileged Passwords appliance as an administrator.
- Navigate to Administrative Tools → Users.
- Click "Add User" and create a new local user:
- Name:
svc_wavekey(or similar) - Authentication Provider: Local
- Set a strong password and store it securely
- Name:
- Navigate to Administrative Tools → Roles.
- Select the Authorizer role.
- Click "Members", then "Add Member", and add the
svc_wavekeyuser. - Click "Save".
The Authorizer role is the only built-in Safeguard role that grants the permissions wavekey needs to manage user sessions. Other roles (Help Desk, User, etc.) do not have sufficient permissions. Do not grant full administrator access — Authorizer follows the principle of least privilege for this integration.
Connecting in wavekey
- Locate the Safeguard on Demand for Privileged Passwords tile on the Manage Service Providers page. If not yet connected, the status badge will show a red dot and "Disconnected".
- Click the green "Connect" button at the bottom of the tile.
- A modal dialog opens titled "Safeguard for Privileged Passwords setup".
Fill in the following fields:
- Appliance URL — The full URL of your Safeguard on Demand for
Privileged Passwords
instance
(e.g.,
https://spp-1-acme.pam.cloud.oneidentity.eu). - Service account username — The username of the service
account you created (e.g.,
svc_wavekey). - Service account password — The password for the service account.
- Appliance URL — The full URL of your Safeguard on Demand for
Privileged Passwords
instance
(e.g.,
- Click "Save". wavekey will validate the credentials by connecting to your Safeguard instance.
- If successful, the tile updates to show:
- A green "Connected" status dot
- "Service API • Connected" subtitle
- The button changes to a red "Disconnect" button.
Disconnecting Safeguard
Click the red "Disconnect" button. The stored credentials are removed and the tile returns to a disconnected state. Continuous authentication enforcement for Safeguard will stop immediately.
How Session Termination Works
When wavekey detects that a user has walked away (no ultrasonic code detected within the configured timeout):
- wavekey securely connects to Safeguard using the service account credentials.
- It looks up the target user by their email address.
- The user’s access is revoked via the Safeguard API, invalidating all active sessions (including browser sessions).
- When the user returns and completes a full re-authentication through OneLogin, their access is automatically restored.
Toggle & Setting Reference
Each connected provider tile has the following configurable settings:
Continuous Authentication
| What it does | Enables conditional access — wavekey will continuously verify the user's identity at the configured frequency while they are using the service provider. |
| Default | Off |
| When to enable | Turn this on to enforce ongoing identity checks, ensuring only the authenticated user retains access. |
Scope
A read-only badge displaying when admin access was granted (e.g., "Granted 17 Feb 2026") or "Not granted" if the provider is not connected. This is informational only — not a toggle.
Authentication Frequency
| What it does | Controls how often wavekey re-verifies identity when continuous authentication is enabled. |
| Default | Every 3 seconds |
| How to change | Click the "Change" button next to the current frequency. A dropdown appears with options ranging from 3 seconds to 1 hour. |
3s • 5s • 10s • 15s • 30s • 1 min • 3 min • 5 min • 10 min • 15 min • 30 min • 1 hour
Notifications
| What it does | When enabled, sends a notification if a continuous authentication check fails. |
| Default | On (for Salesforce) |
Protect Sensitive Actions
| What it does | Enables browser-level protection via the wavekey Chrome extension. When on, the extension monitors sensitive actions within the service provider's web interface. |
| Default | Off |
| Important | This setting is configured per provider — enabling it on one provider does not affect other providers. |
| Requires | The wavekey Chrome extension must be installed in your browser. |
Extension Status Banner
When Protect sensitive actions is enabled on any provider, an extension status banner appears below the provider tiles. It shows one of three states:
| State | Meaning |
|---|---|
| Checking | wavekey is verifying whether the Chrome extension is installed and responding. |
| Verified | The extension was detected and confirmed active by the server. The version may also be displayed. |
| Not found | The extension was not detected. You must install the wavekey Chrome extension for browser protection to work. |
The extension check runs automatically on page load and whenever the browser tab regains focus.