Skip to main content

HelloID

Getting started

HelloID is Tools4ever’s Cloud Identity & Access Management-as-a-Service (IDaaS) platform. It has three modules:

  • Access Management: Directory sync, user management, SSO applications, and security & access control

  • Service Automation: Self service product management, task automation, and IT helpdesk delegation

  • Provisioning: User account lifecycle automation in your organization's systems and applications

Initial login

  1. Check your email for your HelloID URL, username, and password.

    2022-12-05_11-20-33.jpg

  2. Click Go To The Portal.

  3. Enter your username and password.

    2022-12-07_10-57-39.jpg

  4. Read and accept the HelloID EULA.

    2022-12-07_10-50-51.jpg

  5. You are logged into HelloID and taken to the Admin dashboard.

    2022-12-07_10-51-21.jpg

Change the default admin password

Before you go any further with HelloID, we strongly recommend that you change the default password for the Administrator account.

  1. Click Administrator > Change Password.

    2022-12-07_10-54-01.jpg

  2. Enter your Old Password and New Password.

    2022-12-07_11-04-18.jpg

  3. Click Change Password to confirm.

Install Agent

2022-12-08_16-08-05.jpg

The on-premises HelloID Agent comprises three Windows services that you install & run on a server within your organization's network. These services communicate with your HelloID tenant via HTTPS. This lets HelloID execute actions & PowerShell code in your network.

For more information, see Agent. To install Agent:

Whitelist domains

HelloID relies on content, scripts, and other resources across several domains. For HelloID to work correctly, you must add these domains to your firewall's whitelist.

  1. Locate your instance's region at the bottom of the Admin dashboard. The region is listed as the last item in the page's footer.

    2022-12-07_15-32-26.jpg

  2. Whitelist the following Main domains for your region.

  3. If you have installed the on-premises Agent, you must also whitelist the following Agent domains for your region. This traffic is outbound only.

West US

Main domains

  • cdn-helloid.azureedge.net

  • fonts.googleapis.com

  • cdnjs.cloudflare.com

  • az416426.vo.msecnd.net

  • storageportalwus.blob.core.windows.net

  • fonts.gstatic.com

  • kendo.cdn.telerik.com

  • cdn.jsdelivr.net

  • polyfill.io

  • cdn-we-test.azureedge.net

  • cdn.configcat.com

  • provisioning-gateway-wus.helloid.cloud

  • helloid-provisioning.azureedge.net

  • dc.services.visualstudio.com

  • westus2.azure.elastic-cloud.com

  • dynamic-forms-wus-01.helloid.com

  • wus-identity.helloid.cloud

  • wus-platform.helloid.cloud

  • service-automation-prod-wus.helloid.cloud

Agent domains

  • *.(customer domain as configured in HelloID).helloid.com

  • agent-comm-wus-01.helloid.com

  • provisioning-gateway-wus.helloid.cloud

  • service-automation-prod-wus.helloid.cloud

  • cdn-helloid.azureedge.net

West Europe

Main domains

  • cdn-helloid.azureedge.net

  • fonts.googleapis.com

  • cdnjs.cloudflare.com

  • az416426.vo.msecnd.net

  • storageportalwe.blob.core.windows.net

  • fonts.gstatic.com

  • kendo.cdn.telerik.com

  • cdn.jsdelivr.net

  • polyfill.io

  • cdn-we-test.azureedge.net

  • cdn.configcat.com

  • provisioning-gateway-we.helloid.cloud

  • helloid-provisioning.azureedge.net

  • dc.services.visualstudio.com

  • westeurope.azure.elastic-cloud.com

  • we-identity.helloid.cloud

  • we-platform.helloid.cloud

  • service-automation-prod-we.helloid.cloud

Agent domains

  • *.(customer domain as configured in HelloID).helloid.com

  • agent-comm-we-01.helloid.com

  • provisioning-gateway-we.helloid.cloud

  • service-automation-prod-we.helloid.cloud

  • cdn-helloid.azureedge.net

Add an "All Rights" role for your Administrator account

Roles are containers for Rights, which control what features users can access in HelloID.

By default, the Administrator account does not have all rights—instead, you must create a custom role. To do so:

  1. Go to Security > Roles.

    2022-12-08_13-01-24.jpg

  2. Add a role called All Rights.

    2022-12-08_13-09-54.jpg

  3. Configure rights for a role, and click the All Rights button to turn on all rights toggles.

    2022-12-08_13-09-21.jpg

  4. Assign a user to a role to assign your Administrator account to your new All Rights role.

    2022-12-08_13-10-30.jpg

  5. Log out and back in to HelloID, and you will now have access to all features.

Set up directory sync

Directory sync is how you sync users and groups from your organization's directory system into HelloID Users and Groups.

HelloID has pre-packaged support for the following directory systems:

If your directory system is not on this list, you will need to write a custom sync script. See Custom directory sync.

Set up roles & rights

2022-12-08_16-09-07.jpg

The first step with roles & rights is to create an All Rights role for your Administrator account, which you should have already done. The second step is to assign users and groups to the roles they need, and if necessary, create additional custom roles.

For more information, see Roles & rights.

Set up 2FA and other access rules

2022-10-21_13-07-55.jpg

Portal access rules are a powerful tool to control access to HelloID and increase security. At minimum, we recommend adding a rule that enforces 2FA on all users. To do so, Add a portal access rule and configure the Two-Factor tab.

Additionally, review your Sign-on policies and customize them if needed.

Add your first identity provider (IdP)

2022-12-08_16-10-40.jpg

If you are using Active Directory as your user directory and you already set up AD directory sync, an IdP was already created for you, to let users log into HelloID via AD. However, if you are using Azure, Google, or a custom directory system, you will need to manually add an IdP. To do so, Add an IdP.

Set up audit logs (Elastic)

HelloID's audit logs store long-term records about activity in your HelloID portal.

2022-08-19_13-02-05.jpg

Before you can start viewing reports, you'll need to Grant access to audit logs.

Customize settings

2022-12-08_16-11-29.jpg

We recommend making an initial pass through each Settings page, to initially configure them.

Customize your HelloID URL

By default, your organization can access its HelloID instance at a URL like: https://companyname.helloid.com. If you want to use a custom URL instead, follow the below instructions.

Prerequisites

  • A custom domain: You need to know what your custom URL will be. Typically, it will be a subdomain of your organization's domain, such as login.companyname.com or helloid.companyname.com.

  • A certificate: Communication with HelloID is done over HTTPS. As such, you will need a PFX certificate for the domain in the URL. This can be a wildcard certificate or a domain certificate for the requested website.

  1. Go to Company settings.

  2. Go to the Custom Domains tab.

    2022-11-30_15-26-59.jpg

  3. Enter your custom domain in the Enter Domain field, in the format login.companyname.com or helloid.companyname.com.

  4. Enable the Risk toggle.

    Important

    The Risk toggle indicates that you understand the certificate will not be installed until the time listed at the end of this article. Your custom domain may not be accessible in the interim.

  5. Click Add.

    5.png

  6. You receive a CNAME record for your domain. Add it to your domain's DNS records.

    6.png

  7. Click Validate DNS.

  8. After successful validation, upload your Certificate and enter its Password. Click Upload.

    8.png

    Note

    You will receive Certificate expiration notifications for this certificate.

Your custom domain is saved.

result.png

The certificate will be automatically installed at the following time:

  • WE server: the next Monday at 21:00 CET/CEST

  • WUS server:

Configure a custom 'from' address for emails

There are two places where you can specify a custom 'from' address for emails sent by HelloID:

These 'from' fields will accept any email address using the helloid.com domain without additional configuration. However, if you want to specify a custom 'from' address (e.g., using your organization's domain), you must follow the directions below.

Caution

These fields also accept certain Variables to let you specify a dynamic 'from' address. In this case, the 'from' address is not resolved until runtime. Emails will fail to send if the domain is not verified.

If you haven't specified any custom 'from' domains, all emails are sent by default from the Service Desk Email Address specified in Company settings.

The mail provider that HelloID uses to send emails depends on where your HelloID instance is hosted. Different providers are used by region due to privacy laws & regulations.

Region

Provider

West United States (WUS)

SendGrid

West Europe (WE)

Mailjet

  1. Locate your instance's region at the bottom of the Admin dashboard. The region is listed as the last item in the page's footer.

    2022-12-07_15-32-26.jpg

  2. Go to Settings > Company > Mail Domain.

  3. Enter an email address using the domain you want to verify. For example, [email protected].

    2.png

  4. Click Add.

  5. A 6-digit verification code is emailed to the address you provided. Enter it into the text field, and click Validate.

    4.png

  6. HelloID provides you with a set of DNS records to add to your domain. Do so, and then click Validate DNS.

    5.png

  7. The domain is verified. HelloID can now send emails from any email address belonging to this domain (you are not limited to the specific address you used to verify the domain).

    6.png

Set up incident notifications

Incidents in your HelloID environment are reported on the admin dashboard. These are high-priority errors and events in HelloID which need your attention. They are tagged according to which HelloID module generated them (Access Management, Service Automation, or Provisioning).

2022-11-29_15-34-32.jpg

We suggest setting up email and/or webhook notifications, so you don't miss incidents when they are generated. To do so, Set up email notifications for incidents and/or Set up webhook notifications for incidents.

Start using HelloID

2022-12-08_16-13-04.jpg

Your HelloID environment is now prepared. All that is left is to get started! Consider starting with:

Applications

Application single sign-on (SSO) is the core feature of HelloID's Access Management module. Your Users log in just once, and can seamlessly access all their applications with one click (see Applications for users).

Products

A product is something that Users can request. A few common examples are:

  • Desktop or mobile software (including SSO Applications in HelloID)

  • Access to file shares or folders on your network

  • Physical items such as a cellphone or a laptop

Scheduled tasks

Scheduled tasks are Tasks that run on a regular, recurring basis. Both Pre-defined tasks and PowerShell tasks can be scheduled.

Delegated forms

Delegated forms let you delegate traditional helpdesk tasks to users within your organization (e.g., enable/disable user accounts, update user attributes, create groups, etc.), while hiding complexity and minimizing unnecessary permissions.

Provisioning

HelloID Provisioning automates your organization's user account lifecycle. It connects a single source of truth for employee data—typically a human resources database—to a myriad of target systems such as Active Directory or Google Workspace.

To get started with Provisioning, follow the Provisioning workflow.

Many resources are available to help you, including:

In this section: