Getting started
HelloID is Tools4ever’s Cloud Identity & Access Management-as-a-Service (IDaaS) platform. It has three modules:
Access Management: Directory sync, user management, SSO applications, and security & access control
Service Automation: Self service product management, task automation, and IT helpdesk delegation
Provisioning: User account lifecycle automation in your organization's systems and applications
Check your email for your HelloID URL, username, and password.
Click Go To The Portal.
Enter your username and password.
Read and accept the HelloID EULA.
You are logged into HelloID and taken to the Admin dashboard.
Before you go any further with HelloID, we strongly recommend that you change the default password for the Administrator account.
Click Administrator > Change Password.
Enter your Old Password and New Password.
Click Change Password to confirm.
The on-premises HelloID Agent comprises three Windows services that you install & run on a server within your organization's network. These services communicate with your HelloID tenant via HTTPS. This lets HelloID execute actions & PowerShell code in your network.
For more information, see Agent. To install Agent:
HelloID relies on content, scripts, and other resources across several domains. For HelloID to work correctly, you must add these domains to your firewall's whitelist.
Locate your instance's region at the bottom of the Admin dashboard. The region is listed as the last item in the page's footer.
Whitelist the following Main domains for your region.
If you have installed the on-premises Agent, you must also whitelist the following Agent domains for your region. This traffic is outbound only.
Main domains (West United States, WUS)
cdn-helloid.azureedge.net
fonts.googleapis.com
cdnjs.cloudflare.com
az416426.vo.msecnd.net
storageportalwus.blob.core.windows.net
fonts.gstatic.com
kendo.cdn.telerik.com
cdn.jsdelivr.net
cdn-we-test.azureedge.net
cdn.configcat.com
provisioning-gateway-wus.helloid.cloud
helloid-provisioning.azureedge.net
dc.services.visualstudio.com
westus2.azure.elastic-cloud.com
dynamic-forms-wus-01.helloid.com
wus-identity.helloid.cloud
wus-platform.helloid.cloud
service-automation-prod-wus.helloid.cloud
new cdn.helloid.cloud (scheduled for rollout with the May release)
Agent domains (West United States, WUS)
*.(customer domain as configured in HelloID).helloid.com
agent-comm-wus-01.helloid.com
provisioning-gateway-wus.helloid.cloud
service-automation-prod-wus.helloid.cloud
cdn-helloid.azureedge.net
new cdn.helloid.cloud (scheduled for rollout with the May release)
Main domains (West Europe, WE)
cdn-helloid.azureedge.net
fonts.googleapis.com
cdnjs.cloudflare.com
az416426.vo.msecnd.net
storageportalwe.blob.core.windows.net
fonts.gstatic.com
kendo.cdn.telerik.com
cdn.jsdelivr.net
cdn-we-test.azureedge.net
cdn.configcat.com
provisioning-gateway-we.helloid.cloud
helloid-provisioning.azureedge.net
dc.services.visualstudio.com
westeurope.azure.elastic-cloud.com
we-identity.helloid.cloud
we-platform.helloid.cloud
service-automation-prod-we.helloid.cloud
new cdn.helloid.cloud (scheduled for rollout with the May release)
Agent domains (West Europe, WE)
*.(customer domain as configured in HelloID).helloid.com
agent-comm-we-01.helloid.com
provisioning-gateway-we.helloid.cloud
service-automation-prod-we.helloid.cloud
cdn-helloid.azureedge.net
new cdn.helloid.cloud (scheduled for rollout with the May release)
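To confirm the outbound rules from the Agent server, the following added example (not part of the HelloID documentation) attempts a TCP connection on port 443 to each West Europe Agent domain and reports the names that are still blocked or do not resolve. The tenant host name `companyname.helloid.com` is a placeholder standing in for the wildcard entry, and the function name `Test-HelloIdOutbound` is hypothetical.

```powershell
# Added example: run on the server that hosts the HelloID Agent services.
# The list mirrors the West Europe "Agent domains" above; substitute the
# West United States list if that is your tenant's region.
$TenantHost = 'companyname.helloid.com'   # placeholder: your own portal host name

$AgentDomains = @(
    $TenantHost
    'agent-comm-we-01.helloid.com'
    'provisioning-gateway-we.helloid.cloud'
    'service-automation-prod-we.helloid.cloud'
    'cdn-helloid.azureedge.net'
    'cdn.helloid.cloud'
)

function Test-HelloIdOutbound {
    param(
        [Parameter(Mandatory)] [string[]] $HostName,
        [int] $Port = 443
    )
    foreach ($name in $HostName) {
        # Test-NetConnection resolves the name and attempts a TCP handshake.
        $r = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            HostName  = $name
            Resolved  = ($null -ne $r.RemoteAddress)
            Port      = $Port
            Reachable = [bool]$r.TcpTestSucceeded
        }
    }
}

$results = Test-HelloIdOutbound -HostName $AgentDomains
$results | Format-Table -AutoSize

# Only outbound connections are tested; the Agent needs no inbound rule.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ('Outbound HTTPS blocked or unresolved for: ' + ($blocked.HostName -join ', '))
}
```

If the Agent server reaches the internet through an explicit HTTPS proxy, a direct TCP test does not exercise the proxy's allowlist, so check the proxy policy for the same names.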
Roles are containers for Rights, which control what features users can access in HelloID.
By default, the Administrator account does not have all rights—instead, you must create a custom role. To do so:
Go to Security > Roles.
Add a role called All Rights.
Configure rights for a role, and click the All Rights button to turn on all rights toggles.
Link a role to a user to assign your Administrator account to your new All Rights role.
Log out and back in to HelloID, and you will now have access to all features.
Directory sync is how you sync users and groups from your organization's directory system into HelloID Users and Groups.
HelloID has pre-packaged support for the following directory systems:
If your directory system is not on this list, you will need to write a custom sync script. See Custom directory sync.
The first step with roles & rights is to create an All Rights role for your Administrator account, which you should have already done. The second step is to assign users and groups to the roles they need, and if necessary, create additional custom roles.
For more information, see Roles & rights.
Portal access rules are a powerful tool to control access to HelloID and increase security. At minimum, we recommend adding a rule that enforces 2FA on all users. To do so, Add a portal access rule and configure the Two-Factor tab.
Additionally, review your Sign-on policies and customize them if needed.
If you are using Active Directory as your user directory and you already set up AD directory sync, an IdP was already created for you, to let users log into HelloID via AD. However, if you are using Azure, Google, or a custom directory system, you will need to manually add an IdP. To do so, Add an IdP.
HelloID's audit logs store long-term records about activity in your HelloID portal.
Before you can start viewing reports, you'll need to Grant access to audit logs.
We recommend making an initial pass through each Settings page to configure it.
By default, your organization can access its HelloID instance at a URL like: https://companyname.helloid.com. If you want to use a custom URL instead, follow the below instructions.
Note
Prerequisites:
A custom domain: You need to know what your custom URL will be. Typically, it will be a subdomain of your organization's domain, such as login.companyname.com or helloid.companyname.com.
A certificate: Communication with HelloID is done over HTTPS. As such, you will need a PFX certificate for the domain in the URL. This can be a wildcard certificate or a domain certificate for the requested website.
Go to Company settings.
Go to the Custom Domains tab.
Enter your custom domain in the Enter Domain field, in the format login.companyname.com or helloid.companyname.com.
Enable the Risk toggle.
Important
The Risk toggle indicates that you understand the certificate will not be installed until the time listed at the end of this article. Your custom domain may not be accessible in the interim.
Click Add.
You receive a CNAME record for your domain. Add it to your domain's DNS records.
Click Validate DNS.
After successful validation, upload your Certificate and enter its Password. Click Upload.
Note
You will receive Expiration notifications for this certificate.
Your custom domain is saved.
The certificate will be automatically installed at the following time:
WE server: the next Monday at 21:00 CET/CEST
WUS server:
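Because the certificate is only installed at the scheduled time, it is worth checking the PFX before uploading it. The following added example (not part of the HelloID documentation) verifies that the file contains a private key, is currently valid, and covers the custom domain either by exact name or by a wildcard entry. The function name `Test-CustomDomainPfx`, the file path and the domain are placeholders.

```powershell
# Added example: pre-flight check for a custom-domain certificate.
function Test-CustomDomainPfx {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string]       $Domain      # e.g. login.companyname.com
    )
    $fullPath = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath, $Password)

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: the extension renders as "DNS Name=" (English-language Windows)
    # or "DNS:" (OpenSSL-backed .NET); other display languages need another pattern.
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = @([regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # A wildcard entry covers exactly one label: *.companyname.com matches
    # login.companyname.com but not a.login.companyname.com.
    $wildcardForm = '*.' + ($Domain -split '\.', 2)[1]
    $covered = ($dnsNames -contains $Domain) -or ($dnsNames -contains $wildcardForm)

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        CoversDomain  = $covered
        ValidNow      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        DaysLeft      = [int](($cert.NotAfter - $now).TotalDays)
        DnsNames      = $dnsNames -join ', '
    }
}

# Placeholder path and domain; Read-Host keeps the password out of shell history.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Test-CustomDomainPfx -PfxPath '.\login.companyname.com.pfx' -Password $pw -Domain 'login.companyname.com'
```

Upload only when `HasPrivateKey`, `CoversDomain` and `ValidNow` are all `True`.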
There are several places where you can specify a custom 'from' address for emails sent by HelloID:
These 'from' fields will accept any email address using the helloid.com domain without additional configuration. However, if you want to specify a custom 'from' address (e.g., using your organization's domain), you must follow the directions below.
Caution
These fields also accept certain Variables to let you specify a dynamic 'from' address. In this case, the 'from' address is not resolved until runtime. Emails will fail to send if the domain is not verified.
If you haven't specified any custom 'from' domains, all emails are sent by default from the Service Desk Email Address specified in Company settings.
The mail provider that HelloID uses to send emails depends on where your HelloID instance is hosted. Different providers are used by region due to privacy laws & regulations.
Region | Provider |
---|---|
West United States (WUS) | SendGrid |
West Europe (WE) | Mailjet |
Locate your instance's region at the bottom of the Admin dashboard. The region is listed as the last item in the page's footer.
Go to Settings > Company > Mail Domain.
Enter an email address using the domain you want to verify. For example, [email protected].
Click Add.
A 6-digit verification code is emailed to the address you provided. Enter it into the text field, and click Validate.
HelloID provides you with a set of DNS records to add to your domain. Do so, and then click Validate DNS.
The domain is verified. HelloID can now send emails from any email address belonging to this domain (you are not limited to the specific address you used to verify the domain).
Incidents in your HelloID environment are reported on the admin dashboard. These are high-priority errors and events in HelloID which need your attention. They are tagged according to which HelloID module generated them (Access Management, Service Automation, or Provisioning).
We suggest setting up email and/or webhook notifications, so you don't miss incidents when they are generated. To do so, Set up email notifications and/or Set up webhook notifications.
Your HelloID environment is now prepared. All that is left is to get started! Consider starting with:
Application single sign-on (SSO) is the core feature of HelloID's Access Management module. Your Users log in just once, and can seamlessly access all their applications with one click (see Applications for users).
A product is something that Users can request. A few common examples are:
Scheduled tasks are Tasks that run on a regular, recurring basis. Both Pre-defined tasks and PowerShell tasks can be scheduled.
Delegated forms let you delegate traditional helpdesk tasks to users within your organization (e.g., enable/disable user accounts, update user attributes, create groups, etc.), while hiding complexity and minimizing unnecessary permissions.
HelloID Provisioning automates your organization's user account lifecycle. It connects a single source of truth for employee data—typically a human resources database—to a myriad of target systems such as Active Directory or Google Workspace. To get started with Provisioning, follow the Provisioning workflow.
Many resources are available to help you, including:
Variables: can be used in many objects throughout HelloID
GitHub resources: open-source resources for use with HelloID
The HelloID REST API