This article details how to log in to Messages XR Enterprise using the connected SSO experience, including claiming a new account from a welcome email and linking an existing account for the first time.
Connected SSO login experience
This article references the Messages XR Enterprise Connected SSO experience.
- Not sure which one you have? See a side-by-side view in "Single sign-on is here!"
- Login help for the legacy login experience is available in "Authentication in Messages XR Enterprise: The legacy login experience."
💡Quick answers
- How does a new user get access for the first time? Selecting the button in the welcome email opens the login form to claim the account; a welcome email is the only way for a new account to gain initial access.
- How does an existing user move to the connected SSO experience? Entering the existing Messages XR Enterprise username and password once starts the process, followed by creating a new password and setting up a verification method.
- What happens to the old username after the first connected sign-in? It stops working. Future sign-ins use the account's email address and new password instead.
- What if the password is forgotten? Selecting Forgot password and entering the username or email on file triggers a reset link by email.
- Can the verification code be skipped on a trusted device? Yes. Selecting Trust this computer skips the code on that device for a number of days.
Single sign-on is here!
A Connected SSO experience is rolling out to Messages XR Enterprise districts!
This upgrade includes:
- enhanced security with multi-factor authentication
- support for popular identity providers (IdPs) like Google or Facebook
- a single, modern login experience across Finalsite products
Wondering which login experience you currently have?
This login screen indicates an upgrade to the connected SSO experience:
This article covers the connected SSO experience.
Districts not yet moved to the connected SSO experience will still see this legacy login screen:
Login help for the legacy login experience is available in "Authentication in Messages XR Enterprise: The legacy login experience."
New accounts: Claim access from a welcome email
Staff accounts receive a welcome email by default when created. For parent and student accounts to receive a welcome email, the district can enable welcome emails for all account types. A welcome email is the only way for a new account to gain initial access.
- Step 1: Select the button in the welcome email to open the login form.
- Step 2: Confirm the email address shown, matching the address the welcome email was sent to, or choose a different email to link the account to instead.
- Step 3: Choose a verification method: email, or an authenticator app. Any authenticator app works, including a password manager's built-in authenticator or an app like Google Authenticator.
- Step 4: Complete verification. For email, request a code, retrieve it from the inbox, and enter it. For an authenticator app, scan the QR code shown and enter the generated code.
- Step 5: Save the recovery codes shown after verification. These restore access later if a password is forgotten and a verification code cannot be received.
- Step 6: Create a password for the new account.
Sign-in completes automatically after these steps. Signing out and back in prompts for the verification code set up in Step 4.
Existing accounts: Link to the Connected SSO experience
Accounts created before the connected SSO experience continue working with the existing username and password for one final sign-in. The next sign-in attempt after a district's migration lands on the new login page instead of the previous one.
- Step 1: Enter the existing Messages XR Enterprise username and password.
- Step 2: Create a new password. This links the existing profile to a single account used across Finalsite products going forward.
- Step 3: Confirm the email address on file, or choose a different one. Unlike the welcome-email flow, ownership of this email is not yet confirmed at this point, so a verification email is sent; selecting the link in that email confirms ownership before continuing.
- Step 4: Choose a verification method and complete verification, the same as new accounts above.
- Step 5: Save the recovery codes.
Old credentials stop working
After this first sign-in, the previous username and password no longer work. Future sign-ins use the account's email address and new password instead of the old username.
Sign in on a day-to-day basis
The login page offers two ways to sign in, depending on what the district has enabled:
- Email and password: entering the registered email address and password signs in directly.
- An identity provider (IdP): selecting a button such as "Sign in with Google" opens a secure window (a modal) for entering credentials with that provider. Once verified, the modal closes automatically and access to the account follows.
Trust a device to skip verification
A Trust this computer checkbox may appear at sign-in. Selecting it skips the verification code on that device for a number of days. Districts can also hide this option entirely to require verification at every sign-in.
- Trusting a device only affects the verification code step.
- It does not change how long a session stays active, as the comparison below shows.
| Feature | What it does | Configurable by the district |
|---|---|---|
| Trust this computer | Skips the verification code on that device for a set number of days. | The option can be hidden entirely either way. |
| 60-minute session timeout | Ends the session automatically after 60 minutes of inactivity, regardless of trusted-device status. | No. |
Failed sign-in attempts
Entering an incorrect password 3 times redirects automatically to the Forgot password page. This is a security measure and prevents guessing at a password repeatedly.
Use a recovery code to regain access
A saved recovery code can stand in for an email or authenticator app code at the verification step, for example when an authenticator device is lost or unavailable. Each recovery code works once.
Reset a forgotten password
The steps differ depending on whether the account has already been linked to the connected SSO experience.
Already using the connected SSO experience: selecting Forgot password and entering the registered email triggers a reset link by email; following that link and setting a new password completes the reset, with no further migration steps needed.
Not yet linked to the connected SSO experience:
- Step 1: Select Forgot password and enter the username or email on file.
- Step 2: Follow the reset link sent by email and set a new password.
- Step 3: Return to the login page and complete the account-linking steps above: confirm the email, set up a verification method, and save the recovery codes.
Staying signed in
A session stays active while an account is in use. After 60 minutes of inactivity, the session ends automatically and a message appears: "Session expired due to inactivity. Please log in again."
On a shared or public computer, such as in a library or a shared staff room, manually selecting logout when finished is important. Doing so immediately ends the session and keeps the next person using that computer from accessing the account.
Quick reference
| Goal | Action |
|---|---|
| Sign in | Enter the registered email and password, or select an identity provider such as Google or Apple. |
| Claim a new account | Select the button in the welcome email and complete the setup steps. |
| Recover a forgotten password | Select Forgot password and follow the emailed reset link. |
| Skip repeated verification codes | Select Trust this computer at sign-in. |
| Protect a shared computer | Select logout manually when finished. |