Login-controlled knowledge base [open beta]
Overview
Enable login controls to require customers or partners to log in to access your Front Knowledge Base, giving you more control over who can see your content. Front’s knowledge base supports authentication of your team members and end users through an external identity provider (IdP) using OpenID Connect (OIDC).
You must have Front company admin or Knowledge Base admin permissions to manage site visibility settings. This is an advanced configuration that is best handled by an IT admin.
Prerequisites
To set up a login-controlled knowledge base in Front, you must have:
An OpenID Connect application created within your identity provider (IdP).
A list of authorized users already set up in your IdP.
A subdomain or custom domain set up in your Knowledge Base settings. If you're starting with an internal knowledge base (Site visibility: Front users only), set your Site visibility setting to Public to set up a domain before following the steps below.
Access to your Authorization URL, Token URL, and JWKs URL from your IdP’s discovery document, typically found at: https://<yourIdPDomain>/.well-known/openid-configuration.
Instructions
Part 1: Configure an application in your IdP
Step 1
In your IdP, create a new application for Front.
Step 2
Set up Allowed callback URLs/Sign-in redirect URIs. Set the URL to your knowledge base URL with /auth/callback appended. After the user authenticates, the authentication server will call back to this URL.
Examples:
If your knowledge base subdomain is acme, the value will be https://acme.frontkb.com/auth/callback.
If your custom domain is help.acme.com, the value will be https://help.acme.com/auth/callback.
Step 3
Set scope and grant type (if applicable):
Scope: openid
Grant Type: Authorization Code
Part 2: Select site visibility & configuration
Step 4
In Front, navigate to the Configuration tab in your knowledge base Settings.
Step 5
In the Site visibility section, select Authorized users only and fill in the following fields:
Client ID: The unique identifier for the application, provided by your IdP.
Client secret: A secret known only to the application and the authorization server. The secret must be kept confidential. The value is hidden after it’s set. If you need to rotate the secret, edit the field and enter the new value.
Authorization URL: The endpoint that handles authentication of a user. Front sends the end user to this URL to sign in.
Token URL: The endpoint that issues JSON Web Tokens, such as ID tokens or access tokens. In the Authorization Code flow, Front exchanges the authorization code for an ID token.
JWKs URL (optional): Front uses public keys provided by this JWKs URL to verify ID tokens issued by the authorization server.
If the URL is not provided, Front will default to using the client secret for verification.
If you get an "invalid algorithm" error, you need to enter the JWKs URL.
Step 6
Click Save. Access restriction is effective immediately if your knowledge base is already live and published.
Note: Setting the site visibility to Authorized users only will restrict access to published content. We recommend testing the configuration on a staging knowledge base before applying it to the live environment to avoid accidental access issues.
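The following is an added example, not Front's own code: a Python pre-flight check that maps an IdP discovery document to the values entered in Parts 1 and 2 and flags when the JWKs URL cannot be left blank. The function names and the idp.example.com document are constructed for illustration, and it assumes the "invalid algorithm" error corresponds to an IdP that signs ID tokens with a non-HMAC algorithm such as RS256, which a client secret cannot verify.

```python
import base64
import json

# Constructed sample discovery document; idp.example.com is a placeholder IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}


def front_kb_settings(discovery, kb_base_url):
    """Map a discovery document to the values entered in Part 1 and Part 2."""
    for key in ("authorization_endpoint", "token_endpoint"):
        if not str(discovery.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} is missing or not HTTPS")
    # OIDC Discovery defaults grant_types_supported to these two when omitted.
    grants = discovery.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        raise ValueError("IdP does not offer the Authorization Code grant")
    algs = discovery.get("id_token_signing_alg_values_supported", [])
    # HS* tokens are HMACs keyed with the client secret; every other
    # algorithm can only be verified with public keys from the JWKs URL.
    needs_jwks = any(not alg.startswith("HS") for alg in algs)
    if needs_jwks and not discovery.get("jwks_uri"):
        raise ValueError("asymmetric signing advertised but no jwks_uri")
    return {
        "callback_url": kb_base_url.rstrip("/") + "/auth/callback",
        "authorization_url": discovery["authorization_endpoint"],
        "token_url": discovery["token_endpoint"],
        "jwks_url": discovery.get("jwks_uri"),
        "jwks_url_required": needs_jwks,
    }


def id_token_alg(id_token):
    """Read the alg header of an ID token without verifying it (diagnostic only)."""
    header_b64 = id_token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))["alg"]


if __name__ == "__main__":
    print(json.dumps(front_kb_settings(SAMPLE_DISCOVERY, "https://acme.frontkb.com"), indent=2))
```

Run it against the staging knowledge base's IdP application first; id_token_alg only inspects the header and must never be treated as validation of the token.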
FAQ
What if I remove a user from the list of authorized users?
When a user is removed from the list of authorized users, their access to the knowledge base will be revoked within 24 hours.
What if a user is viewing an article when access restriction is enabled?
Users can still view the article if the page is already loaded. Once they refresh, they'll be redirected to sign in to access the article.
Pricing
This feature is available on the latest Growth plan or above.