Authentication changes and requirements

On March 24, Prelude is launching a new method for authenticating accounts.

Existing Web Users using Token Auth (Keychain Auth)

Existing account/token user authentication will be deprecated and replaced with username/password.  Users will receive an email with their username and a temporary password.  Upon logging in with their temporary password, users will be required to change their password.

Existing Web Users using OIDC Auth

As part of this change to Prelude’s authentication, accounts using custom OIDC will need to update their OAuth 2.0 Client IDs’ “Authorized Redirect URIs”. This will need to be done by your Identity Provider Admin. This will allow Prelude’s new authentication URI to initiate a login flow with your Identity Provider. 

Failure to add the new Authorized Redirect URI will result in your Identity Provider generating a “redirect_uri_mismatch” error when you try to log in. If you end up in this state, adding the new “Authorized Redirect URIs” to the OAuth 2.0 Client configured in your Identity Provider will remedy the issue.

During the upgrade, existing web sessions should not be affected. However, if an OIDC authenticating user is logged out unexpectedly during the upgrade process, the user can select Login with SSO and supply their organizational slug (account number by default), and proceed with a normal login. If you experience any issues with login, please contact support.

Current Settings

Your current settings should look similar to:

Authorized Javascript Origins

  EU1: https://api.eu1.preludesecurity.com
  US1: https://api.us1.preludesecurity.com

Authorized redirect URIs

  EU1: https://api.eu1.preludesecurity.com
       https://api.eu1.preludesecurity.com/iam/account/login
  US1: https://api.us1.preludesecurity.com
       https://api.us1.preludesecurity.com/iam/account/login

Transition Settings

During the transition, your settings should look similar to:

Authorized Javascript Origins

  EU1: https://api.eu1.preludesecurity.com
  US1: https://api.us1.preludesecurity.com

Authorized redirect URIs

  EU1: https://api.eu1.preludesecurity.com
       https://api.eu1.preludesecurity.com/iam/account/login
       https://platform-auth.eu1.preludesecurity.com/oauth2/idpresponse
  US1: https://api.us1.preludesecurity.com
       https://api.us1.preludesecurity.com/iam/account/login
       https://platform-auth.us1.preludesecurity.com/oauth2/idpresponse

Endstate Settings

After the transition, your settings should look similar to:

Authorized Javascript Origins

  EU1: {empty}
  US1: {empty}

Authorized redirect URIs

  EU1: https://platform-auth.eu1.preludesecurity.com/oauth2/idpresponse
  US1: https://platform-auth.us1.preludesecurity.com/oauth2/idpresponse
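
The settings listed above can be turned into a check that an Identity Provider admin runs against the redirect URIs currently registered on the OAuth 2.0 client. This is an added example, not Prelude's code: the function names and the sample list are constructed, and it assumes the Identity Provider compares redirect URIs as exact strings, so a near miss such as a trailing slash still produces redirect_uri_mismatch.

```python
# Added example (not Prelude's code). URIs are copied from the tables on this
# page; function names and the sample list are hypothetical/constructed.
API = "https://api.{r}.preludesecurity.com"
OLD = [API, API + "/iam/account/login"]
NEW = ["https://platform-auth.{r}.preludesecurity.com/oauth2/idpresponse"]
REQUIRED = {"current": OLD, "transition": OLD + NEW, "endstate": NEW}
REGIONS = ("eu1", "us1")


def required_uris(region, phase):
    """Redirect URIs the page lists for one region in one phase."""
    if region not in REGIONS:
        raise ValueError(f"unknown region: {region!r}")
    return [t.format(r=region) for t in REQUIRED[phase]]


def _loose(uri):
    # Ignore the differences people most often introduce by hand.
    return uri.strip().rstrip("/").lower()


def audit(configured, region, phase):
    """Return (missing, unexpected, near_misses) for the configured list.

    Assumption: the Identity Provider matches redirect URIs as exact strings,
    so anything in `missing` would produce redirect_uri_mismatch.
    """
    required = required_uris(region, phase)
    have = set(configured)
    missing = [u for u in required if u not in have]
    unexpected = sorted(have - set(required))
    near = [(m, c) for m in missing for c in unexpected if _loose(m) == _loose(c)]
    return missing, unexpected, near


# Constructed sample: old EU1 entries plus the new URI typed with a trailing slash.
SAMPLE_CONFIGURED = [
    "https://api.eu1.preludesecurity.com",
    "https://api.eu1.preludesecurity.com/iam/account/login",
    "https://platform-auth.eu1.preludesecurity.com/oauth2/idpresponse/",
]

if __name__ == "__main__":
    for phase in ("transition", "endstate"):
        missing, unexpected, near = audit(SAMPLE_CONFIGURED, "eu1", phase)
        print(phase, "missing:", missing)
        print(phase, "to review:", unexpected)
        for want, got in near:
            print(f"  near miss: {got!r} should be {want!r}")
```

Entries reported as unexpected in the endstate phase are the old api.* URIs that the Endstate Settings no longer list.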

Existing CLI users

CLI users must upgrade their CLI prior to this upgrade: 

pip install -U prelude-cli

Once the CLI is upgraded, any API interaction will automatically update the user’s keychain file to include the user’s handle. Following the service upgrade on March 24th, authentication tokens will no longer be valid, and CLI users will need to authenticate with their username/password.

Existing SDK users

The following support doc outlines the updated CLI/SDK usage with examples.