Using Single Sign-On (SSO) with Microsoft Entra

Learn how to set up and use SSO for a more seamless user experience.

Written By Grainne Reidy (Super Administrator)

Updated at October 17th, 2024

Introduction

To enable your company's users to sign on using SSO (single sign-on), you must complete the following steps:

  • Step One: Create and configure an application in the Microsoft Entra tenant from the Azure portal. This registers (whitelists) the AIQ redirect URL for your region so that the sign-in flow returns the user safely to AIQ. You will then have the following details:
    • IDP connection: Access this in Azure, by going to App registrations and then Endpoints. Copy the “OpenID Connect metadata document.”
    • App credentials: Record the Client ID, Client secret, and Client Secret Expiry Date during app creation.
    • Domain name: This is the email domain of the AD server.
  • Step Two: Send the details above to integration@accountsiq.com so that we can complete the SSO setup process. When we are done, we will notify you via email.
  • Step Three: Now your company can use SSO. When logging in for the first time, users will need to link to the appropriate MS account.

For detailed information on each step, see the relevant section below.

See:

Setting Up System Users

Setting up and Configuring an App in IDP

Set up an App in IDP

Note: on first login to your IDP, you may be required to request admin consent to allow AIQ to read names and email addresses from your domain.

  1. Sign into the Azure portal.
  2. If you have access to multiple tenants, select the Settings icon in the top menu. Then, use the Directories + subscriptions menu to switch to your Microsoft Entra tenant.
  3. Under All services in the top-left corner, search for and select App registrations.
  4. Select New registration.
  5. Enter a Name for the application. For example, “AccountsIQ SSO Microsoft Entra AD.”
  6. Select Accounts in any organizational directory (Any Microsoft Entra directory – Multitenant) for this application.
  7. For the Redirect URI, select the value of Web, and enter the following URL for your region in all lowercase letters:
  8. Click Register. Record the Application (client) ID for use in a later step.
  9. Select Certificates & secrets, and then select New client secret.
  10. Enter a Description for the secret. Select an expiration: choose the longest available period (two years minimum) and record the expiry date, as you will need to report it to AIQ. Click Add, then record the Value of the secret and its expiry date for use in a later step.

Configuring Claims

  1. Sign in to the Azure portal.
  2. Search for and select Microsoft Entra ID.
  3. From the Manage section, select App registrations.
  4. From the list, select the application you want to configure optional claims for.
  5. From the Manage section, select Token configuration.
  6. Select Add optional claim.
  7. For the Token type, select ID.
  8. Select the optional claims to add email, family_name, and given_name.
  9. Select Add. If “Turn on the Microsoft Graph email permission” (required for claims to appear in token) appears, enable it, and then select Add again.
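Before sending the details to AIQ, it is worth checking two things yourself: that the "OpenID Connect metadata document" you copied from App registrations > Endpoints contains the endpoints an IDP connection needs, and that an ID token from a test login actually carries the email, family_name and given_name claims configured above (the most common reason they are missing is the Microsoft Graph email permission not being enabled). The following Python is an added example, not AccountsIQ's or Microsoft's code. It assumes a constructed, abbreviated metadata document and a constructed, unsigned sample token in place of real ones; a real Entra ID token is RS256-signed, and signature verification against jwks_uri is out of scope here.

```python
"""Pre-flight checks for an Entra app registration used for OIDC SSO (added example)."""
import base64
import json

# Constructed sample of an OpenID Connect metadata document, reduced to the
# fields the checks below look at. A real document has many more fields.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
})

REQUIRED_METADATA_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# The three optional claims added under Token configuration.
REQUIRED_ID_TOKEN_CLAIMS = ("email", "family_name", "given_name")

# Constructed placeholder; substitute the Application (client) ID you recorded.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"


def check_metadata(document: str) -> dict:
    """Parse the metadata document and return the endpoints an IDP connection needs.
    Raises ValueError if any required field is absent."""
    meta = json.loads(document)
    missing = [f for f in REQUIRED_METADATA_FIELDS if f not in meta]
    if missing:
        raise ValueError(f"metadata document missing fields: {missing}")
    return {f: meta[f] for f in REQUIRED_METADATA_FIELDS}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT ID token WITHOUT verifying its signature.
    Use this only to inspect claim configuration on a token from your own test login."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, client_id: str) -> list:
    """Return the configured claims that are absent from the token, plus 'aud'
    if the token was issued for a different app registration than this one."""
    problems = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if claims.get("aud") != client_id:
        problems.append("aud")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token for this demo (empty signature
    segment). Real Entra tokens are signed; never accept unsigned tokens in production."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA))
    complete = make_sample_token({"aud": CLIENT_ID, "email": "user@example.com",
                                  "family_name": "Example", "given_name": "User"})
    incomplete = make_sample_token({"aud": CLIENT_ID, "email": "user@example.com"})
    print(missing_claims(id_token_claims(complete), CLIENT_ID))    # []
    print(missing_claims(id_token_claims(incomplete), CLIENT_ID))  # ['family_name', 'given_name']
```

Run the `missing_claims` check against the payload of an ID token obtained from a test login; an empty list means the Token configuration step took effect, while a list containing `family_name` or `given_name` usually points at the Microsoft Graph email permission or the optional claims not having been saved.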

Next Step

Now that you have completed the setup and configuration process, pass the following details on to us at integration@accountsiq.com:

  • IDP connection: Access this in Azure, by going to App registrations and then Endpoints. Copy the “OpenID Connect metadata document.”
  • App credentials: Record the Client ID, Client secret, and Client Secret Expiry Date during app creation.
  • Domain name: This is the email domain of the AD server.

When we have finished the SSO setup process, we will contact you by email.

Note: if your IDP policy is about to expire, you will receive a reminder to renew it and send the new details back to us; once you do, we will update your records. Admin users receive repeated reminders from three months before the expiry date until the day before it. After that date you will lose access to the system, because your IDP will no longer allow the connection between the two platforms.
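The expiry rules above (a minimum two-year validity when the secret is created, reminders from three months before expiry until the day before, and loss of access on the expiry date) are easy to mirror in your own monitoring so that the renewal is not left to the reminder emails alone. The following Python is an added example, not AccountsIQ's code; the dates are constructed, and "three months" is interpreted as a calendar-month offset, clamped to the last day of a shorter month.

```python
"""Client-secret expiry status mirroring the reminder window described above (added example)."""
import calendar
from datetime import date

REMINDER_MONTHS = 3      # reminders start three months before expiry
MINIMUM_VALIDITY_MONTHS = 24  # two-year minimum when the secret is created


def add_months(d: date, months: int) -> date:
    """Shift a date by whole calendar months (negative to go back), clamping the
    day to the end of the target month, e.g. 31 May minus 3 months -> 28/29 Feb."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def secret_status(expiry: date, today: date) -> str:
    """'ok' outside the reminder window, 'renew' from three months before expiry
    up to and including the day before, 'expired' on or after the expiry date."""
    if today >= expiry:
        return "expired"
    if today >= add_months(expiry, -REMINDER_MONTHS):
        return "renew"
    return "ok"


def meets_minimum_validity(created: date, expiry: date) -> bool:
    """True if the chosen expiration is at least two years after creation."""
    return expiry >= add_months(created, MINIMUM_VALIDITY_MONTHS)


if __name__ == "__main__":
    # Constructed sample: a secret created 17 Oct 2024 with a two-year expiry.
    created, expiry = date(2024, 10, 17), date(2026, 10, 17)
    print(meets_minimum_validity(created, expiry))           # True
    for today in (date(2026, 7, 16), date(2026, 7, 17), date(2026, 10, 16), date(2026, 10, 17)):
        print(today, secret_status(expiry, today))
```

Schedule `secret_status` to run daily against the expiry date you recorded when creating the secret; a transition to "renew" is the point at which to generate a new client secret and send its value and expiry date to integration@accountsiq.com.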

Note: if your IDP has MFA enabled, we suggest disabling MFA in AccountsIQ so that users are not prompted for two separate MFA challenges when they log in.


Logging in using SSO

Once you have completed the steps outlined above, your users can sign in using SSO.

  1. Click Log in with Microsoft.
  2. Enter your email and click Log In. This email must match the one registered in your AIQ account.
  3. Next, enter details for your IDP. This must match the email that was entered in the login screen. The login will fail if a different email is entered.
  4. Enter your password.
  5. Depending on the accounts you have access to, you will either be logged in automatically or asked to provide an Account ID, as follows:
    1. You have one Partner assigned to your user: You will be automatically logged into that Partner, regardless of the number of Providers you have assigned.
    2. You have one Provider assigned to your user: You will be automatically logged into that Provider.
    3. You have multiple Providers assigned to your user: You will be required to enter a Partner ID in the screen that follows.
    4. You have multiple Partners assigned to your user: You will be required to enter a Provider ID in the screen that follows.
    5. You have one or more Entities assigned to your user: You will be required to enter an Account ID in the screen that follows.
  6. Click Continue.