Introduction
Self-serve SSO lets you set up SSO with minimal technical support from us. It allows Practice Administrators to register their account domains or domain aliases for SSO so that account users under those domains and domain aliases can log in with their corporate credentials.
Note
- Only Microsoft and Google Workspace are supported for SSO.
- Self-serve SSO will have no impact on API integrations.
Microsoft
Microsoft Consent Flow
- In the group layer, go to Setup > Single Sign On.
- Select Microsoft.
- Enter the Email. The status will update to “Pending Admin Approval.”
- Next, depending on access level, select either:
  - I’m the IT Admin: This will redirect you to the consent flow.
  - Request approval: Copy the Consent Link and contact your IT admin to proceed with the consent flow.
- Once approved, AIQ will give consent automatically and the status will update from “Pending Admin Approval” to “Approved - Verify Login.” Click Verify login.
- Sign in to your account. You may be asked to confirm that you have signed in by clicking on an “I have signed in” popup. Once your login is verified, the domain used in the token will be automatically added and the status will update to “Ready - Not Enabled.”
- Click Configure Domains. Add as many domains or domain alias/es as required and click Save to validate the domains. At least one domain must be added before you can enable SSO.
- If 2FA is enabled on the account, it will be toggled on by default. Disable it if required.
- Click Enable setup to complete the process.
- Click Tick to Confirm and Proceed in the confirmation screen. The status will update to “Enabled”.
Google Workspace
Google Workspace Consent Flow
The consent flow for Google Workspace works differently from the Microsoft flow. As AIQ cannot automatically detect whether consent was given, the responsibility for confirming that consent has been given lies with the user.
- In the group layer, go to Setup > Single Sign On.
- Select Google.
- Copy the Client ID and App Name and share them with your IT admin. The status will update to “Pending Admin Approval.” (If you are an IT admin, refer to the IT Admin instructions below.)
- Once approved by your admin, click Confirm to give consent. The status will update from “Pending Admin Approval” to “Approved - Verify Login.”
- Next, you will be redirected to AIQ login to ensure you can log in correctly. You may be asked to confirm that you have signed in by clicking on “I have signed in”. Once your login is verified, the domain used in the token will be automatically added and the status will update to “Ready - Not Enabled.”
- Click Configure Domains. Add as many domains or domain alias/es as required and click Save to validate the domains. At least one domain must be added before you can enable SSO.
- If 2FA is enabled on the account, it will be toggled on by default. Disable it if required.
- Click Enable setup to complete the process.
- Click Tick to Confirm and Proceed in the confirmation screen. The status will update to “Enabled”.
IT Admin: Add an AIQ Verified Application to Google Workspace Admin Console
- Go to Security > Access and Data Control > API Controls.
- Select Manage Third-Party App Access.
- Select Configure new app.
- Paste in the ID provided from the self-serve setup. Ensure that you see AccountsIQ and select it.
- Ensure the selected app is AccountsIQ and is Verified, then click Continue.
- Select Specific Google Data and click Continue.
- Confirm selection and click Finish.
Managing SSO
Add/Remove Domains
Once setup is completed, you can still add or remove domains by selecting Configure Domains. No other change is allowed, as this could lock users out of the system. If any other change is required (i.e. moving IDP), contact support at support@accountsiq.com.
Disable SSO
If practice administrators want users to log in using the legacy flow, they can disable self-serve SSO. The new setup records will not be impacted and can be updated before re-enabling self-serve SSO.
Note that when the legacy flow is disabled, login data is deleted after 7 days, so if it is re-enabled, users will need to reset their passwords.
- In the group layer, go to Setup > Single Sign On.
- Click Disable SSO.
- Click Proceed. An OTP will be sent to your user email.
- Enter the OTP and click Disable SSO.
- Click Proceed and the status will update to “Disabled.”