Introduction
To set up Single Sign-On (SSO) for your company's users, follow the two steps indicated below.
Do not email the details below to support. Include them in the Registration Form instead (step 2), and our team will reach out to you via email.
Step One: Create and configure an application in the Microsoft Entra tenant from the Azure portal. This registers (whitelists) the AIQ redirect URL for your region so the user can be returned safely to AIQ. You will then have the following details:
- IDP connection: In Azure go to App registrations and then Endpoints. Copy the “OpenID Connect metadata document.”
- App credentials: Record the Client ID, Secret Value, and Client Secret Expiry Date during app creation.
- Domain name: This is your email domain from the Active Directory server.
Step Two: Complete this registration form. This will create a support ticket, and our team will reach out via email to help finalize the setup.
Once these steps are completed, your company can use SSO. When users log in for the first time, they'll need to link to their Microsoft account.
For detailed information on each step, see the relevant section below.
Setting up and Configuring an App in IDP
Set up an App in IDP
Note, on first login to your IDP, you may be required to request admin consent to allow AIQ to read names and emails from your domain.
- Sign into the Azure portal.
- If you have access to multiple tenants, select the Settings icon in the top menu. Then, use the Directories + subscriptions menu to switch to your Microsoft Entra tenant.
- Under All services in the top-left corner, search for and select App registrations.
- Select New registration.
- Enter a descriptive name for the application. For example, “AccountsIQ SSO Microsoft Entra AD.”
- Select Accounts in this organizational directory only (Your Tenant only - Single tenant) for this application.
- For the Redirect URI, select Web, and enter the following URL for your region in all lowercase letters:
  - UK1: https://accountsiquk1.b2clogin.com/accountsiquk1.onmicrosoft.com/oauth2/authresp
  - EU1: https://accountsiqeu1.b2clogin.com/accountsiqeu1.onmicrosoft.com/oauth2/authresp
  - EU2: https://accountsiqeu2.b2clogin.com/accountsiqeu2.onmicrosoft.com/oauth2/authresp
  - US1: https://accountsiqus1.b2clogin.com/accountsiqus1.onmicrosoft.com/oauth2/authresp
- Click Register. Record the Application (client) ID for use in a later step.
- Select Certificates & secrets, and then select New client secret.
- Enter a Description for the secret. Select an expiration (preferably the longest possible, with a 2-year minimum; record the expiry date to report back to AIQ), and then click Add. Record the Value of the secret and its expiry date for use in a later step.
Configuring Claims
- Sign in to the Azure portal.
- Search for and select Microsoft Entra ID.
- From the Manage section, select App registrations.
- From the list, select the application you want to configure optional claims for.
- From the Manage section, select Token configuration.
- Select Add optional claim.
- For the Token type, select ID.
- Select the optional claims to add email, family_name, and given_name.
- Select Add. If “Turn on the Microsoft Graph email permission” (required for the claims to appear in the token) appears, enable it, and then select Add again.
Next Step
Now that you have completed the setup and configuration process, you need to complete this registration form. This will create a support ticket, and our team will reach out via email to help finalize the setup.
- IDP connection: Access this in Azure by going to App registrations and then Endpoints. Copy the “OpenID Connect metadata document.”
- App credentials: Record the Client ID, Client secret, and Client Secret Expiry Date during app creation.
- Domain name: This is the email domain of the AD server.
When we have finished the SSO setup process, we will contact you by email.
Note, if your IDP policy is about to expire, you will receive a reminder to renew it and send it back to us. Once you do, we will update your records. Admin users will receive multiple reminders to make the update from three months before until the day before the IDP policy expires. After that you will lose access to the system as your IDP won't allow the connection between our platforms.
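A pre-flight check for the details requested above (redirect URI, client secret expiry, email domain, and the optional ID token claims), written here as an added example and not AccountsIQ's own code or tooling. The 90-day approximation of the three-month reminder window, the function names, and the sample values are assumptions.

```python
"""Sanity checks on the SSO registration details before submitting the form (added example)."""
from datetime import date, timedelta

# Region redirect URIs exactly as listed above; the registered value must match in all lowercase.
REDIRECT_URIS = {
    "UK1": "https://accountsiquk1.b2clogin.com/accountsiquk1.onmicrosoft.com/oauth2/authresp",
    "EU1": "https://accountsiqeu1.b2clogin.com/accountsiqeu1.onmicrosoft.com/oauth2/authresp",
    "EU2": "https://accountsiqeu2.b2clogin.com/accountsiqeu2.onmicrosoft.com/oauth2/authresp",
    "US1": "https://accountsiqus1.b2clogin.com/accountsiqus1.onmicrosoft.com/oauth2/authresp",
}
# Optional claims added under Token configuration for the ID token.
REQUIRED_ID_CLAIMS = ("email", "family_name", "given_name")
REMINDER_WINDOW = timedelta(days=90)  # "three months before expiry", approximated (assumption)


def redirect_uri_ok(region: str, registered: str) -> bool:
    """Exact, case-sensitive match: a mixed-case or trailing-slash variant is a different URI."""
    return REDIRECT_URIS.get(region) == registered


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def secret_lifetime_ok(created_iso: str, expiry_iso: str) -> bool:
    """The secret should use the longest expiry available, with two years as the minimum."""
    created, expiry = date.fromisoformat(created_iso), date.fromisoformat(expiry_iso)
    return expiry >= _add_years(created, 2)


def secret_status(expiry_iso: str, today_iso: str) -> str:
    """'expired' on or after the expiry date, 'renew' inside the reminder window, else 'ok'."""
    expiry, today = date.fromisoformat(expiry_iso), date.fromisoformat(today_iso)
    if today >= expiry:
        return "expired"  # the IDP will no longer allow the connection
    return "renew" if today >= expiry - REMINDER_WINDOW else "ok"


def email_domain_ok(email: str, registered_domain: str) -> bool:
    """The login email must belong to the domain submitted on the registration form."""
    return "@" in email and email.rsplit("@", 1)[1].lower() == registered_domain.lower()


def missing_id_claims(id_token_claims: dict) -> list:
    """Names of the required optional claims absent from a decoded ID token payload."""
    return [c for c in REQUIRED_ID_CLAIMS if not id_token_claims.get(c)]


if __name__ == "__main__":
    sample = {"email": "jane.doe@example.com", "given_name": "Jane"}  # constructed; family_name missing
    print(missing_id_claims(sample), secret_status("2026-01-01", "2025-11-15"))
```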
Note, if your IDP has MFA enabled, we suggest you disable it in AccountsIQ to avoid having two sets of MFAs when you log in.
Logging in using SSO
Once you have completed the steps outlined above, your users can sign in using SSO.
- Click Log in with Microsoft.
- Enter your email and click Log In. This email must match what is registered in your AIQ account.
- Next, enter details for your IDP. This must match the email that was entered in the login screen. The login will fail if a different email is entered.
- Enter your password.
- Depending on which accounts your user has access to, you will either be automatically logged in or asked to provide an Account ID as follows:
- You have one Partner assigned to your user: You will be automatically logged into the Partner regardless of the number of Providers you have assigned.
- You have one Provider assigned to your user: You will be automatically logged into that Provider.
- You have multiple Providers assigned to your user: You will be required to enter a Partner ID in the screen below.
- You have multiple Partners assigned to your user: You will be required to enter a Provider ID in the screen below.
- You have one or multiple Entities assigned to your user: You will be required to enter an Account ID in the screen below.
- Click Continue.