
Single Sign-On (SSO)

Updated today

Single Sign-On (SSO) lets your company members securely access the Intigriti platform using your Identity Provider (IdP). This simplifies login, improves security by eliminating separate Intigriti passwords, and enables centralized authentication. Intigriti supports SSO through the OpenID Connect (OIDC) protocol.

Configure SSO

⚙️Roles: Company Admin

Select your Identity Provider below. Each section provides guidance on how to configure Single Sign-On for that provider.

Azure

Below you will find the steps to set up SSO for the Intigriti platform using Azure. A video showcasing the process can be found below.

Below you can find the permissions Intigriti will require for each IdP to successfully set up SSO:

  1. Sign in to Azure

  2. Navigate to “Entra ID”

  3. Navigate to “App registrations”

  4. Click “New registration”

  5. Register an application

    1. Name “Intigriti SSO”

    2. Select “Supported account types” relevant to your company

    3. Redirect URL

      1. Select “Web” from dropdown

      2. Copy and paste “Redirect URL” from Intigriti platform SSO page

    4. Click “Register”

  6. Navigate to “Certificates & secrets”

  7. Add “New client secret”

    1. Give it a description/name and set the expiry time

  8. Copy “Value”

  9. Paste into “Client secret (optional)” in Intigriti platform

  10. Navigate back to “Overview”

  11. Copy “Application (client) ID” value in Azure

  12. Paste into “Client ID” in Intigriti platform

  13. Click on “Endpoints” in Azure App registration overview page

  14. Copy “OpenID Connect metadata document”

  15. Paste into “Identity provider URL” in Intigriti platform

  16. In Intigriti platform, enter an “Identity provider name” e.g. “Azure”.

  17. Click “Save”

  18. Click “Activate”

  19. Navigate to “Company Members”

    1. Click the three dots next to the company member

    2. Enable SSO

    3. User will then receive an email with a button to sign in via SSO.

      1. The user only needs to act on this email once; after that, they can log in to the Intigriti platform and will be redirected to sign in via SSO.

Azure Troubleshooting

Expired Client Secret

If you see the error message "Message contains error: 'invalid_client', error_description: 'AADSTS7000222: The provided client secret keys for app '397be451-3881-404f-8831-725d743beacb' are expired.", follow the steps below to create a new client secret in Azure:

  1. Log in to Azure

  2. Entra ID

  3. App Registrations

  4. All Applications

  5. Intigriti SSO app (The app created previously for SSO with Intigriti)

  6. Certificates and Secrets (left hand menu)

  7. "New client secret"

    1. Provide description and expiry time

  8. Paste newly created client secret into "client secret" field in Intigriti SSO configuration page.

💡 Should you need to update the client secret but you cannot access the platform because of it, contact your CSM.

Someone from Intigriti will disable SSO on the responsible user account so they can access the platform via a local account* and update the client secret. SSO can then be re-enabled on their account.

*When SSO is disabled on an account, the user will receive an email to set up the password for their local account.

Error containing “invalid_request” or “invalid_client” and containing error code “AADSTS7000218” or “AADSTS50146”

This is potentially due to a custom claim interfering with the SSO process. To check, navigate to:

  1. Azure

  2. Entra ID

  3. Enterprise Applications

  4. Intigriti SSO

  5. Single Sign-on

  6. Attributes & Claims

  7. Remove any claims

Approval required when signing in via SSO

Should you run into the issue where you are required to “Request Approval” from an administrator, check the following:

  1. Azure

  2. Entra ID

  3. App Registrations

  4. Intigriti SSO

  5. API Permissions

  6. Add a permission

    1. Microsoft Graph

    2. Delegated permissions

    3. User.Read

Important: Make sure that “Intigriti SSO” is a separate enterprise application. If it isn’t, follow the setup steps: creating the “Intigriti SSO” app registration also creates an “Intigriti SSO” enterprise app.

Okta

Below you will find the steps to set up SSO for the Intigriti platform using Okta. A video showcasing the process can be found below.

Below you can find the permissions Intigriti will require for each IdP to successfully set up SSO:

  1. Log in to the Okta management UI

  2. Navigate to Applications -> Applications

  3. Click “Create App Integration”

    1. Sign-in method: OIDC

    2. Application type: Web Application

  4. Name

  5. Grant type

    1. Client acting on behalf of itself: Client Credentials

    2. Client acting on behalf of user: Authorization Code

  6. Sign-in redirect URIs

    1. Remove placeholder URI

    2. Copy Redirect URL from Intigriti platform SSO page

    3. Add URI -> Paste

  7. Sign-out redirect URIs

    1. Remove placeholder URI

  8. Assignments

    1. Controlled access: Allow everyone in your organization to access

      1. Or limit to specific users

    2. Enable immediate access: Untick “Enable immediate access with Federation Broker Mode”

  9. Save

  10. Navigate to “Sign on”

  11. OpenID Connect ID Token

    1. Edit

    2. Issuer: Okta URL

    3. Save

  12. Copy “Okta URL”

  13. Paste Okta URL into “Identity provider URL” in Intigriti platform

  14. Navigate to “General”

  15. Copy “Client ID”

  16. Paste into “Client ID” in Intigriti platform

  17. Copy “Client Secret”

    1. If no client secret, generate new secret

  18. Paste into “Client secret (optional)” in Intigriti platform

  19. Provide an “Identity provider name”

  20. Click “Save”

  21. Click “Activate”

  22. Navigate to “Company Members”

    1. Click the three dots at the end of a member

    2. Enable SSO

    3. User will then receive an email with a button to sign in via SSO.

      1. The user only needs to act on this email once; after that, they can log in to the Intigriti platform and will be redirected to sign in via SSO.

Auth0

Below you will find the steps to set up SSO for the Intigriti platform using Auth0:

  • Create an application using the Auth0 guide.

    • Application name: 'Intigriti'

    • Application type: ✅ 'Regular Web Applications'

  • Open the newly created application.

  • Go to Settings.

  • Retrieve the following information from the Basic information section:

    • Identity provider URL = Domain

    • Client ID

    • Client Secret

Add the Redirect URL provided on the Intigriti SSO Settings page to the Allowed Callback URLs in the Application URIs section.

If your Identity Provider is not listed, refer to your provider’s documentation for guidance on configuring OpenID Connect.

💡Note: If you would like tailored instructions for a specific Identity Provider, please reach out to your Customer Success Manager.

Activate SSO

Once the Single Sign-On configuration page is completed with the values from your chosen Identity Provider, you can activate SSO and enable it for your users.

  1. Navigate to Intigriti > Admin > More > Single Sign-On.

  2. Provide the following information:

    1. Client Secret

    2. Client ID

    3. Redirect URL

    4. Identity Provider URL

  3. Click Activate.

After successfully activating your SSO integration:

  1. Navigate to Company Members.

  2. Click the three dots at the end of a member.

  3. Enable SSO.

  4. Repeat this step for each user you want to enable SSO for.

💡Note: When Single Sign-On is enabled for a user, an email is sent requesting them to reauthenticate via SSO. This step is required only once.

Edit SSO settings

You can edit the Single Sign-On configuration without deactivating SSO. This is especially useful when updating an expired client secret.

  1. Go to Intigriti > Admin > More > Single Sign-On.

  2. Click Edit.

  3. Update the desired fields.

  4. Click Save.

⚠️Beware: Make sure all changes in the Identity Provider are saved before editing the configuration in Intigriti.

If SSO stops working after editing, verify that the values from your Identity Provider are correct in the Intigriti platform. You can follow the setup steps for your Identity Provider again to confirm the configuration.
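
One way to pre-check the “Identity provider URL” value against the OpenID Connect metadata it points to, as an added example (not Intigriti's code). The `idp.example.com` document is constructed, and treating a bare domain as `https://` and ignoring a trailing slash when comparing issuers are assumptions of this example.

```python
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed metadata document for a hypothetical IdP at idp.example.com.
SAMPLE_METADATA = {
    "issuer": "https://idp.example.com/",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/oauth/token",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
    "scopes_supported": ["openid", "profile", "email"],
}


def issuer_base(identity_provider_url):
    """Reduce the configured URL (metadata URL, issuer URL or bare domain) to an issuer."""
    url = identity_provider_url.strip()
    if "://" not in url:                 # assumption: a bare domain means https
        url = "https://" + url
    if url.endswith(WELL_KNOWN):
        url = url[: -len(WELL_KNOWN)]
    return url.rstrip("/")


def check_metadata(identity_provider_url, metadata):
    """Return a list of problems; an empty list means the basic checks passed."""
    problems = []
    expected = issuer_base(identity_provider_url)
    issuer = metadata.get("issuer", "")
    if issuer.rstrip("/") != expected:   # assumption: trailing slash is not significant
        problems.append(f"issuer {issuer!r} does not match configured URL {expected!r}")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if not value:
            problems.append(f"{key} is missing")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not https: {value}")
    if "code" not in metadata.get("response_types_supported", []):
        problems.append("authorization code flow ('code') is not advertised")
    if "openid" not in metadata.get("scopes_supported", ["openid"]):
        problems.append("'openid' scope is not advertised")
    return problems


if __name__ == "__main__":
    print(check_metadata("idp.example.com", SAMPLE_METADATA) or "metadata looks consistent")
```

In practice, `metadata` is the JSON served at your IdP's OpenID Connect metadata URL.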

Deactivate SSO

Single Sign-On can be disabled for individual users from the Company Members page or for the entire organisation by deactivating the SSO integration.

When Single Sign-On is deactivated:

  • The authentication method for all your company members is reverted to password authentication.

  • All active converted company members receive an email requesting them to set up a new password, which they must use to sign in going forward.

  • Company members are no longer redirected to the Identity Provider and can only access the Intigriti platform using local account credentials.

The existing Single Sign-On configuration remains available, allowing you to easily enable it again in the future if needed.

Best practices

  • Test the Single Sign-On integration with a company member or another company admin before enabling it for all users. This helps prevent accidental lockouts and ensures a smooth transition.

  • If a lockout does occur during the transition, contact your Customer Success Manager for assistance.

  • Monitor Identity Provider credentials and update them before they expire to ensure uninterrupted access to the platform.
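
The monitoring advice above and the AADSTS7000222 error under Azure Troubleshooting both come down to knowing when a client secret expires. This added example (not Intigriti or Microsoft code) flags expired and soon-to-expire secrets in JSON shaped like the output of `az ad app credential list`; the sample entries and the 30-day warning window are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az ad app credential list --id <app-id>` output.
# Names, key IDs and dates are placeholders, not real credentials.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "intigriti-sso-2023", "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2025-01-10T00:00:00Z"},
    {"displayName": "intigriti-sso-2024", "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2025-02-01T08:30:00.1234567Z"},
    {"displayName": "intigriti-sso-2025", "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2026-01-15T00:00:00Z"},
])


def parse_end(value):
    """Parse a UTC timestamp such as 2025-02-01T08:30:00.1234567Z (fraction dropped)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def secrets_needing_rotation(credentials_json, now, warn_days=30):
    """Return (status, name, days_left) tuples, most urgent first."""
    findings = []
    for cred in json.loads(credentials_json):
        end = parse_end(cred["endDateTime"])
        days_left = (end - now).days
        if end <= now:
            status = "EXPIRED"      # sign-in fails with invalid_client if this one is in use
        elif days_left < warn_days:
            status = "EXPIRING"     # create a replacement and update Intigriti first
        else:
            continue
        name = cred.get("displayName") or cred["keyId"]
        findings.append((status, name, days_left))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for status, name, days_left in secrets_needing_rotation(SAMPLE_CREDENTIALS, now):
        print(f"{status:9} {name} ({days_left} days)")
```

The script cannot tell which secret is the one pasted into Intigriti, so match the flagged entry against the description you gave it when creating it.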
