Intigriti supports Single Sign-On (SSO) through OpenID Connect (OIDC) for any identity provider of your choice. It will allow company members to easily and securely access Intigriti with their Identity Provider (IdP) credentials.
The SSO configuration page can be found in the Intigriti platform here:
Admin -> More -> Single Sign On
Values from the IdP should be pasted here when prompted in the instructions below.
What do I need?
An Identity Provider (IdP) adhering to the OpenID Connect (OIDC) protocol.
OpenID Connect is an identity layer on top of the OAuth 2.0 framework.
Your Identity Provider's OpenID Connect discovery document (metadata).
A company administrator to configure the SSO settings.
Tip 💡
To avoid potential lock-out of a company admin account, we recommend test-driving the SSO integration by having a company member, or another company admin try it out before converting all accounts. This will help ensure a smooth transition without any unintended consequences.
Should you get locked out, get in touch with your CSM.
Permissions Required:
Below you can find the permissions Intigriti will require for each IdP to successfully set up SSO:
For Azure: Microsoft Graph API – User.read (https://learn.microsoft.com/en-us/graph/permissions-reference#userread)
These permissions should be delegated automatically when following the setup instructions.
For Okta: API Access Management: https://developer.okta.com/docs/concepts/api-access-management/
Note that Okta API Access Management is a paid-for feature of Okta; please check whether your plan includes it before starting the setup.
Configuring SSO:
Please select your chosen IdP below. Each collapsible section provides instructions on how to configure SSO.
Azure
Below you will find the steps to set up SSO for the Intigriti platform using Azure. A video showcasing the process can be found below.
Sign in to Azure
Navigate to “Entra ID”
Navigate to “App registrations”
Click “New registration”
Register an application
Name “Intigriti SSO”
Select “Supported account types” relevant to your company
Redirect URL
Select “Web” from dropdown
Copy and paste “Redirect URL” from Intigriti platform SSO page
Click “Register”
Navigate to “Certificates & secrets”
Add “New client secret”
Give it a description/name and set the expiry time
Copy “Value”
Paste into “Client secret (optional)” in Intigriti platform
Navigate back to “Overview”
Copy “Application (client) ID” value in Azure
Paste into “Client ID” in Intigriti platform
Click on “Endpoints” in Azure App registration overview page
Copy “OpenID Connect metadata document”
Paste into “Identity provider URL” in Intigriti platform
In Intigriti platform, enter an “Identity provider name” e.g. “Azure”.
Click “Save”
Click “Activate”
Navigate to “Company Members”
Click the three dots next to company member
Enable SSO
User will then receive an email with a button to sign in via SSO.
This email only needs to be interacted with once; after that, they can simply log in to the Intigriti platform and will be redirected to sign in via SSO.
Azure Troubleshooting
Expired Client Secret
If you face the error message "Message contains error: 'invalid_client', error_description: 'AADSTS7000222: The provided client secret keys for app '397be451-3881-404f-8831-725d743beacb' are expired.", follow the steps below to create a new client secret in Azure:
Log in to Azure
Entra ID
App Registrations
All Applications
Intigriti SSO app (The app created previously for SSO with Intigriti)
Certificates and Secrets (left hand menu)
"New client secret"
Provide description and expiry time
Paste newly created client secret into "client secret" field in Intigriti SSO configuration page.
💡 Should you need to update the client secret but you cannot access the platform because of it, contact your CSM.
Someone from Intigriti will disable the SSO on the responsible user account so they can access the platform via a local account* and update the client secret. SSO can then be re-enabled on their account.
*When SSO is disabled on an account, the user will receive an email to set up the password for their local account.
Error containing “invalid_request” or “invalid_client” and containing error code “AADSTS7000218” or “AADSTS50146”
This is potentially due to a custom claim interfering with the SSO process. To check, navigate to:
Azure
Entra ID
Enterprise Applications
Intigriti SSO
Single Sign-on
Attributes & Claims
Remove any claims
Approval required when signing in via SSO
Should you run into the issue where you are required to “Request Approval” from an administrator, check the following:
Azure
Entra ID
App Registrations
Intigriti SSO
API Permissions
Add a permission
Microsoft Graph
Delegated permissions
User.read
Important: Make sure that “Intigriti SSO” exists as a separate enterprise application. If it doesn’t, follow the setup steps above: creating the “Intigriti SSO” app registration also creates an “Intigriti SSO” enterprise application.
Okta
Below you will find the steps to set up SSO for the Intigriti platform using Okta. A video showcasing the process can be found below.
Log in to the Okta management UI
Navigate to Applications -> Applications
Click “Create App Integration”
Sign-in method: OIDC
Application type: Web Application
Name
Grant type
Client acting on behalf of itself: Client Credentials
Client acting on behalf of user: Authorization Code
Sign-in redirect URIs
Remove placeholder URI
Copy Redirect URL from Intigriti platform SSO page
Add URI -> Paste
Sign-out redirect URIs
Remove placeholder URI
Assignments
Controlled access: Allow everyone in your organization to access
Or limit to specific users
Enable immediate access: Untick “Enable immediate access with Federation Broker Mode”
Save
Navigate to “Sign on”
OpenID Connect ID Token
Edit
Issuer: Okta URL
Save
Copy “Okta URL”
Paste Okta URL into “Identity provider URL” in Intigriti platform
Navigate to “General”
Copy “Client ID”
Paste into “Client ID” in Intigriti platform
Copy “Client Secret”
If no client secret, generate new secret
Paste into “Client secret (optional)” in Intigriti platform
Provide an “Identity provider name”
Click “Save”
Click “Activate”
Navigate to “Company Members”
Click the three dots at the end of a member
Enable SSO
User will then receive an email with a button to sign in via SSO.
This email only needs to be interacted with once; after that, they can simply log in to the Intigriti platform and will be redirected to sign in via SSO.
Auth0
Below you will find the steps to set up SSO for the Intigriti platform using Auth0.
Create an application using the Auth0 guide.
Application name: 'Intigriti'
Application type: ✅ 'Regular Web Applications'
Open the newly created application.
Go to Settings.
Retrieve the following information from the Basic information section:
Identity provider URL = Domain
Client ID
Client Secret
Add the Redirect URL provided on the Intigriti SSO Settings page to the Allowed Callback URLs in the Application URIs section.
Other IdPs
For other IdPs not listed in this article, you will need to acquire the below values within your IdP to set up SSO via OIDC:
Client Secret
Client ID
Redirect URL
Identity Provider URL
These values should be available in your IdP and can then be pasted into the Intigriti SSO page.
Your IdP's documentation should have more information.
We are happy to continue updating this article; if you have a specific IdP you would like tailored instructions on, please reach out.
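As an added check that is not part of this article or of the Intigriti platform: a small Python script that derives the discovery URL from the "Identity provider URL" value (Azure's metadata document URL already is one; an Okta or Auth0 issuer URL needs the well-known suffix) and verifies that the discovery document supports the flow configured above, i.e. the authorization code grant with a client secret. The sample document and tenant id are constructed placeholders; in practice the document is fetched from the discovery URL.

```python
import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

def discovery_url(idp_url: str) -> str:
    """Map the 'Identity provider URL' value to its discovery URL: Azure's metadata
    document URL already is one; an Okta or Auth0 issuer URL gets the suffix appended."""
    url = idp_url.rstrip("/")
    return url if url.endswith(WELL_KNOWN) else url + WELL_KNOWN

def check_discovery(doc: dict, idp_url: str) -> list:
    """Return the problems found (empty list = usable for the confidential
    web-app authorization-code flow configured in this article)."""
    problems = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not doc.get(key):
            problems.append(f"missing {key}")
    issuer_host = urlparse(doc.get("issuer", "")).netloc
    if issuer_host and issuer_host != urlparse(idp_url).netloc:
        problems.append(f"issuer host {issuer_host!r} does not match identity provider URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    # Per OIDC Discovery 1.0 the next two fields default to these values when absent.
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if not {"client_secret_basic", "client_secret_post"} & set(methods):
        problems.append("token endpoint does not accept a client secret")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("openid scope not advertised")
    return problems

# Constructed sample (placeholder tenant id, not a real tenant), shaped like an Azure v2.0 document.
TENANT = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
SAMPLE_IDP_URL = TENANT + "/v2.0" + WELL_KNOWN
SAMPLE_DOC = json.loads(f"""{{
  "issuer": "{TENANT}/v2.0",
  "authorization_endpoint": "{TENANT}/oauth2/v2.0/authorize",
  "token_endpoint": "{TENANT}/oauth2/v2.0/token",
  "jwks_uri": "{TENANT}/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"]
}}""")

if __name__ == "__main__":
    print(discovery_url("https://dev-example.okta.com"))  # constructed Okta-style issuer
    print(check_discovery(SAMPLE_DOC, SAMPLE_IDP_URL) or "discovery document OK")
```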
Editing SSO Configuration:
You can edit the SSO configuration without needing to deactivate SSO. This is especially useful when updating an expired client secret.
Step-by-step:
Go to Intigriti > Admin > More > Single Sign-On
Click Edit
Edit the value as needed e.g. Client Secret
Click Save
Should SSO cease to work after editing, make sure that the values from your IdP are entered correctly in the Intigriti platform. You can walk through the setup steps for your IdP again to verify them.
Also make sure any changes within the IdP are saved prior to editing the configuration in the Intigriti platform.
Activating and Enabling SSO:
Once the SSO configuration page has been filled out with the values from your chosen IdP, the next step is activating SSO and enabling it for your users. To do so, please follow the below steps:
Navigate to Intigriti > Admin > More > Single Sign-On
Click Activate
Navigate to Company Members
Click the three dots at the end of a member
Enable SSO
Users who have had SSO enabled will then receive an email with a button to sign in via SSO.
This email only needs to be interacted with once; after that, they can simply log in to the Intigriti platform and will be redirected to sign in via SSO.
Deactivating SSO:
Please beware that upon deactivation of SSO:
The authentication method of all company members is set back to password.
All active converted company members will receive an email asking them to set up a new password and use it to log in from then on.
Company members are no longer redirected to your identity provider and can only access Intigriti with their local account credentials.
Step-by-step:
Go to Intigriti > Admin > More > Single Sign-On.
Click Deactivate.
To disable SSO on a specific user, navigate to:
Company Members -> Select the 3 dots next to a user -> Disable SSO.
Note that your SSO configuration will remain available, allowing you to easily enable it again in the future if desired.