Single Sign-On (SSO)

This article explains how to set up SSO for Intigriti using OpenID Connect (OIDC).

Written by Jason Coleman

Intigriti supports Single Sign-On (SSO) through OpenID Connect (OIDC) with any identity provider of your choice. This allows company members to access Intigriti easily and securely with their Identity Provider (IdP) credentials instead of a separate Intigriti password.

The SSO configuration page can be found in the Intigriti platform here:

Admin -> More -> Single Sign On

Values from the IdP should be pasted here when prompted in the instructions below.

What do I need?

  • An Identity Provider (IdP) adhering to the OpenID Connect (OIDC) protocol.
    OpenID Connect is an identity layer on top of the OAuth 2.0 framework.

  • Your Identity Provider's discovery document (the URL ending in /.well-known/openid-configuration) or the issuer URL from which it is derived.

  • A company administrator to configure the SSO settings.

Tip 💡

To avoid potential lock-out of a company admin account, we recommend test-driving the SSO integration by having a company member, or another company admin try it out before converting all accounts. This will help ensure a smooth transition without any unintended consequences.

Should you get locked out, get in touch with your CSM.

Permissions Required:

Below you can find the permissions Intigriti will require from each IdP to successfully set up SSO:

Configuring SSO:

Please select your chosen IdP below. Each collapsible section provides instructions on how to configure SSO.

Azure

Below you will find the steps to set up SSO for the Intigriti platform using Azure (Microsoft Entra ID). A video showcasing the process can be found below.

  1. Sign in to Azure

  2. Navigate to “Entra ID”

  3. Navigate to “App registrations”

  4. Click “New registration”

  5. Register an application

    1. Name: “Intigriti SSO”

    2. Select the “Supported account types” relevant to your company. For a single organisation, “Accounts in this organizational directory only” (single tenant) is the safest choice; the multi-tenant options let accounts from other Entra directories authenticate against this registration.

    3. Redirect URI

      1. Select “Web” from the dropdown

      2. Copy the “Redirect URL” from the Intigriti platform SSO page and paste it exactly as shown. Redirect URIs are compared character for character, so a missing or extra trailing slash will break sign-in.

    4. Click “Register”

  6. Navigate to “Certificates & secrets”

  7. Add a “New client secret”

    1. Give it a description/name and set the expiry time. Note the expiry date somewhere you will see it: once the secret expires, SSO stops working until it is rotated (see Azure Troubleshooting below).

  8. Copy “Value”. The full value is shown only at creation time; afterwards Azure displays just a hint, and a lost secret must be replaced with a new one.

  9. Paste into “Client secret (optional)” in the Intigriti platform

  10. Navigate back to “Overview”

  11. Copy the “Application (client) ID” value in Azure

  12. Paste into “Client ID” in the Intigriti platform

  13. Click on “Endpoints” on the Azure App registration overview page

  14. Copy “OpenID Connect metadata document”. This is your tenant-specific OIDC discovery document (the URL ends in /.well-known/openid-configuration). Use this value rather than a generic “common” endpoint, so that the issuer in the document matches the issuer of the ID tokens your tenant signs.

  15. Paste into “Identity provider URL” in the Intigriti platform

  16. In the Intigriti platform, enter an “Identity provider name”, e.g. “Azure”.

  17. Click “Save”

  18. Click “Activate”

  19. Navigate to “Company Members”

    1. Click the three dots next to a company member

    2. Enable SSO

    3. The user will then receive an email with a button to sign in via SSO.

      1. This email only needs to be interacted with once; after that they can simply log into the Intigriti platform and will be redirected to sign in via SSO.

Azure Troubleshooting

Expired Client Secret

If you see the error message "Message contains error: 'invalid_client', error_description: 'AADSTS7000222: The provided client secret keys for app '397be451-3881-404f-8831-725d743beacb' are expired.'", every client secret on the app registration has passed its expiry date. Follow these steps to create a new client secret in Azure:

  1. Log in to Azure

  2. Entra ID

  3. App Registrations

  4. All Applications

  5. Intigriti SSO app (The app created previously for SSO with Intigriti)

  6. Certificates and Secrets (left hand menu)

  7. "New client secret"

    1. Provide description and expiry time

  8. Copy the new secret's "Value" (shown only once) and paste it into the "Client secret" field on the Intigriti SSO configuration page via Edit; SSO does not need to be deactivated for this. Once sign-in works again, delete the expired secret from the app registration so only the current one remains.

💡 Should you need to update the client secret but you cannot access the platform because of it, contact your CSM.

Someone from Intigriti will disable the SSO on the responsible user account so they can access the platform via a local account* and update the client secret. SSO can then be re-enabled on their account.

*When SSO is disabled on an account, the user will receive an email to set up the password for their local account.
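An expired secret is easier to avoid than to recover from, so it is worth checking the expiry dates before Entra starts returning AADSTS7000222. The script below is an added example (not Intigriti's or Microsoft's code): it classifies the client secrets of an app registration as expired, expiring or ok and turns that into a rotation plan. The records and the fixed clock are constructed for illustration; they follow the field names that `az ad app credential list --id <application-id>` prints, and the `az ad app credential delete` command it suggests is assumed from that CLI's documented syntax.

```python
"""Spot Entra app client secrets that have expired or are about to.

Added example, not Intigriti's code. The credential records below are
constructed, but use the field names emitted by
`az ad app credential list --id <application-id>`.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

# Constructed sample: three secrets on one app registration (fake key IDs).
SAMPLE_CREDENTIALS = json.loads("""[
  {"displayName": "intigriti-sso-2024", "keyId": "00000000-0000-0000-0000-000000000001",
   "startDateTime": "2024-01-31T00:00:00Z", "endDateTime": "2025-01-31T00:00:00Z"},
  {"displayName": "intigriti-sso-2025", "keyId": "00000000-0000-0000-0000-000000000002",
   "startDateTime": "2025-01-15T00:00:00Z", "endDateTime": "2025-06-01T00:00:00Z"},
  {"displayName": "intigriti-sso-2025b", "keyId": "00000000-0000-0000-0000-000000000003",
   "startDateTime": "2025-05-10T00:00:00Z", "endDateTime": "2026-05-10T00:00:00Z"}
]""")

# Fixed "current time" so the demonstration is reproducible (assumption).
NOW = datetime(2025, 5, 20, tzinfo=timezone.utc)


def parse_timestamp(value: str) -> datetime:
    """Graph emits RFC 3339 with a trailing 'Z'; fromisoformat() only accepts that from 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def secret_status(credentials: list[dict], now: datetime, warn_days: int = 30) -> list[dict]:
    """Classify each secret as 'expired', 'expiring' (within warn_days) or 'ok', oldest first."""
    rows = []
    for cred in credentials:
        end = parse_timestamp(cred["endDateTime"])
        if end <= now:
            status = "expired"
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        rows.append({
            "displayName": cred["displayName"],
            "keyId": cred["keyId"],
            "endDateTime": end.isoformat(),
            "daysLeft": (end - now).days,   # negative once expired
            "status": status,
        })
    return sorted(rows, key=lambda r: r["endDateTime"])


def has_valid_secret(credentials: list[dict], now: datetime) -> bool:
    """False means every secret is expired: Entra answers AADSTS7000222 and SSO is down."""
    return any(r["status"] != "expired" for r in secret_status(credentials, now))


def rotation_plan(credentials: list[dict], now: datetime, warn_days: int = 30) -> list[str]:
    """Turn the classification into the actions an admin should take, urgent ones first."""
    rows = secret_status(credentials, now, warn_days)
    actions = []
    if not any(r["status"] != "expired" for r in rows):
        actions.append("SSO is down (AADSTS7000222): create a new client secret now and "
                       "paste it into the Intigriti SSO page via Edit")
    for r in rows:
        if r["status"] == "expiring":
            actions.append(f"create a replacement for {r['displayName']} "
                           f"({r['daysLeft']} days left), update Intigriti, then delete key {r['keyId']}")
        elif r["status"] == "expired":
            actions.append(f"delete expired key {r['keyId']} ({r['displayName']}): "
                           f"az ad app credential delete --id <application-id> --key-id {r['keyId']}")
    return actions


if __name__ == "__main__":
    for row in secret_status(SAMPLE_CREDENTIALS, NOW):
        print(f"{row['status']:9} {row['daysLeft']:5d} days  {row['displayName']}")
    for action in rotation_plan(SAMPLE_CREDENTIALS, NOW):
        print("-", action)
```

Run it against the real output of `az ad app credential list` (replace `SAMPLE_CREDENTIALS` and `NOW`) from a scheduled job, and rotate while the previous secret is still valid: create the new secret, paste it into Intigriti via Edit, confirm a sign-in works, and only then delete the old key.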

Error containing “invalid_request” or “invalid_client” with error code “AADSTS7000218” or “AADSTS50146”

This is potentially due to a custom claim interfering with the SSO process. AADSTS50146 in particular is returned when a claims-mapping policy or custom claim is applied to an app registration that has no application-specific signing key. To check, navigate to:

  1. Azure

  2. Entra ID

  3. Enterprise Applications

  4. Intigriti SSO

  5. Single sign-on

  6. Attributes & Claims

  7. Remove any custom claims that were added; the default claims are sufficient for Intigriti

If the error is AADSTS7000218, also confirm that the “Client secret (optional)” field in the Intigriti SSO configuration is filled in: that code means the token request reached Entra without a client secret or client assertion.

Approval required when signing in via SSO

Should you run into the issue where users are required to “Request approval” from an administrator, check the following:

  1. Azure

  2. Entra ID

  3. App Registrations

  4. Intigriti SSO

  5. API Permissions

  6. Add a permission

    1. Microsoft Graph

    2. Delegated permissions

    3. User.Read

Adding the permission does not consent to it. If your tenant does not allow users to consent to applications themselves, an administrator with the right to grant tenant-wide admin consent should also click “Grant admin consent for <your tenant>” on the API Permissions page; otherwise users will still be prompted to request approval.

Important: make sure that “Intigriti SSO” exists as a separate enterprise application. Creating the “Intigriti SSO” app registration during the setup steps automatically creates a matching “Intigriti SSO” enterprise application; if it is missing, run through the setup steps again.

Okta

Below you will find the steps to set up SSO for the Intigriti platform using Okta. A video showcasing the process can be found below.

  1. Log in to the Okta Admin Console

  2. Navigate to Applications -> Applications

  3. Click “Create App Integration”

    1. Sign-in method: OIDC - OpenID Connect

    2. Application type: Web Application

  4. Give the integration a name, e.g. “Intigriti SSO”

  5. Grant type

    1. Client acting on behalf of a user: Authorization Code (required; this is the grant the sign-in flow uses)

    2. Client acting on behalf of itself: Client Credentials is not needed for SSO and can be left unticked. Enabling it would let anyone holding the client secret obtain tokens without a user signing in.

  6. Sign-in redirect URIs

    1. Remove the placeholder URI

    2. Copy the Redirect URL from the Intigriti platform SSO page

    3. Add URI -> Paste it exactly as shown (Okta matches redirect URIs by exact string comparison)

  7. Sign-out redirect URIs

    1. Remove the placeholder URI

  8. Assignments

    1. Controlled access: “Allow everyone in your organization to access”

      1. Or limit access to selected groups, so that only the users who should reach Intigriti can complete the SSO flow

    2. Enable immediate access: untick “Enable immediate access with Federation Broker Mode”

  9. Save

  10. Navigate to “Sign On”

  11. OpenID Connect ID Token

    1. Edit

    2. Issuer: Okta URL (the org authorization server; its discovery document lives at <Okta URL>/.well-known/openid-configuration)

    3. Save

  12. Copy the “Okta URL”

  13. Paste the Okta URL into “Identity provider URL” in the Intigriti platform

  14. Navigate to “General”

  15. Copy “Client ID”

  16. Paste into “Client ID” in the Intigriti platform

  17. Copy “Client Secret”

    1. If there is no client secret, generate a new one

  18. Paste into “Client secret (optional)” in the Intigriti platform

  19. Provide an “Identity provider name”

  20. Click “Save”

  21. Click “Activate”

  22. Navigate to “Company Members”

    1. Click the three dots at the end of a member's row

    2. Enable SSO

    3. The user will then receive an email with a button to sign in via SSO.

      1. This email only needs to be interacted with once; after that they can simply log into the Intigriti platform and will be redirected to sign in via SSO.

Auth0

Below you will find the steps to set up SSO for the Intigriti platform using Auth0

  • Create an application using the Auth0 guide.

    • Application name: 'Intigriti'

    • Application type: ✅ 'Regular Web Applications'

  • Open the newly created application.

  • Go to Settings.

  • Retrieve the following values from the Basic Information section and paste them into the Intigriti SSO page:

    • Identity provider URL: the Domain value. Auth0 shows it as a bare hostname; it serves its discovery document at https://<Domain>/.well-known/openid-configuration.

    • Client ID

    • Client Secret

  • In the Application URIs section, add the Redirect URL shown on the Intigriti SSO Settings page to Allowed Callback URLs exactly as shown (Auth0 compares callback URLs by exact match), then save the changes.

Other IdPs

For other IdPs not listed in this article, you need the following values to set up SSO via OIDC:

  • Client ID (from the IdP)

  • Client Secret (from the IdP)

  • Identity Provider URL (from the IdP: its OIDC discovery document, https://<issuer>/.well-known/openid-configuration, or the issuer URL it is derived from)

  • Redirect URL (shown on the Intigriti SSO page; register it in the IdP as the allowed redirect/callback URI of an OIDC web application using the authorization code flow)

The first three values are obtained from your IdP and pasted into the Intigriti SSO page; the Redirect URL goes the other way, from Intigriti into the IdP.

Your IdP's documentation should have more information.

We are happy to continue updating this article; if you have a specific IdP you would like tailored instructions on, please reach out.
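Whichever IdP you use, the same two things go wrong most often: the "Identity provider URL" does not resolve to a usable discovery document, or the redirect URL registered in the IdP differs by a character from the one Intigriti shows. The script below is an added example (not Intigriti's, Microsoft's, Okta's or Auth0's code) that runs those pre-flight checks offline for the Azure, Okta and Auth0 sections above as well as for other IdPs. The discovery documents and the redirect URLs in it are constructed (the host app.example.test is a placeholder, not Intigriti's real redirect URL); to check a live IdP, fetch the URL returned by `discovery_url()` and pass the parsed JSON to `check_discovery()`.

```python
"""Pre-flight checks for the values pasted into the Intigriti SSO page.

Added example, not Intigriti's or any IdP's code. Everything here runs
offline against constructed data; the discovery documents below mimic the
shape of Entra ID's metadata and are not fetched from Microsoft.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_url(identity_provider_url: str) -> str:
    """Derive the OIDC discovery-document URL from the "Identity provider URL".

    Azure hands you the full metadata URL already, Okta the org URL
    (https://<org>.okta.com) and Auth0 a bare Domain; all three publish the
    document at <issuer base>/.well-known/openid-configuration.
    """
    value = identity_provider_url.strip()
    if "://" not in value:
        value = "https://" + value  # Auth0 "Domain" is a hostname without a scheme
    parsed = urlparse(value)
    if parsed.scheme != "https":
        raise ValueError(f"identity provider URL must use https, got {value!r}")
    if parsed.path.endswith(WELL_KNOWN):
        return value
    return value.rstrip("/") + WELL_KNOWN


def check_discovery(doc: dict) -> list[str]:
    """Return the problems found in a discovery document (empty list = usable)."""
    problems: list[str] = []
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
        elif urlparse(doc[key]).scheme != "https":
            problems.append(f"{key} is not https: {doc[key]}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised in response_types_supported")
    if "{tenantid}" in doc.get("issuer", ""):
        # Entra's /common and /organizations documents carry this placeholder;
        # real ID tokens have a tenant-specific "iss", so a relying party cannot
        # validate the issuer against it. Use the tenant-specific metadata URL.
        problems.append("issuer contains the {tenantid} placeholder: use the "
                        "tenant-specific OpenID Connect metadata document")
    return problems


def redirect_uri_problems(idp_value: str, intigriti_value: str) -> list[str]:
    """Explain why two redirect URIs are not identical.

    IdPs compare the redirect_uri in the authorization request with the
    registered value as an exact string, so every difference listed here
    breaks sign-in.
    """
    if idp_value == intigriti_value:
        return []
    a, b = urlparse(idp_value), urlparse(intigriti_value)
    problems: list[str] = []
    if a.scheme != b.scheme:
        problems.append(f"scheme differs ({a.scheme!r} vs {b.scheme!r})")
    if a.netloc != b.netloc:
        problems.append(f"host differs ({a.netloc!r} vs {b.netloc!r})")
    if a.path != b.path:
        if a.path.rstrip("/") == b.path.rstrip("/"):
            problems.append("trailing slash differs")
        else:
            problems.append(f"path differs ({a.path!r} vs {b.path!r})")
    if a.query != b.query:
        problems.append("query string differs")
    if a.fragment or b.fragment:
        problems.append("redirect URIs must not carry a fragment")
    return problems or ["values differ (check for stray whitespace)"]


# Constructed sample mimicking Entra's generic "common" metadata document.
COMMON_DISCOVERY = json.loads("""{
  "issuer": "https://login.microsoftonline.com/{tenantid}/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"]
}""")

# Constructed sample for a single tenant (placeholder tenant ID).
TENANT = "11111111-2222-3333-4444-555555555555"
TENANT_DISCOVERY = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
}

if __name__ == "__main__":
    for value in ("https://dev-12345.okta.com", "example-tenant.eu.auth0.com"):
        print(discovery_url(value))
    print("common  :", check_discovery(COMMON_DISCOVERY))
    print("tenant  :", check_discovery(TENANT_DISCOVERY))
    print("redirect:", redirect_uri_problems("https://app.example.test/sso/callback/",
                                             "https://app.example.test/sso/callback"))
```

`check_discovery()` only validates the document's shape and the issuer; it does not replace the IdP's own checks, but it catches the two configuration mistakes that otherwise only surface as an opaque error after clicking Activate.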

Editing SSO Configuration:

You can edit the SSO configuration without needing to deactivate SSO. This is especially useful when updating an expired client secret.

Step-by-step:

  1. Go to Intigriti > Admin > More > Single Sign-On

  2. Click Edit

    1. Edit the value as needed e.g. Client Secret

  3. Click Save

Should SSO cease to work after editing, make sure that the values from your IdP have been entered correctly in the Intigriti platform. You can walk through the setup steps for your IdP again to verify each one.

Also make sure any changes within the IdP are saved prior to editing the configuration in the Intigriti platform.

Activating and Enabling SSO:

Once the SSO configuration page has been filled out with the values from your chosen IdP, the next step is activating SSO and enabling it for your users. To do so, please follow the below steps:

  1. Navigate to Intigriti > Admin > More > Single Sign-On

  2. Click Activate

  3. Navigate to Company Members

  4. Click the three dots at the end of a member

  5. Enable SSO

  6. Users who have had SSO enabled will then receive an email with a button to sign in via SSO.

    1. This email only needs to be interacted with once, after that they can just log into the Intigriti platform and be redirected to sign in via SSO.

Deactivating SSO:

Please be aware that upon deactivation of SSO:

  • The authentication method of all company members is set back to password.

  • All active converted company members will receive an email asking them to set up a new password, which they must use to log in from then on.

  • Company members are no longer redirected to your identity provider and can only access Intigriti with their local account credentials.

Step-by-step:

  • Go to Intigriti > Admin > More > Single Sign-On.

  • Click Deactivate.

To disable SSO on a specific user, navigate to:

Company Members -> Select the 3 dots next to a user -> Disable SSO.

Note that your SSO configuration will remain available, allowing you to easily enable it again in the future if desired.
