Single Sign-On with OpenID Connect

Knowledge Base Admin and Settings
1

Platforms
Location
Setup
SSO Activation Flow
Client Secret Expiration Reminder
Configuring SSO with Microsoft Entra ID (Azure)
Disabling SSO
Q & A

Please Note: Currently the Mobile App is compatible with Single Sign On.

Platforms

We are implementing the Open Identification Connect (OIDC) standard, which is one of two Single Sign-On (SSO) standards commonly used in the industry.

We have tested and vetted 3 popular idP (Identity Provider) services:

  • Okta
  • Google Auth
  • Entra (Microsoft)

Please note that the OIDC standard is widely adopted and used by many Identity Providers and our SSO implementation will work with more idP’s than what is listed above.

Location

To access Single Sign On, head to the Admin Tab > Login Settings

Screenshot 2023-12-04 at 3.44.11 PM
Screenshot 2023-12-04 at 3.44.11 PM491Ă—632 13 KB


This setting is account-wide. When activated, SSO will be enforced across all active User accounts on the subdomain.

Important Note: User Email Addresses are used to match with the idP. This means that for someone to authenticate correctly, their Email in Syncro or RS must match on their idP side.

Important Note: Syncro MFA will remain active with SSO enabled. This means that Users will be prompted for an MFA code when starting a new session (or based on session re-auth) to access Syncro.

image
image568Ă—571 55.9 KB

Setup

The User supplies three pieces of data:

  • Client ID
  • Client Secret
  • Discovery Document

image
image588Ă—531 59.3 KB

We generate two URLs that need to be copied and added to the idP (Okta, Google, MS).

image
image589Ă—550 59.3 KB

SSO Activation Flow

The Enable Toggle will be “disabled” until the Client ID, Secret, and Document have been Saved & Verified.

image
image579Ă—578 60 KB

Entering the Client ID, Secret and Discovery document into their fields will change the Save button in the lower right to a “Save & Verify SSO Connection” button.

image
image732Ă—536 85.2 KB

Once “Save & Verify SSO” is pressed and the ID, Secret, and Discovery are verified, the “Enable SSO” option will become active.

image
image723Ă—522 80 KB

You can now toggle ON the SSO feature when you are ready, then hit the Save button on the page one more time.

image
image724Ă—518 77.5 KB

Once SSO is activated, all accounts will be authenticated through your idP. The login page will look a little different now with a Sign in button.

image
image761Ă—197 11.3 KB

Remember that this is account wide, and takes immediate effect.

If at any time the SSO settings are updated, we will send an email out notifying Users that the SSO settings have been updated as a Security measure.

image
image768Ă—99 25.2 KB

SSO Client Secret Expiration Reminder

We have added an optional field called Client Secret Expiration Date to the SSO configuration page. This is useful in case your OIDC provider expires your client secret after a set amount of time.


ClientSecretExpiration
ClientSecretExpiration1242Ă—1398 110 KB


Choosing a date here will prompt Syncro to email you at 6 AM PT 30, 14, and 7 days before the date of expiration (3 emails total), reminding you that your client secret is expiring soon and it should be refreshed. Here’s an example of one such email:

ExpirationReminderEmail
ExpirationReminderEmail1372Ă—358 36.4 KB

Configuring SSO with Microsoft Entra ID (Azure)

Launch your Azure Instance and locate Entra ID (a Pyramid logo).

Next in the Left Nav look in the Manage section, locate “App Registrations” and click in.

image
image489Ă—585 36.5 KB

Next click “New Registration”

image
image765Ă—291 66.9 KB

Next, give the App a friendly name to identify it by. Often people call it “Syncro” or “SyncroMSP” but it can be whatever you’d prefer.

Next, in the Redirect URI section, choose “Web” in the Platform drop down, and you will want to copy the Redirect URI from the SSO config page within Syncro and paste it into this page. Then hit Save.

image
image784Ă—332 60.3 KB

Redirect URI field in Syncro

image
image692Ă—647 77.9 KB

Congrats, you have the App created in Entra! Next, you will be brought the App’s Detail page where several strings are shown. You will want to copy the “Application (client) ID” in Entra and paste it into the Syncro SSO “Client ID” field.

image
image786Ă—388 105 KB

Syncro Client ID Field

image
image711Ă—635 78.1 KB

Now, a Secret needs to be generated. In the Entra left nav, click “Certificates & secrets” and then “New client secret”.

image
image737Ă—398 74.3 KB

A side panel will pop out where you can give the Secret a friendly name that can be used to manage it as needed. We have seen people name it “Syncro” or “SyncroMSP”, but it can be any name of your choosing. In the same pop out, you can also choose a expiration for the secret key.

image
image744Ă—423 62.7 KB

A set of Secret keys will be generated. Take the “Value” string and copy that into the Syncro SSO “Client Secret” field.

  • Note: If you copy the “Secret ID” field here and paste that into Syncro, you will get an authorization error.

image
image737Ă—365 66.8 KB

Client Secret Field in Syncro

image
image642Ă—575 65.3 KB

One last step to go!

Next we need to get the OpenID Connect Discovery URL. In the Entra left nav, click the Overview option in the upper left. Then, click the Endpoints option in the upper nav.

image

A slide-out will appear and display a group of fields. You are looking for:

“OpenID Connect metadata document”

Copy the entire URL string, then head over to Syncro and paste it into the “OpenID Connect Discovery (Discovery Document)” field.

  • Don’t worry about cleaning up the URL. We will parse out the URL string for you.

image
image731Ă—546 108 KB

You should be all set to hit the Save & Verify SSO button in Syncro. Everything should check out, and you can toggle the SSO feature on and hit Save.

Disabling SSO

When a User wants to disable SSO, they can do so by heading to the Login Settings and clicking the toggle for SSO.

image
image728Ă—525 77.8 KB

When SSO is disabled, we will reset the passwords of all User accounts and end existing sessions. We will send a Password reset email to all active User accounts to reset their passwords.

image

If, for some reason, the User does not get the email when they attempt to login the next time without resetting their password, they will be presented with a screen to complete the password reset.

image

Q & A

Azure SSO Config Doc: OpenID Connect (OIDC) on the Microsoft identity platform

Error: “SSO configuration contains errors. Please check and verify again.”

This error refers to the Client Secret not being correct. This can happen when copy/paste includes junk data from the clipboard. We recommend going back to the idP and trying to copy/paste once again.

image
image697Ă—703 73.5 KB

Error: “OpenID Connect Discovery: is invalid”

This means that the URL for the OpenID Connect Discovery field is not correct.

image
image662Ă—602 58.5 KB

Error: “Access Blocked: This app’s request is invalid”

This error typically means the callback URL that is supposed to be placed in the idP settings is missing or incorrect. We recommend copying the Redirect URL from the SSO Settings page in Syncro and replacing it in the idP Settings.

image
image714Ă—475 81.2 KB

2 Likes