Single Sign-On with OpenID Connect

Platforms
Location
Setup
SSO Activation Flow
Client Secret Expiration Reminder
Configuring SSO with Microsoft Entra ID (Azure)
Disabling SSO
Q & A

Please Note: The Syncro Mobile App is compatible with Single Sign-On.

Platforms

We are implementing the Open Identification Connect (OIDC) standard, which is one of two Single Sign-On (SSO) standards commonly used in the industry.

We have tested and vetted 3 popular idP (Identity Provider) services:

  • Okta
  • Google Auth
  • Entra (Microsoft)

Please note that the OIDC standard is widely adopted and used by many Identity Providers and our SSO implementation will work with more idP’s than what is listed above.

Location

To access Single Sign On, head to the Admin Tab > Login Settings



This setting is account-wide. When activated, SSO will be enforced across all active User accounts on the subdomain.

Important Note: User Email Addresses are used to match with the idP. This means that for someone to authenticate correctly, their Email in Syncro or RS must match on their idP side.

Important Note: Syncro MFA will remain active with SSO enabled. This means that Users will be prompted for an MFA code when starting a new session (or based on session re-auth) to access Syncro.

Setup

The User supplies three pieces of data:

  • Client ID
  • Client Secret
  • Discovery Document

We generate two URLs that need to be copied and added to the idP (Okta, Google, MS).

SSO Activation Flow

The Enable Toggle will be “disabled” until the Client ID, Secret, and Document have been Saved & Verified.

Entering the Client ID, Secret and Discovery document into their fields will change the Save button in the lower right to a “Save & Verify SSO Connection” button.

Once “Save & Verify SSO” is pressed and the ID, Secret, and Discovery are verified, the “Enable SSO” option will become active.

You can now toggle ON the SSO feature when you are ready, then hit the Save button on the page one more time.

Once SSO is activated, all accounts will be authenticated through your idP. The login page will look a little different now with a Sign in button.

Remember that this is account wide, and takes immediate effect.

If at any time the SSO settings are updated, we will send an email out notifying Users that the SSO settings have been updated as a Security measure.

SSO Client Secret Expiration Reminder

We have added an optional field called Client Secret Expiration Date to the SSO configuration page. This is useful in case your OIDC provider expires your client secret after a set amount of time.



Choosing a date here will prompt Syncro to email you at 6 AM PT 30, 14, and 7 days before the date of expiration (3 emails total), reminding you that your client secret is expiring soon and it should be refreshed. Here’s an example of one such email:

Configuring SSO with Microsoft Entra ID (Azure)

Launch your Azure Instance and locate Entra ID (a Pyramid logo).

Next in the Left Nav look in the Manage section, locate “App Registrations” and click in.

Next click “New Registration

Next, give the App a friendly name to identify it by. Often people call it “Syncro” or “SyncroMSP” but it can be whatever you’d prefer.

Next, in the Redirect URI section, choose “Web” in the Platform drop down, and you will want to copy the Redirect URI from the SSO config page within Syncro and paste it into this page. Then hit Save.

Redirect URI field in Syncro

Congrats, you have the App created in Entra! Next, you will be brought the App’s Detail page where several strings are shown. You will want to copy the “Application (client) ID” in Entra and paste it into the Syncro SSO “Client ID” field.

Syncro Client ID Field

Now, a Secret needs to be generated. In the Entra left nav, click “Certificates & secrets” and then “New client secret”.

A side panel will pop out where you can give the Secret a friendly name that can be used to manage it as needed. We have seen people name it “Syncro” or “SyncroMSP”, but it can be any name of your choosing. In the same pop out, you can also choose a expiration for the secret key.

A set of Secret keys will be generated. Take the “Value” string and copy that into the Syncro SSO “Client Secret” field.

  • Note: If you copy the “Secret ID” field here and paste that into Syncro, you will get an authorization error.

Client Secret Field in Syncro

One last step to go!

Next we need to get the OpenID Connect Discovery URL. In the Entra left nav, click the Overview option in the upper left. Then, click the Endpoints option in the upper nav.

image

A slide-out will appear and display a group of fields. You are looking for:

OpenID Connect metadata document

Copy the entire URL string, then head over to Syncro and paste it into the “OpenID Connect Discovery (Discovery Document)” field.

  • Don’t worry about cleaning up the URL. We will parse out the URL string for you.

You should be all set to hit the Save & Verify SSO button in Syncro. Everything should check out, and you can toggle the SSO feature on and hit Save.

Disabling SSO

When a User wants to disable SSO, they can do so by heading to the Login Settings and clicking the toggle for SSO.

When SSO is disabled, we will reset the passwords of all User accounts and end existing sessions. We will send a Password reset email to all active User accounts to reset their passwords.

image

If, for some reason, the User does not get the email when they attempt to login the next time without resetting their password, they will be presented with a screen to complete the password reset.

image


Q & A

Azure SSO Config Doc: OpenID Connect (OIDC) on the Microsoft identity platform

Error: “SSO configuration contains errors. Please check and verify again.”

This error refers to the Client Secret not being correct. This can happen when copy/paste includes junk data from the clipboard. We recommend going back to the idP and trying to copy/paste once again.

Error: “OpenID Connect Discovery: is invalid”

This means that the URL for the OpenID Connect Discovery field is not correct.

Error: “Access Blocked: This app’s request is invalid”

This error typically means the callback URL that is supposed to be placed in the idP settings is missing or incorrect. We recommend copying the Redirect URL from the SSO Settings page in Syncro and replacing it in the idP Settings.

2 Likes