
Set up SSO (Azure)

Who can do this:

  • Anyone with editing permissions for Structure and Login/Signup SSO

Below are the steps for your IT administrator to configure Azure AD/Entra ID, to facilitate:

  • Single sign-on via SAML 2.0, so users can log into the app with their company email
  • User synchronization via the Microsoft Graph API, so Refresh accounts are automatically disabled when employees are terminated

Before you begin:

Start a notes file or another document to paste information to share with us. If you have any questions, don't hesitate to contact the Refresh team.

Step 1: Register your app

  1. Go to https://portal.azure.com/.
  2. Click Microsoft Entra ID.
  3. In the left column, click App registrations.
  4. At the top, select New registration.
  5. In the Name field, enter Refresh.
  6. Select the following:
    • Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g., Skype, Xbox)
  7. Click Register.

Step 2: Obtain key info

  1. Under Essentials, copy the following IDs into your notes:
    • Application (client) ID
    • Directory (tenant) ID
  2. At the top, select Endpoints.
  3. Copy the following into your notes:
    • SAML-P sign-on endpoint
    • SAML-P sign-out endpoint
  4. Close the Endpoints panel.

Step 3: Configure web platform

  1. In the left column, select Authentication.
  2. Under Platform configurations, click Add a platform.
  3. Select Web.
  4. In Redirect URIs, enter:
    • https://[OrganizationName].app.refreshplatform.com/saml
  5. For Front-channel logout, enter:
    • https://[OrganizationName].app.refreshplatform.com/logout
  6. Click Configure. You’ll now have a web configuration under Platform configurations.
  7. Use Add URI in the Web box to add two more Redirect URIs. These allow for sandbox testing:
    • https://[OrganizationName].app-staging.refreshplatform.com/saml

Step 4: Enable access tokens

  1. Under Implicit grant and hybrid flows, select Access tokens (used for implicit flows).
  2. At the bottom, click Save.

Step 5: Upload certificate

You should have received the certificate from us via email, which you can save to your computer.

  1. In the left column, select Certificates & secrets.
  2. Select the Certificates tab, if not already selected.
  3. Click Upload certificate.
  4. Select the certificate from your files.
  5. Click Add.

Step 6: Create new client secret

  1. Click New client secret.
    • In the Description field, enter Refresh Platform.
    • In the Expires dropdown, select 730 Days (24 months).
  2. Copy the following into your notes:
    • Client secret value (from the newly created secret; the value is displayed only once, immediately after creation, and cannot be retrieved later)

Step 7: Configure token info

  1. In the left column, click Token configuration.
  2. Click Add optional claim.
  3. For Token type, choose ID.
  4. Select the following claims:
    • acct
    • email
    • family_name
    • given_name
    • preferred_username
  5. Click Add.

Step 8: Add groups claim

  1. Click Add groups claim.
  2. Select the following:
    • Security groups
    • Directory roles
    • All groups (includes distribution lists but not groups assigned to the application)
    • Groups assigned to the application
  3. Click Add.
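The optional claims from step 7 and the groups claim from step 8 only help if the application actually checks for them. The following is an added example (not Refresh's or Microsoft's code) of the validation a service provider would run on an incoming ID token: verify the signature, check issuer and audience against the tenant and client IDs from step 2, check expiry, and confirm every configured claim is present. It builds a constructed, HS256-signed token so it runs offline; real Entra ID tokens are RS256-signed and must be verified against the tenant's published signing keys, which this demo does not do. The two IDs are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Placeholders: substitute the Directory (tenant) ID and Application (client) ID
# copied in step 2. These are not real identifiers.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Optional claims added in step 7; the groups claim from step 8 is checked separately.
REQUIRED_CLAIMS = ("acct", "email", "family_name", "given_name", "preferred_username")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict, key: bytes) -> str:
    """Build an HS256-signed JWT from constructed claims (demo only; Entra ID issues RS256 tokens)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_id_token(token: str, key: bytes, now: Optional[float] = None) -> List[str]:
    """Return the list of problems found; an empty list means the token passes every check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-segment JWT"]
    header_b64, payload_b64, sig_b64 = parts
    # Signature first: never act on claims from an unverified token.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return ["signature does not verify"]
    claims = json.loads(_b64url_decode(payload_b64))
    problems: List[str] = []
    # The v2.0 issuer embeds the tenant ID, so a token minted by another tenant fails here.
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        problems.append("issuer is not this tenant")
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not the Refresh app registration")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or has no exp claim")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing optional claim: {name}")
    # Group overage: when a user belongs to more groups than fit in the token, Entra ID
    # omits "groups" and instead sets _claim_names/_claim_sources pointing at Graph.
    if "groups" not in claims:
        if "groups" in claims.get("_claim_names", {}):
            problems.append("groups claim overage: group list must be fetched from Microsoft Graph")
        else:
            problems.append("missing groups claim")
    return problems
```

`verify_id_token` returns every problem it finds rather than stopping at the first, which makes it useful as a configuration check during rollout: a token that comes back with only "missing optional claim: ..." entries points straight at an unfinished step 7.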

Step 9: Add permissions

  1. In the left column, select API permissions.
  2. Click Add permission.
  3. Select Microsoft Graph, and then Application permissions.
  4. Under the User category, select:
    • User.Read.All
  5. Click Add permissions.
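The User.Read.All application permission above, together with the client ID, tenant ID and client secret from steps 2 and 6, is what the user-synchronization side of this setup runs on. The following added example (not Refresh's or Microsoft's code) shows that flow end to end: a client-credentials token request, paging through the Graph /users listing, and deciding which local accounts to disable because their directory user is disabled or gone. HTTP goes through an injectable `fetch` callable so the logic runs offline against the constructed sample responses below; the tenant, client and secret values are placeholders, and the assumption that a Refresh account's login email equals the directory UPN is this example's, not the guide's.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Real Microsoft endpoints; every tenant/client/secret value and sample record below is constructed.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_USERS_URL = ("https://graph.microsoft.com/v1.0/users"
                   "?$select=id,userPrincipalName,accountEnabled&$top=999")

Fetch = Callable[..., dict]


def http_fetch(url: str, method: str = "GET", headers: Optional[dict] = None,
               body: Optional[bytes] = None) -> dict:
    """Minimal JSON HTTP client on the standard library (no retry or throttling handling)."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_app_token(tenant_id: str, client_id: str, client_secret: str,
                  fetch: Fetch = http_fetch) -> str:
    """Client-credentials grant: the app authenticates as itself with the step 6 secret.
    The token carries the application permissions granted in step 9 (User.Read.All)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    response = fetch(TOKEN_URL.format(tenant=tenant_id), method="POST",
                     headers={"Content-Type": "application/x-www-form-urlencoded"}, body=form)
    return response["access_token"]


def list_users(token: str, fetch: Fetch = http_fetch) -> Iterator[dict]:
    """Walk every page of /users; Graph returns at most $top users per page plus a nextLink."""
    url: Optional[str] = GRAPH_USERS_URL
    while url:
        page = fetch(url, headers={"Authorization": f"Bearer {token}"})
        yield from page["value"]
        url = page.get("@odata.nextLink")


def accounts_to_disable(directory_users: Iterable[dict], local_accounts: Dict[str, str]) -> List[str]:
    """Given the directory listing and the active local accounts (UPN -> local id), return the
    local ids whose directory user is disabled or no longer listed. Assumes login email == UPN."""
    users = list(directory_users)
    if not users:
        # An empty listing almost always means a permission or configuration error,
        # not an empty tenant: refuse rather than disable every account.
        raise RuntimeError("directory listing is empty; refusing to deprovision")
    enabled = {u["userPrincipalName"].lower() for u in users if u.get("accountEnabled")}
    return sorted(local_id for upn, local_id in local_accounts.items() if upn.lower() not in enabled)


# Constructed sample responses standing in for the token endpoint and two Graph pages.
SAMPLE_RESPONSES = {
    TOKEN_URL.format(tenant="TENANT-ID-PLACEHOLDER"): {"access_token": "constructed-token"},
    GRAPH_USERS_URL: {
        "value": [{"id": "u1", "userPrincipalName": "alice@example.com", "accountEnabled": True}],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/users?$skiptoken=constructed",
    },
    "https://graph.microsoft.com/v1.0/users?$skiptoken=constructed": {
        "value": [{"id": "u2", "userPrincipalName": "bob@example.com", "accountEnabled": False}],
    },
}


def sample_fetch(url: str, method: str = "GET", headers: Optional[dict] = None,
                 body: Optional[bytes] = None) -> dict:
    return SAMPLE_RESPONSES[url]


def run_sync(fetch: Fetch = sample_fetch) -> List[str]:
    """End to end: token, full user listing, then the local account ids to disable."""
    token = get_app_token("TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER",
                          "CLIENT-SECRET-PLACEHOLDER", fetch)
    local_accounts = {"alice@example.com": "r-1", "bob@example.com": "r-2", "carol@example.com": "r-3"}
    return accounts_to_disable(list_users(token, fetch), local_accounts)


if __name__ == "__main__":
    print(run_sync())  # ['r-2', 'r-3']: bob is disabled in the directory, carol is no longer listed
```

Swap `sample_fetch` for `http_fetch` (and the placeholders for the values from your notes file) to run it against a real tenant. Deleted directory users drop out of /users immediately, so "no longer listed" covers terminated employees as well as accounts that were merely disabled; the empty-listing guard is there because a mis-granted permission would otherwise look like an empty tenant and disable everyone.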

Step 10: Share notes

Once you've completed the steps above, please email your notes file to [email protected].