SSO Setup
Configure Single Sign-On with Microsoft Azure, Google, or OpenID Connect
SSO Setup Guide
Single Sign-On (SSO) allows your users to authenticate using their existing corporate credentials. This guide walks you through configuring SSO with supported identity providers.
Overview
SSO enables corporate users to leverage their organization's user directory as an identity provider for Appivo. You can choose from:
| Provider | Best For |
|---|---|
| Microsoft Azure | Organizations using Azure Active Directory |
| Google G-Suite | Organizations using Google Workspace |
| OpenID Connect | Any OpenID Connect compliant identity provider |
Note: Only one SSO provider can be active at a time.
Microsoft Azure SSO
If your organization uses Microsoft Azure AD for identity management, follow these steps to configure SSO.
Step 1: Register an Application in Azure
- Log in to the Microsoft Azure portal
- Navigate to Azure Active Directory
- Click App Registrations
- Click New registration
- Enter a name for the application (e.g., "Appivo")
- For Account Type, select "Accounts in this organization directory only"
- For Redirect URI, select Web and enter:
https://apps.appivo.com/auth/<tenant-id>/callback
Note: You can find your specific callback URL at the top of the SSO configuration page in Appivo.
Step 2: Configure API Permissions
Add the required Microsoft Graph permissions:
- Click API permissions in the left menu
- Click + Add permission
- Select Microsoft Graph
- Select Delegated permissions
- Search for and add each of these permissions:
  - openid
  - offline_access
  - User.Read
  - User.ReadBasic.All
  - GroupMember.Read.All
- Click Grant admin consent for your organization
Step 3: Create a Client Secret
- Navigate to your app registration
- Click Certificates & Secrets
- Click New client secret
- Enter a description and select an expiration period
- Click Add
- Copy the secret value immediately - it won't be shown again
Step 4: Configure Appivo
Navigate to the SSO configuration page in Appivo and enter:
| Field | Description |
|---|---|
| Client ID | The Application (client) ID from Azure app registration overview |
| Client Secret | The secret value you copied in Step 3 |
| Tenant ID | The Directory (tenant) ID from Azure app registration overview |
| Scope | openid offline_access User.Read User.ReadBasic.All GroupMember.Read.All |
Step 5: Complete Setup
- Enable Use proof key for code exchange (PKCE)
- Click Submit Configuration
Note: A custom login URL will be generated for your tenant upon successful configuration.
Configure Group Mappings (Recommended)
After enabling SSO, configure group mappings to automatically provision applications and roles to users based on their Azure AD groups.
Google SSO
Google Workspace users can sign in to Appivo using their Google credentials.
Prerequisites
Before configuring Google SSO in Appivo, you need to create OAuth 2.0 credentials in the Google Cloud Console:
- Go to the Google Cloud Console
- Create or select a project
- Navigate to APIs & Services > Credentials
- Click Create Credentials > OAuth client ID
- Configure the OAuth consent screen if prompted
- Select Web application as the application type
- Add your Appivo callback URL to Authorized redirect URIs
Configure Appivo
Navigate to the SSO configuration page in Appivo and enter:
| Field | Description |
|---|---|
| Client ID | The OAuth 2.0 Client ID from Google Cloud Console |
| Client Secret | The OAuth 2.0 Client Secret from Google Cloud Console |
| Scope | The scopes to request (comma-separated) |
Complete Setup
- Enable Use proof key for code exchange (PKCE)
- Click Submit Configuration
Note: A custom login URL will be generated for your tenant upon successful configuration.
OpenID Connect SSO
Appivo supports any OpenID Connect compliant identity provider, including:
- Okta
- Auth0
- Keycloak
- Ping Identity
- OneLogin
Gather Provider Information
From your identity provider, collect the following endpoints and credentials:
| Required Information | Description |
|---|---|
| Client ID | Application identifier from your IdP |
| Client Secret | Application secret from your IdP |
| Token Endpoint URL | URL for obtaining tokens |
| Authorization Endpoint URL | URL for user authentication |
| User Info Endpoint URL | URL for retrieving user claims |
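Many OpenID Connect providers publish these endpoints in a discovery document at `<issuer>/.well-known/openid-configuration`. The following is an added example, not Appivo code: it reads such a document, pulls out the three endpoint URLs from the table above, and flags values that deserve a second look before they are entered. The sample document and `idp.example.com` are constructed, and the function and variable names are hypothetical.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document; idp.example.com is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Discovery key -> row label in the table above.
FIELD_MAP = {
    "token_endpoint": "Token Endpoint URL",
    "authorization_endpoint": "Authorization Endpoint URL",
    "userinfo_endpoint": "User Info Endpoint URL",
}

def extract_sso_fields(discovery_json, wanted_scopes=("openid",)):
    """Return (fields, problems) for the endpoints the SSO form asks for."""
    doc = json.loads(discovery_json)
    issuer_host = urlsplit(doc.get("issuer", "")).hostname
    fields, problems = {}, []
    for key, label in FIELD_MAP.items():
        url = doc.get(key)
        if not url:
            problems.append(f"{label}: missing from discovery document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{label}: not served over https")
        if parts.hostname != issuer_host:
            # Not always wrong (some IdPs split hosts), but check it by hand.
            problems.append(f"{label}: host differs from issuer")
        fields[label] = url
    # Absence only means "not advertised"; confirm PKCE support in the IdP docs.
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("PKCE: S256 challenge method not advertised")
    supported = doc.get("scopes_supported", list(wanted_scopes))
    problems += [f"Scope: {s} not advertised"
                 for s in wanted_scopes if s not in supported]
    return fields, problems

if __name__ == "__main__":
    found, issues = extract_sso_fields(SAMPLE_DISCOVERY)
    print(json.dumps({"fields": found, "problems": issues}, indent=2))
```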
Configure Appivo
Navigate to the SSO configuration page and enter:
| Field | Description |
|---|---|
| Client ID | Your application's client identifier |
| Client Secret | Your application's client secret |
| Token endpoint URL | Endpoint for obtaining ID, access, and refresh tokens |
| Authorization endpoint URL | Endpoint for user authentication and authorization codes |
| User info endpoint URL | Endpoint that returns user claims (including the sub identifier) |
| Scope | The scopes to request (comma-separated) |
Complete Setup
- Enable Use proof key for code exchange (PKCE)
- Click Submit Configuration
Note: A custom login URL will be generated for your tenant upon successful configuration.
Testing Your Configuration
After configuring SSO:
- Open your tenant's custom login URL in a private/incognito browser window
- Verify you're redirected to your identity provider
- Sign in with valid credentials
- Confirm you're redirected back to Appivo and logged in
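The redirect in the second step carries a standard OAuth 2.0 authorization request in its URL, so the settings made above can be checked from the address bar before signing in. The following is an added example, not Appivo code: it checks a captured URL for the authorization-code response type, an exact redirect URI match, the `openid` scope, and PKCE with the S256 method (RFC 7636). The sample URL, the IdP host and the tenant id are constructed placeholders, and the parameter checks assume a standard OpenID Connect request rather than documented Appivo behaviour.

```python
import base64
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

def s256_challenge(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def check_authorization_request(url, registered_redirect_uri, idp_host):
    """Return a list of findings for a captured authorization request URL."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https" or parts.hostname != idp_host:
        findings.append("redirect did not go to the expected IdP over https")
    if params.get("response_type") != "code":
        findings.append("response_type is not 'code'")
    # Exact string comparison: a trailing slash or an http/https difference
    # is enough to count as a mismatch.
    if params.get("redirect_uri") != registered_redirect_uri:
        findings.append("redirect_uri differs from the one registered at the IdP")
    if "openid" not in params.get("scope", "").split():
        findings.append("scope does not include openid")
    if params.get("code_challenge_method") != "S256":
        findings.append("PKCE S256 not in use")
    elif len(params.get("code_challenge", "")) != 43:
        # A SHA-256 digest is always 43 characters in unpadded base64url.
        findings.append("code_challenge is not a 43-character S256 value")
    return findings

# Constructed sample values; the tenant id and IdP host are placeholders.
CALLBACK = "https://apps.appivo.com/auth/TENANT-ID-PLACEHOLDER/callback"
SAMPLE_URL = "https://idp.example.com/oauth2/authorize?" + urlencode({
    "response_type": "code",
    "client_id": "constructed-client-id",
    "redirect_uri": CALLBACK,
    "scope": "openid offline_access",
    "code_challenge": s256_challenge("constructed-verifier-" + "x" * 30),
    "code_challenge_method": "S256",
})

if __name__ == "__main__":
    print(check_authorization_request(SAMPLE_URL, CALLBACK, "idp.example.com") or "ok")
```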
Common Issues
| Issue | Solution |
|---|---|
| Redirect URI mismatch | Verify the callback URL matches exactly in both Appivo and your IdP |
| Invalid client credentials | Double-check the Client ID and Secret |
| Missing permissions | Ensure all required scopes are configured and consented |
| User not provisioned | Check group mappings or enable automatic user provisioning |
Next Steps
- Advanced Authentication - Configure 2FA and IP restrictions
- Security Guide - Role-based access control
- Authentication Guide - User management basics