An Administrator can control user authentication settings.

SSO Authentication

Single Sign On (SSO) is a way for corporate users to leverage their corporate user directory as an identity provider to the Appivo platform. An Administrator can select from the following options to enable SSO:

  1. Microsoft Azure
  2. Google G-Suite
  3. OpenID Connect
[Screenshot: SSO Authentication]

✰Note: Only one option can be selected at a time, and each has its own configuration requirements. Follow the steps below to configure the SSO option of your choice.

Microsoft Azure

If your company uses Microsoft Azure AD as its identity management system, you can use it as your identity provider. Here is how to set this up.

  1. Log in to the Microsoft Azure portal.
  2. Go to Azure Active Directory.
  3. Click on “App Registrations”.
  4. Create a new registration by clicking on “New registration”.
  5. Give the registration a meaningful name, like “Appivo”.
  6. For Account Type, select “Accounts in this organization directory only”.
  7. For Redirect URI, select Web and enter a URL in the following format: https://apps.appivo.com/auth/<tenant-id>/callback. You can find your callback URL at the top of the SSO configuration page in Appivo.

[Screenshot: Azure AD – Register Application]

The next step is to add API permissions to your app registration: click on “API permissions”.

You need to add the following permissions:

openid offline_access User.Read User.ReadBasic.All GroupMember.Read.All

You need to add them one by one by clicking on the link labeled “+ Add permission”, which opens a dialog where you can search for the permission: first select “Microsoft Graph”, then select “Delegated permissions”, then find each permission and add it. Once you have added them all, click on the link labeled “Grant admin consent to <name of your app>”.

Now that you have registered your application, you will need to create a secret for authentication.

  1. If you are no longer on the page of your application registration, navigate there.
  2. Click on “Certificates & Secrets”.
  3. Click on “New client secret”.
  4. Give the secret a description and set an expiration time that you are comfortable with.
  5. Once the secret has been created, copy its value and paste it into the “Client secret” field in the Appivo UI.
[Screenshot: Microsoft Azure]

Description of fields (Click > Edit Details):

Client ID
    Enter the ID of the application registration you created in the Azure AD portal.

Client Secret
    Enter the value of the client secret you generated in the Azure AD portal.

Tenant ID
    Enter the tenant ID. The tenant ID is a globally unique identifier (GUID). You will find it on the application registration overview page, listed as “Directory (tenant) ID”.

Scope
    Enter the scope. The enabled scopes are separated by spaces. It is recommended that you provide at least the following scopes:

    openid offline_access User.Read User.ReadBasic.All GroupMember.Read.All

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION 

✰Note: A custom login URL is generated on successful configuration submission for your tenant.

When using SSO it is also very useful to make use of group mappings. With group mappings you can automatically provision applications and roles to users who sign in.

Google

If your company uses Google Workspace, you can use it as your identity provider. Here’s how to configure it:

[Screenshot: Google Authentication]

Description of fields:

Client ID
    Enter the Client ID. The ID uniquely identifies your subscription to use Google services.

Client Secret
    Enter the client secret. The client secret should only be known to your application and the authorization server.

Scope
    Enter the scope. The enabled scopes are separated by comma.

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION

✰Note: A custom login URL is generated on successful configuration submission for your tenant.

OpenID Connect

Appivo also supports using any OpenID Connect compliant identity provider.

[Screenshot: Open ID Connect]

Description of fields:

Client ID
    Enter the Client ID. The ID uniquely identifies your subscription to use connect services.

Client Secret
    Enter the client secret. The client secret should only be known to your application and the authorization server.

Token endpoint URL
    Enter the token URL. The token endpoint is used by a client to obtain:
    – ID token
    – Access token
    – Refresh token

Authorization endpoint URL
    Enter the authorization URL. The client uses it to identify a user or obtain an authorization code.

User info endpoint URL
    Enter the user info endpoint URL. The claims are typically packaged in a JSON object where the sub member denotes the end-user identifier.

Scope
    Enter the scope. The enabled scopes are separated by comma.

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION

✰Note: A custom login URL is generated on successful configuration submission for your tenant.
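The Azure and OpenID Connect sections above both ask for a client ID, a client secret, an authorization endpoint, a token endpoint, a scope string and the “Use proof key for code exchange” checkbox. The following added example (written for this page, not Appivo’s own code) shows what those fields do in an authorization code flow with PKCE: it derives the Microsoft identity platform v2.0 endpoints from a tenant ID, builds the authorization URL with a state, nonce and S256 code challenge, and assembles the back-channel token request. The tenant ID, client ID and secret are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholders standing in for what an administrator enters in the SSO form.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "placeholder-client-secret"
REDIRECT_URI = "https://apps.appivo.com/auth/<tenant-id>/callback"
SCOPE = "openid offline_access User.Read User.ReadBasic.All GroupMember.Read.All"


def azure_endpoints(tenant_id: str) -> dict:
    """Microsoft identity platform v2.0 endpoints for a tenant (the 'Tenant ID' field)."""
    base = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0"
    return {"authorization": f"{base}/authorize", "token": f"{base}/token"}


def make_code_verifier() -> str:
    """RFC 7636 code_verifier: 43-128 unreserved characters. 48 random bytes
    encode to exactly 64 base64url characters with no padding."""
    return secrets.token_urlsafe(48)


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, nonce: str, verifier: str) -> str:
    """Front-channel URL the user's browser is sent to. The verifier stays server-side;
    only its challenge is sent, so an intercepted code cannot be redeemed without it."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str, verifier: str) -> dict:
    """Form body posted back-channel to the token endpoint to obtain the ID, access
    and refresh tokens. The client secret never appears in the browser."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def state_matches(returned_state: str, expected_state: str) -> bool:
    """Callback check against login CSRF: the state echoed back must equal the one issued."""
    return secrets.compare_digest(returned_state, expected_state)


if __name__ == "__main__":
    endpoints = azure_endpoints(TENANT_ID)
    verifier = make_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(endpoints["authorization"], CLIENT_ID, REDIRECT_URI,
                                  SCOPE, state, nonce, verifier))
    print(build_token_request(CLIENT_ID, CLIENT_SECRET, "code-from-callback",
                              REDIRECT_URI, verifier))
```

The redirect URI in the token request must be byte-for-byte the one registered in step 7 of the Azure setup, which is why the callback URL shown on the SSO configuration page should be copied rather than retyped.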

Two Factor Authentication

Administrators may choose to enable Two Factor Authentication (also known as Multi Factor Authentication) to require a One Time Password (OTP) for all users. An Administrator may require all users to use it by setting an enforcement date to give users a window to comply on their own, or allow users to optionally configure it.

[Screenshot: Two Factor Authentication]

✰Note: Users will need to use an app like Google Authenticator or Authy to generate their OTPs.

IP Restrictions

An administrator may enable IP-address restrictions. This will only allow users to access Appivo applications from one or more IP-address ranges. This is useful if you, for instance, want to ensure that applications can only be accessed from your corporate network. An administrator can select one or more ranges of allowed IP addresses. Both IPv4 and IPv6 address ranges are supported.

[Screenshot: IP Restrictions]
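As an added illustration of the IP restriction described above (example code written for this page, not Appivo’s implementation), the following checks a client address against an administrator’s allowlist of IPv4 and IPv6 ranges. It also covers the cases an administrator should be aware of: an IPv4 client arriving as an IPv4-mapped IPv6 address on a dual-stack listener, malformed input, and a configured range so broad that it effectively disables the restriction. The ranges are constructed documentation-prefix values.

```python
import ipaddress

# Constructed sample allowlist using documentation prefixes (RFC 5737 / RFC 3849).
ALLOWED_RANGES = ["203.0.113.0/24", "2001:db8:abcd::/48"]


def parse_ranges(ranges):
    """Turn administrator-entered CIDR strings into network objects.
    strict=False accepts host bits set (e.g. 203.0.113.5/24) and masks them off."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def range_warnings(ranges):
    """Flag entries that would let everyone through: a /0 in either family."""
    return [str(net) for net in parse_ranges(ranges) if net.prefixlen == 0]


def normalize(client_ip: str):
    """Parse the client address; unwrap ::ffff:a.b.c.d to its IPv4 form so an IPv4
    rule still matches a client seen through a dual-stack socket."""
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_allowed(client_ip: str, networks) -> bool:
    """True only if the address parses and falls inside a range of the same family.
    Anything unparseable is denied rather than allowed (fail closed)."""
    try:
        addr = normalize(client_ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


if __name__ == "__main__":
    nets = parse_ranges(ALLOWED_RANGES)
    for ip in ["203.0.113.7", "198.51.100.1", "2001:db8:abcd:1::5", "::ffff:203.0.113.7", "garbage"]:
        print(ip, "->", "allow" if is_allowed(ip, nets) else "deny")
    print("warnings:", range_warnings(ALLOWED_RANGES + ["0.0.0.0/0"]))
```

The address fed to such a check must be the one the platform trusts as the real client address; if the service sits behind a proxy or load balancer, only a forwarded header set by that proxy, not one supplied by the client, should be used.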