An Administrator can control user authentication settings.

SSO Authentication

Single Sign On (SSO) is a way for corporate users to leverage their corporate user directory as an identity provider to the Appivo platform. An Administrator can select from the following options to enable SSO:

  1. Microsoft Azure
  2. Google G-Suite
  3. OpenID Connect

✰Note: Only one option can be selected at a time, and each has specific configuration requirements. Follow the steps below to configure the SSO option of your choice.

Microsoft Azure

If your company uses Microsoft Azure AD as your identity management system you can use that as your identity provider. Here is how to set this up.

  1. Log in to the Microsoft Azure portal.
  2. Go to Azure Active Directory.
  3. Click on “App Registrations”.
  4. Create a new registration by clicking on “New registration”.
  5. Give the registration a meaningful name, like “Appivo”.
  6. For Account Type, select “Accounts in this organization directory only”.
  7. For Redirect URI, select Web and enter a URL in the following format: https://apps.appivo.com/auth/<tenant-id>/callback. You can find your tenant ID at the top of the SSO configuration page in Appivo.
Azure AD – Register Application

Now that you have registered your application, you will need to create a secret for authentication.

  1. If you are not still on the page of your application registration, navigate there.
  2. Click on “Certificates & Secrets”.
  3. Click on “New client secret”.
  4. Give the secret a description and set an expiration time that you are comfortable with.
  5. Once the secret has been created, copy its value.

Description of fields: Click > Edit Details 

| Fields | Description |
|---|---|
| Client ID | Enter the ID of the application registration you created in the Azure AD portal. |
| Client Secret | Enter the client secret you generated in the Azure AD portal. |
| Tenant ID | Enter the tenant ID. The tenant ID is a globally unique identifier (GUID). |
| Scope | Enter the scope. The enabled scopes are separated by commas. |

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION 

✰Note: A custom login URL is generated on successful configuration submission for your tenant.

Google

If your company uses Google Workspace you can use that as your identity provider. Here’s how to configure it:

Google Authentication

Description of fields.

| Fields | Description |
|---|---|
| Client ID | Enter the Client ID. The ID uniquely identifies your subscription to use Google services. |
| Client Secret | Enter the client secret. The client secret should only be known to your application and the authorization server. |
| Scope | Enter the scope. The enabled scopes are separated by commas. |

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION

✰Note: A custom login URL is generated on successful configuration submission for your tenant.

OpenID Connect

Appivo also supports using any OpenID Connect compliant identity provider.


Description of fields

| Fields | Description |
|---|---|
| Client ID | Enter the Client ID. The ID uniquely identifies your subscription to use connect services. |
| Client Secret | Enter the client secret. The client secret should only be known to your application and the authorization server. |
| Token endpoint URL | Enter the token URL. The token endpoint is used by a client to obtain an ID token, an access token and a refresh token. |
| Authorization endpoint URL | Enter the authorization URL. The client uses it to identify a user or obtain an authorization code. |
| User info endpoint URL | Enter the key. The claims are typically packaged in a JSON object where the sub member denotes the end-user identifier. |
| Scope | Enter the scope. The enabled scopes are separated by commas. |

Select the checkbox > Use proof key for code exchange and Click > SUBMIT CONFIGURATION

✰Note: A custom login URL is generated on successful configuration submission for your tenant.

Two Factor Authentication

Administrators may choose to enable Two Factor Authentication (also known as Multi Factor Authentication) to require a One Time Password (OTP) for all users. An Administrator may require all users to use it by setting an enforcement date to give users a window to comply on their own, or allow users to optionally configure it.


✰Note: Users will need to use an app like Google Authenticator to generate their OTPs.

IP Restrictions

An administrator may enable an Internet Protocol (IP) Restriction. This requires users to have a specific IP address in order to log in. An administrator can select one or more ranges of allowed IP addresses. They also have a choice to use traditional IP addresses (IPv4) or the newer IP address format (IPv6).
