Microsoft Entra ID

This guide explains how to enable Single Sign-On (SSO) login via Microsoft Entra ID in Open Loyalty.

Prerequisites

Ensure you have access to the following:

An active Open Loyalty instance.
Administrator access to your Microsoft Entra ID tenant.
Basic understanding of OIDC and SSO concepts.

Step-by-Step Configuration

Verify Settings in Open Loyalty

Verify Admin Email Addresses

Ensure that the email address you want to use for SSO login does not already exist in the Open Loyalty portal.

If an email address for the admin already exists in Open Loyalty, the SSO login will not function for that account. To enable SSO for a user, ensure there are no conflicts.

For instance, you could deactivate admin users logging in with email and password, update their email addresses by adding a suffix (e.g., "-old"), and then ask the admin users to log in via SSO.

Configure the Default Role

Log in to the Open Loyalty admin panel.
Go to Settings > Roles.
Choose the role you want to set as a default role. Click on Edit.
Set a Default Role for new users logging in through SSO. This role will be assigned to newly created users and can be changed later if needed.

Configure Microsoft Azure ID

Navigate to https://portal.azure.com and sign in with an administrator account.

Register the Application

In the Azure portal, go to Microsoft Entra ID > App registrations.
Click + New registration.
Fill out the form:
- Name: e.g. Open Loyalty
- Supported account types: Select Accounts in this organizational directory only (Single tenant) (unless multi-tenant access is required).
- (Optional) set up Redirect URI
  - Under Select a platform, Select Single-page application (SPA)
  - Under Redirect URIs, enterhttps://your-production-domain.com/login/callback
Click Register.

Ensure that the redirect URIs match exactly, including the scheme (http or https) and are case-sensitive.

Create a Client Secret

In the application's pane, select Certificates & secrets.
Under Client secrets, click + New client secret.
Add a description (e.g., Open Loyalty Secret) and set an expiry period.
Click Add.
Copy the Value of the client secret and store it securely.

You won't be able to view the client secret value again after leaving this page!

Set API Permissions

Navigate to API permissions.
Click + Add a permission > Microsoft Graph.
Choose Delegated permissions and select:
- email
Click Add permissions.
Click Grant admin consent (if required) and confirm

It is important to set the email permission - otherwise, the integration will not work properly.

Provide the Open Loyalty team with the following details:
- Application (client) ID
- Directory (tenant) ID
- Application ID URI
The Open Loyalty team will enable SSO using the provided details.

Test the Integration

Use the Continue with OIDC button on the login page.
Authenticate with OIDC using a user account.
Verify that the user is successfully logged in and has been assigned the default role.

Notes

Ensure that the Default Role is configured appropriately to avoid granting unintended permissions to new users.
If an email address already exists in Open Loyalty, the SSO login will not work for that account. Ensure there are no conflicts before enabling SSO for a user.
Scopes: Ensure that the scopes openid, profile, and email are included in your application's configuration to retrieve necessary user information.
Authorization Flow: It's recommended to use MSAL.js 2.0 or later, which supports the authorization code flow with PKCE, enhancing security for single-page applications.
Redirect URI Restrictions: Redirect URIs must begin with the scheme https. They are case-sensitive and must match the case of the URL path of your running application.

Troubleshooting

If login fails, double-check the URL and Client ID configuration.
Ensure the callback URL is correctly set in Microsoft Azure ID.
Verify that the Microsoft Azure ID application has been configured to allow the Open Loyalty URL.

Last updated 4 days ago

Was this helpful?

Step-by-Step Configuration

Verify Settings in Open Loyalty

Verify Admin Email Addresses

Ensure that the email address you want to use for SSO login does not already exist in the Open Loyalty portal.

If an email address for the admin already exists in Open Loyalty, the SSO login will not function for that account. To enable SSO for a user, ensure there are no conflicts.

For instance, you could deactivate admin users logging in with email and password, update their email addresses by adding a suffix (e.g., "-old"), and then ask the admin users to log in via SSO.

Configure the Default Role

Log in to the Open Loyalty admin panel.
Go to Settings > Roles.
Choose the role you want to set as a default role. Click on Edit.
Set a Default Role for new users logging in through SSO. This role will be assigned to newly created users and can be changed later if needed.

Configure Microsoft Azure ID

Navigate to https://portal.azure.com and sign in with an administrator account.

Register the Application

In the Azure portal, go to Microsoft Entra ID > App registrations.
Click + New registration.
Fill out the form:
- Name: e.g. Open Loyalty
- Supported account types: Select Accounts in this organizational directory only (Single tenant) (unless multi-tenant access is required).
- (Optional) set up Redirect URI
  - Under Select a platform, Select Single-page application (SPA)
  - Under Redirect URIs, enterhttps://your-production-domain.com/login/callback
Click Register.

Ensure that the redirect URIs match exactly, including the scheme (http or https) and are case-sensitive.

Create a Client Secret

In the application's pane, select Certificates & secrets.
Under Client secrets, click + New client secret.
Add a description (e.g., Open Loyalty Secret) and set an expiry period.
Click Add.
Copy the Value of the client secret and store it securely.

You won't be able to view the client secret value again after leaving this page!

Set API Permissions

Navigate to API permissions.
Click + Add a permission > Microsoft Graph.
Choose Delegated permissions and select:
- email
Click Add permissions.
Click Grant admin consent (if required) and confirm

It is important to set the email permission - otherwise, the integration will not work properly.

Provide the Open Loyalty team with the following details:
- Application (client) ID
- Directory (tenant) ID
- Application ID URI
The Open Loyalty team will enable SSO using the provided details.

Test the Integration

Use the Continue with OIDC button on the login page.
Authenticate with OIDC using a user account.
Verify that the user is successfully logged in and has been assigned the default role.

Notes

Ensure that the Default Role is configured appropriately to avoid granting unintended permissions to new users.

If an email address already exists in Open Loyalty, the SSO login will not work for that account. Ensure there are no conflicts before enabling SSO for a user.

Scopes: Ensure that the scopes openid, profile, and email are included in your application's configuration to retrieve necessary user information.

Authorization Flow: It's recommended to use MSAL.js 2.0 or later, which supports the authorization code flow with PKCE, enhancing security for single-page applications.

Redirect URI Restrictions: Redirect URIs must begin with the scheme https. They are case-sensitive and must match the case of the URL path of your running application.

Prerequisites

Step-by-Step Configuration

Verify Settings in Open Loyalty

Verify Admin Email Addresses

Configure the Default Role

Configure Microsoft Azure ID

Sign in to the Azure Portal

Register the Application

Create a Client Secret

Set API Permissions

Share Details with Open Loyalty

Share SSO Details with Open Loyalty

Test the Integration

Notes

Troubleshooting

Prerequisites

Step-by-Step Configuration

Verify Settings in Open Loyalty

Verify Admin Email Addresses

Configure the Default Role

Configure Microsoft Azure ID

Sign in to the Azure Portal

Register the Application

Create a Client Secret

Set API Permissions

Share Details with Open Loyalty

Share SSO Details with Open Loyalty

Test the Integration

Notes

Troubleshooting