Microsoft Entra ID

This guide explains how to enable Single Sign-On (SSO) login to Open Loyalty via Microsoft Entra ID (formerly Azure Active Directory) using OpenID Connect (OIDC).

Prerequisites

Ensure you have access to the following:

  • An active Open Loyalty instance.

  • Administrator access to your Microsoft Entra ID tenant.

  • Basic understanding of OIDC and SSO concepts.

Step-by-Step Configuration

Verify Settings in Open Loyalty

Step 1: Verify Admin Email Addresses

Ensure that the email address you want to use for SSO login does not already exist as an admin account in the Open Loyalty portal. An existing account with the same email address blocks SSO login for that user (see Notes).

Step 2: Configure the Default Role

  1. Log in to the Open Loyalty admin panel.

  2. Go to Settings > Roles.

  3. Open the role you want to use as the default for SSO users and click Edit.

  4. Mark it as the Default Role. This role is assigned to every user created through SSO and can be changed per user later, so choose a least-privilege role rather than an administrative one.

Configure Microsoft Entra ID

Step 1: Sign in to the Azure Portal

Navigate to https://portal.azure.com and sign in with an administrator account.

Step 2: Register the Application

  • In the Azure portal, go to Microsoft Entra ID > App registrations.

  • Click + New registration.

  • Fill out the form:

    • Name: e.g. Open Loyalty

    • Supported account types: Select Accounts in this organizational directory only (Single tenant). Choose a multi-tenant option only if users from other Entra tenants must be able to sign in, since it widens who can start a sign-in against this registration.

    • Redirect URI (can be entered now or added later under the registration's Authentication page; sign-in will not work until it is set)

      • Under Select a platform, select Single-page application (SPA)

      • Under URI, enter your Open Loyalty platform URL exactly as it will be sent in the sign-in request (see Redirect URI Restrictions in the Notes)

  • Click Register.

Share Details with Open Loyalty

Step 1: Share SSO Details with Open Loyalty

  • Provide the Open Loyalty team with the following details, both shown on the app registration's Overview page:

    • Application (client) ID

    • Directory (tenant) ID

  • No client secret is required: the SPA platform uses the authorization code flow with PKCE, which authenticates the code exchange with a one-time verifier instead of a shared secret.

  • The Open Loyalty team will enable SSO using the provided details.

Step 2: Test the Integration

  1. Use the Continue with OIDC button on the login page.

  2. Authenticate with a Microsoft Entra ID user account whose email address does not yet exist in Open Loyalty.

  3. Verify that the user is successfully logged in and has been assigned the default role, and nothing beyond it.

Notes

  • Ensure that the Default Role is configured appropriately to avoid granting unintended permissions to new users. Every Entra ID user who can sign in to the registration receives this role on first login.

  • If an email address already exists in Open Loyalty, the SSO login will not work for that account. Ensure there are no conflicts before enabling SSO for a user.

  • Authorization Flow: It's recommended to use MSAL.js 2.0 or later, which supports the authorization code flow with PKCE for single-page applications. Leave the implicit grant options (Access tokens, ID tokens) on the registration's Authentication page disabled; the SPA platform does not need them.

  • Redirect URI Restrictions: Redirect URIs must begin with the scheme https (localhost development URIs are the documented exception). They are case-sensitive and must match the case of the URL path of your running application; a URI that differs only in case from the registered one is rejected.

Troubleshooting

  • If login fails, double-check the Open Loyalty URL and the Application (client) ID and Directory (tenant) ID you shared.

  • Ensure the callback URL is registered as an SPA redirect URI in Microsoft Entra ID and matches the running application exactly, including case. A mismatch surfaces on the Microsoft sign-in page as error AADSTS50011 (redirect URI does not match).

  • Verify that the Microsoft Entra ID application has been configured to allow the Open Loyalty URL and that the signing-in user belongs to the tenant the registration was created in.
