search
HomepageCase studiesBook a demo

Microsoft Entra ID

This guide explains how to enable Single Sign-On (SSO) login via Microsoft Entra ID in Open Loyalty.

hashtag
Prerequisites

Ensure you have access to the following:

  • An active Open Loyalty instance.

  • Administrator access to your Microsoft Entra ID tenant.

  • Basic understanding of OIDC and SSO concepts.

hashtag
Step-by-Step Configuration

hashtag
Verify Settings in Open Loyalty

1

hashtag
Verify Admin Email Addresses

Ensure that the email address you want to use for SSO login does not already exist in the Open Loyalty portal.

triangle-exclamation

If an email address for the admin already exists in Open Loyalty, the SSO login will not function for that account. To enable SSO for a user, ensure there are no conflicts.

For instance, you could deactivate admin users logging in with email and password, update their email addresses by adding a suffix (e.g., "-old"), and then ask the admin users to log in via SSO.

2

hashtag
Configure the Default Role

  1. Log in to the Open Loyalty admin panel.

  2. Go to Settings > Roles.

  3. Choose the role you want to set as a default role. Click on Edit.

  4. Set a Default Role for new users logging in through SSO. This role will be assigned to newly created users and can be changed later if needed.

hashtag
Configure Microsoft Azure ID

1

hashtag
Sign in to the Azure Portal

Navigate to https://portal.azure.com and sign in with an administrator account.

2

hashtag
Register the Application

  • In the Azure portal, go to Microsoft Entra ID > App registrations.

  • Click + New registration.

  • Fill out the form:

    • Name: e.g. Open Loyalty

    • Supported account types: Select Accounts in this organizational directory only (Single tenant) (unless multi-tenant access is required).

    • (Optional) set up Redirect URI

      • Under Select a platform, Select Single-page application (SPA)

      • Under URI, enter your Open Loyalty's platform URL

  • Click Register.​

circle-exclamation

Ensure that the redirect URIs match exactly, including the scheme (http or https) and are case-sensitive.

hashtag
Share Details with Open Loyalty

1

hashtag
Share SSO Details with Open Loyalty

  • Provide the Open Loyalty team with the following details:

    • Application (client) ID

    • Directory (tenant) ID

  • The Open Loyalty team will enable SSO using the provided details.

2

hashtag
Test the Integration

  1. Use the Continue with OIDC button on the login page.

  2. Authenticate with OIDC using a user account.

  3. Verify that the user is successfully logged in and has been assigned the default role.

hashtag
Notes

  • Ensure that the Default Role is configured appropriately to avoid granting unintended permissions to new users.

  • If an email address already exists in Open Loyalty, the SSO login will not work for that account. Ensure there are no conflicts before enabling SSO for a user.

  • Authorization Flow: It's recommended to use MSAL.js 2.0 or later, which supports the authorization code flow with PKCE, enhancing security for single-page applications.

  • Redirect URI Restrictions: Redirect URIs must begin with the scheme https. They are case-sensitive and must match the case of the URL path of your running application.

hashtag
Troubleshooting

  • If login fails, double-check the URL and Client ID configuration.

  • Ensure the callback URL is correctly set in Microsoft Azure ID.

  • Verify that the Microsoft Azure ID application has been configured to allow the Open Loyalty URL.

Last updated

Was this helpful?