Single Sign-On
  • 02 Dec 2025



With Single Sign-on (SSO) you can leverage your existing Identity Provider (IdP) to authenticate users. They do not need to create an account manually and can sign into the Combeenation platform in a similar way to other work-related applications.

Single Sign-on is initially available through Microsoft Entra ID using the OpenID Connect (OIDC) protocol. Support for other identity providers will be added over time, based on customer demand.

Configure SSO

Single Sign-on can be configured for a company or distributor.

For a company setup, go to Setting > Single sign-on (SSO).
For distributors, go to Distributors and choose an existing distributor, then open the Single sign-on (SSO) tab.

The remaining configuration steps are identical for companies and distributors.

Tip

You can assign users of your Identity Provider to different distributors (or the company) by setting up multiple SSO configurations.

You can use the same connection settings and choose which users have access by assigning them different roles in each distributor (None meaning that they don’t have access).

Microsoft Entra ID OIDC

Step 1: Create an App registration

Sign in to the Microsoft Entra admin center

In the navigation menu on the left, expand Entra ID and click App registrations, then click on New registration.

  1. Enter a name for your app, such as “Combeenation Platform SSO”

  2. Under Supported account types select Accounts in this organizational directory only (My Directory only - Single tenant).

  3. For the Redirect URI choose the Web option and copy the URI from your Combeenation platform settings page; you will find it at the bottom of the settings.

  4. Click Register to create the app.

Step 2: Copy the Client ID

Open the Overview page and copy the Application (client) ID.
Paste it into the Client Id field of the Combeenation SSO settings page.

Tip

You must click on Save changes in the Combeenation SSO settings page to apply any changes you make.

You don’t have to do this in each step, but don’t forget it at the end if you don’t!

Step 3: Create a Client Secret

Open the Certificates & secrets page and click on New client secret.
Enter a description for the secret and click Add.

Copy the created secret Value and paste it into the Client Secret field of the Combeenation SSO settings.

Step 4: Copy Authority and Metadata endpoints

Back on the Overview page, click on Endpoints.
Copy the Authority URL (Accounts in this organizational directory only) and paste it into the Authority field of the Combeenation SSO settings.
Next copy the OpenID Connect metadata document URL and paste it into the Metadata Endpoint field.

Step 5: Configure Token Claims

Open Token Configuration and click Add optional claim.
Select ID as Token type and then select the following claims:

  • email

  • family_name

  • given_name

Click Add and then check the Turn on the Microsoft Graph email, profile permission (required for claims to appear in token) option in the pop-up that appears, then confirm again by clicking Add.

Step 6: Define App roles (optional)

App roles are required to assign different roles to different users. If all your users should have the same role on the Combeenation platform, you can set that role as default and skip this step.

Go to App roles and click on Create app role to define a new role.
In the pop-up that appears enter a Display Name and select Users/Groups for the Allowed member types option.
Next, enter a Value for the role – this value has to be pasted into the Combeenation SSO settings page. It can be the same as the Display name.
Finally, enter a Description for the role and click Apply.

On the Combeenation SSO settings page, choose a Default role for your users. This role will be assigned to users that have not been assigned a (known) App role in Entra.
If you leave this set to None, any users with an unknown App role will not be able to sign in!

Next, click on Add role to create a mapping between an Entra App role and a Combeenation role.
Copy the Value of your App role into the App role field in the dialog that appears and choose a CBN role.

Click on Save changes when you are done.

Step 7: Assign Users and Groups

Back in Entra, click on Enterprise apps in the main navigation menu on the left and then open All applications.
Enter the name of your app in the Search by application name or object ID box and select it in the list below.

On the Enterprise Application page, go to Users and groups and click on Add user/group.
The Add Assignment page will open; click on None Selected under Users and groups and select appropriate users and/or groups.
Choose a role for your users (provided you created App Roles in step 6) and finally click Assign to confirm.
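
A pre-flight check on a test user's ID token after Steps 5 to 7, as an added example (not Combeenation's code): it confirms the three optional claims and the tenant, then resolves the role as Step 6 describes. The tenant ID, role names and first-match rule are assumptions, the sample tokens are constructed, and the payload is decoded without signature verification, for inspection only.

```python
import base64
import json

REQUIRED_CLAIMS = ("email", "family_name", "given_name")  # optional claims from Step 5


def _b64url(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "constructed-signature"])


def decode_payload(id_token: str) -> dict:
    """Decode the JWT payload for inspection only; no signature check is done."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(id_token, tenant_id, role_map, default_role=None):
    """Return (resolved_role, problems) for one test user's ID token."""
    claims = decode_payload(id_token)
    problems = []
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        problems.append("missing claims: " + ", ".join(missing))
    if claims.get("tid") != tenant_id:  # single-tenant registration (Step 1)
        problems.append("tid does not match the expected tenant")
    # Assumption: the first App role with a mapping wins; otherwise the default applies.
    mapped = [role_map[r] for r in claims.get("roles", []) if r in role_map]
    role = mapped[0] if mapped else default_role
    if role is None:
        problems.append("no known App role and Default role is None: sign-in refused")
    return role, problems


TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
ROLE_MAP = {"Designer": "cbn-editor"}            # hypothetical App role -> CBN role

if __name__ == "__main__":
    ok = make_sample_token({"tid": TENANT, "email": "a@example.com",
                            "family_name": "Doe", "given_name": "Ann", "roles": ["Designer"]})
    bad = make_sample_token({"tid": TENANT, "email": "b@example.com",
                             "family_name": "Roe", "roles": ["Intern"]})
    for token in (ok, bad):
        print(preflight(token, TENANT, ROLE_MAP))
```
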

Step 8: Test Single Sign-On

On the Combeenation SSO settings page, click the Test SSO connection button at the top.

You will be redirected to Entra and asked to grant permissions to your Entra app to access basic user profile data.
If you are an Entra administrator, you can Consent on behalf of your organization so that your users won’t be asked individually for these permissions.

The results of the connection test will be displayed to the right of the SSO status area. If there was a problem, you will find details about the error there.

Once the connection test succeeds, click on the Enable SSO toggle to activate Single Sign-On.
We strongly recommend also deactivating password logins at this point; to do so, click on the Deactivate password login toggle.

Tip

If you make any changes to connection-related SSO settings, Single Sign-On will be automatically deactivated until you have completed another SSO connection test.

Password login will be activated automatically to ensure you can still access your account in the meantime (you can request a new password on the login screen if necessary).

Disable password login

Make sure to disable password login once SSO has been enabled!

The security and maintenance benefits that Single Sign-On provides are lost when users can bypass SSO with passwords!

