Single Sign-On (SSO) setup
This page provides documentation on integrating an Identity Provider (IdP) with Unique's authentication system, enabling a seamless and secure SSO experience for the users. Unique uses Zitadel as its Identity and Access Management (IAM) solution and various IdPs can be connected to it for allowing users to login via Single Sign-On.
Supported Identity Providers
Unique supports all the IDPs that Zitadel supports in the version that is deployed on the environment where SSO will be setup. The list of supported identity providers can be found in Zitadel’s documentation in the “Configuring IdP Providers” section.
This documentation includes a guide for setting up SSO with Microsoft Entra ID, Generic OIDC and SAML, and will be expanded in the future with guides for other providers as needed.
Microsoft Entra ID (OIDC)
Create an app registration
An App Registration needs to be created in Microsoft Azure. This can be done in Azure under App registrations > New registrations.
Configure the following:
Choose a name (e.g.: “Unique FinanceGPT”)
Select who should have access to this application
Redirect URL → select “Web” and enter the callback URL for the environment you’re running on
Redirect URL is environment specific
Multitenant
https://id.unique.app/ui/login/login/externalidp/callback
Single tenant
https://id.<your-tenant-name>.unique.app/ui/login/login/externalidp/callback
Customer managed tenant
https://<custom-unique-zitadel-url>/ui/login/login/externalidp/callback
Authentication
After the app registration has been created, navigate to the “Authentication” section and make sure the “Access tokens” and “ID tokens” settings are selected. This is to ensure that the Access token and ID token are issued and sent along when a user uses SSO to login to Unique.
ID token → contains information about the user (name, email, group IDs)
Access token → used for making an additional Microsoft GraphAPI request to get the group names
Token configuration
Next navigate to the “Token configuration” section and add necessary claims to the token. This is to ensure that the needed claims are sent on the ID token.
If you want to be able to sync your user groups from Azure to Unique, make sure to also add the groups claim as shown in the second screenshot below. What kind of groups you want to include on the groups claim is ultimately up to you. Unique recommends to include only the groups assigned to the application in order to have more control over what groups are synced and avoid exceeding the limit on the number of groups that can be included on the ID token.
API permissions
Under the “API permissions” navigation entry you need to configure the correct permissions for the Microsoft Graph API. The permissions should include:
email
openid
profile
User.Read
GroupMember.Read.All
The GroupMember.Read.All
permission (