Single Sign-On (SSO) setup

This page provides documentation on integrating an Identity Provider (IdP) with Unique's authentication system, enabling a seamless and secure SSO experience for the users. Unique uses Zitadel as its Identity and Access Management (IAM) solution and various IdPs can be connected to it for allowing users to login via Single Sign-On.



Supported Identity Providers

Unique supports all the IdPs that Zitadel supports in the version deployed on the environment where SSO will be set up. The list of supported identity providers can be found in Zitadel’s documentation in the “Configuring IdP Providers” section.

This documentation includes a guide for setting up SSO with Microsoft Entra ID, Generic OIDC and SAML, and will be expanded in the future with guides for other providers as needed.

Microsoft Entra ID (OIDC)

Create an app registration

An App Registration needs to be created in Microsoft Azure. This can be done in Azure under App registrations > New registrations.

[Screenshot: Registering an app registration in Azure]

Configure the following:

  • Choose a name (e.g.: “Unique FinanceGPT”)

  • Select who should have access to this application

  • Redirect URL → select “Web” and enter the callback URL for the environment you’re running on

Redirect URL is environment specific

  • Multitenant

    • https://id.unique.app/ui/login/login/externalidp/callback

  • Single tenant

    • https://id.<your-tenant-name>.unique.app/ui/login/login/externalidp/callback

  • Customer managed tenant

    • https://<custom-unique-zitadel-url>/ui/login/login/externalidp/callback

Authentication

After the app registration has been created, navigate to the “Authentication” section and make sure the “Access tokens” and “ID tokens” settings are selected. This ensures that both an access token and an ID token are issued and sent along when a user logs in to Unique via SSO.

  • ID token → contains information about the user (name, email, group IDs)

  • Access token → used for making an additional Microsoft Graph API request to resolve the group IDs to group names

[Screenshot: Configure Access tokens and ID tokens to be included with SSO]

Token configuration

Next, navigate to the “Token configuration” section and add the necessary claims to the token. This ensures that the claims Unique needs are sent on the ID token.

If you want to be able to sync your user groups from Azure to Unique, make sure to also add the groups claim as shown in the second screenshot below. What kind of groups you include on the groups claim is ultimately up to you. Unique recommends including only the groups assigned to the application, in order to have more control over which groups are synced and to avoid exceeding the limit on the number of groups that can be included on the ID token.
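The two sections above describe what the ID token should carry (name, email, group IDs) and why the groups claim can overflow when a user belongs to many groups. The following Python is an added example, not code from Unique or Zitadel, showing what an application that consumes such a token would check after the OIDC library has verified the signature: whether the expected user claims are present, whether the groups claim is there, and whether Entra ID has instead signalled group overage (the `_claim_names` / `_claim_sources` pair, or `hasgroups` for implicit flows, as documented by Microsoft), in which case the group IDs must be fetched through the Microsoft Graph API with the access token. The sample tokens, tenant and group IDs, and the overage endpoint URL are constructed here and are not real values.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class GroupClaimResult:
    group_ids: list = field(default_factory=list)
    overage: bool = False           # True when the IdP left the groups out of the token
    overage_endpoint: Optional[str] = None
    note: str = ""


def decode_payload_segment(id_token: str) -> dict:
    """Read the claims of an ID token whose signature has ALREADY been verified
    by the OIDC library. This helper only parses; it performs no verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_claims(claims: dict,
                   required=("sub", "name", "email", "preferred_username")) -> list:
    """Names of user claims that were expected on the ID token but are absent,
    i.e. a sign that the Token configuration step was not completed."""
    return [c for c in required if c not in claims]


def extract_groups(claims: dict) -> GroupClaimResult:
    """Return the group IDs from the ID token, or flag that the groups claim was
    omitted because the user is in more groups than the token limit allows."""
    groups = claims.get("groups")
    if isinstance(groups, list):
        return GroupClaimResult(group_ids=list(groups), note="groups claim present")
    # Overage, authorization-code flow: a pointer to a Graph endpoint instead of the list.
    src = claims.get("_claim_names", {}).get("groups")
    if src is not None:
        endpoint = claims.get("_claim_sources", {}).get(src, {}).get("endpoint")
        return GroupClaimResult(overage=True, overage_endpoint=endpoint,
                                note="group overage: resolve groups via Graph with the access token")
    # Overage, implicit flow: only a boolean marker is emitted.
    if claims.get("hasgroups") is True:
        return GroupClaimResult(overage=True,
                                note="hasgroups marker: resolve groups via Graph with the access token")
    return GroupClaimResult(note="no groups claim on token (not configured?)")


# --- constructed sample data (not real tokens or identifiers) ------------------
def _make_sample_token(claims: dict) -> str:
    """Build a compact JWS-shaped string with a placeholder signature, for the demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


SAMPLE_CLAIMS_WITH_GROUPS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "sub": "sub-ada", "name": "Ada Example", "email": "ada@example.com",
    "preferred_username": "ada@example.com",
    "groups": ["aaaaaaaa-0000-0000-0000-000000000001", "aaaaaaaa-0000-0000-0000-000000000002"],
}
SAMPLE_CLAIMS_OVERAGE = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "sub": "sub-bob", "name": "Bob Example", "email": "bob@example.com",
    "preferred_username": "bob@example.com",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.example.invalid/getMemberObjects"}},
}
SAMPLE_TOKEN_WITH_GROUPS = _make_sample_token(SAMPLE_CLAIMS_WITH_GROUPS)


if __name__ == "__main__":
    claims = decode_payload_segment(SAMPLE_TOKEN_WITH_GROUPS)
    print("missing:", missing_claims(claims))
    print(extract_groups(claims))
    print(extract_groups(SAMPLE_CLAIMS_OVERAGE))
```

The point of the `extract_groups` branches is that an empty result and an overage result must be treated differently: the first means no groups should be synced, the second means the token is not authoritative and the application has to make the extra Graph call the Authentication section mentions. Restricting the groups claim to groups assigned to the application, as recommended above, keeps most users out of the overage branch.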

API permissions

Under the “API permissions” navigation entry you need to configure the correct permissions for the Microsoft Graph API. The permissions should include:

  • email

  • openid

  • profile

  • User.Read

  • GroupMember.Read.All

The GroupMember.Read.All permission (