Active Directory Integration with OIDC

How to integrate Operations1 using OpenID connect for easy and safe single sign-on to the platform

Written by Stefan Philipp
Updated over 2 months ago

Generally, any OpenID Connect capable identity provider can be connected to Operations1 for single sign-on (SSO), as long as the provider's endpoints are reachable from the Operations1 cloud instance for the necessary requests. Microsoft offers such a provider with the Microsoft identity platform, also known as Azure Active Directory. If Office 365 is used in your company, you most likely already have an Azure Active Directory.

Customers that use Microsoft Azure Active Directory can connect their directory with their Operations1 server to authenticate users and manage access to the application. This avoids duplicating user data and improves security and access control: no passwords are ever transmitted to the Operations1 server, and user data is managed in one central place. Single sign-on can be used in parallel with normal password authentication.

The main requirement for an integration with a customer's Active Directory is that it's available as an:

If you are using Microsoft Office 365, that's most likely already the case. For existing on-premise directories Microsoft offers Azure AD Connect Sync to connect the local directory to the Azure cloud securely.

The Operations1 server will then be registered as an app in the Azure Active Directory. It will use Microsoft's OpenID Connect endpoints to authenticate users when they log into the Operations1 application, as well as to fetch basic information such as their name and email address. Authentication with Kerberos, ADFS or LDAP against an on-premise Active Directory is currently not supported.

It is also possible to connect other single sign-on solutions to Operations1 if they support the OpenID Connect standard. The following steps are specific to the Microsoft identity platform but can be translated to other authentication providers as well.

Step-by-step guide for the integration

Before getting started, please make sure that the following prerequisites are met:

  • All relevant users for Operations1 must be stored in Azure Active Directory or synced from an on-premise directory to the cloud

  • All users must have access to the Operations1 server and the Microsoft login portal on their devices

1) Register an application with Azure Active Directory

Log in to the Azure Portal and make sure you have the appropriate permissions to register applications in your Azure Active Directory. Navigate to "Azure Active Directory", then to "App registrations", and click "New registration". Enter a name for the application and set the supported account types. You most likely only want to allow single-tenant access ("Accounts in this organizational directory only"); anything broader lets accounts from other Azure AD tenants or personal Microsoft accounts reach the Operations1 login. Click "Register" to be redirected to the Overview page of the new application. Official Microsoft documentation for registering an application: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

2) Redirect URLs

Navigate to the "Authentication" section of the newly registered application. Click the "Add a platform" button and select "Web". Enter the following redirect URLs for your company server:

Replace the domain name with the one of your Operations1 instance. For example, if you reach your Operations1 instance under mycompany.operations1.app, replace mycompany with your own subdomain. Azure matches redirect URIs exactly (scheme, host and path), so a typo or a different path causes a redirect URI mismatch error at login.

Also make sure you check the "ID tokens" option at the bottom (the implicit grant and hybrid flow settings). "Access tokens" does not need to be enabled for this login, so leave it unchecked.

Then confirm with the "Configure" button at the bottom.

If your Operations1 instance still has a cioplenu.app domain available, you also have to add https://mycompany.cioplenu.app/login/oidc-success to the redirect URIs to enable single sign-on when using the old domain.

3) Add a client secret

For the Operations1 server to authenticate with Azure, you also have to generate a client secret in the "Certificates & secrets" section. Select "New client secret" in the "Client secrets" tab, give it a description and set an expiration date.

Please note that the login will stop working as soon as the secret expires, so choose an appropriate period and rotate the secret before it expires. Whenever you generate a new secret, you have to enter it in the Operations1 configuration as well (see step 5).

Then "Add" the secret and keep the browser tab open or copy the secret value right away; Azure shows it only once and it cannot be retrieved later.

Important! Create a calendar entry for the secret's expiry date immediately after configuring it. Before that date you must create a new secret in Azure and enter it in the corresponding field in Operations1 under System settings → Auth provider.

As soon as the secret for Operations1 has expired, your users can no longer access the platform via SSO. In the worst case this affects all users.

4) Add Token configuration

To use the user's first and last name from Azure, you need to configure additional optional claims for the ID token in the "Token configuration" section. The required claims are given_name and family_name. Note that these two properties are synced only on the user's first login; later changes in Azure are not carried over to Operations1.

You might also need to add the profile permission (Microsoft Graph, delegated) to the app for this to work; Azure shows a warning in "Token configuration" if it is not yet configured. The email scope always needs to be enabled for the integration to work.

Additionally, you need to grant admin consent to the application in the "API permissions" section, so that individual users are not prompted for consent on their first login.

5) Activate the Azure Login in Operations1

Log in to Operations1 with a user account that has the permission to change settings. Navigate to System settings → Auth Providers. Add a new authentication provider and give it a name such as "Login with Azure".

Enter the client secret and the Application (client) ID from the "Overview" page of the app registration in Azure. For the OIDC issuer, click the "Endpoints" button on the "Overview" page and copy the URL labelled "OpenID Connect metadata document".

Select a default role for users who log in with Azure for the first time and, if desired, configure a welcome message for new users. Additionally, you can select a standard group for new users. Choose the least privileged role that a new user needs; anyone in the directory who can reach the login page receives it automatically.

You can use URLs and mailto links in the welcome message. Then save the configuration and make sure it's activated.

6) Login with Azure

If you now log off, you should see a new "Login with Azure" button. If it is not yet visible, reload the page. At the first login you may have to confirm that Operations1 is allowed to access your account information (unless admin consent was already granted in step 4). An administrator can consent on behalf of the whole organization.
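The steps above configure the Azure side; what the Operations1 server has to do with the Application ID, client secret, redirect URI and metadata document is not shown on this page. The following Python script is an added example, not Operations1's or Microsoft's code, of that relying-party side: it builds the authorization request with state and nonce, checks the ID token claims against the metadata document and the single-tenant registration, creates the user on the first login only, and flags a client secret that is about to expire. The tenant ID, application ID, redirect URI, metadata fields and token claims are constructed sample values; RS256 signature verification against the keys at jwks_uri is assumed to be done by a JOSE library before the claim checks run.

```python
"""Relying-party (server) side of the Azure AD OpenID Connect login.

Added example, not Operations1's own code. All IDs, URLs and token claims
below are constructed sample data, not a real tenant or application.
"""
import secrets
import time
from urllib.parse import urlencode

# Values as entered in Operations1 under System settings -> Auth Providers (constructed).
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # "Application (client) ID"
REDIRECT_URI = "https://mycompany.operations1.app/login/oidc-success"

# The fields of the "OpenID Connect metadata document" used here (constructed to
# follow the v2.0 endpoint layout; a real server fetches this document over HTTPS).
METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
}


def build_authorization_request(metadata, client_id, redirect_uri):
    """First leg of the authorization-code flow: the URL the browser is sent to.

    state ties the callback to this browser session (CSRF protection) and nonce is
    echoed inside the ID token (replay protection); both stay server-side until the
    callback. The client secret is used only at the token endpoint, never in the browser.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,       # must equal a registered URI exactly
        "scope": "openid email profile",    # email is mandatory, profile adds the names
        "state": state,
        "nonce": nonce,
    }
    return f"{metadata['authorization_endpoint']}?{urlencode(params)}", state, nonce


def validate_id_token_claims(claims, metadata, client_id, expected_nonce, now=None, skew=60):
    """Claim checks for an ID token whose RS256 signature was already verified against
    the keys from metadata['jwks_uri'] (assumed done by a JOSE library).
    Raises ValueError on any failure; returns the identity attributes on success."""
    now = time.time() if now is None else now
    if claims.get("iss") != metadata["issuer"]:
        raise ValueError("unexpected issuer")            # token from another tenant or /common
    tenant = metadata["issuer"].split("/")[3]
    if claims.get("tid") != tenant:
        raise ValueError("unexpected tenant")            # enforces the single-tenant choice
    aud = claims.get("aud")
    if (aud if isinstance(aud, list) else [aud]) != [client_id]:
        raise ValueError("token was not issued for this application")
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    exp, nbf = claims.get("exp"), claims.get("nbf", claims.get("iat"))
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise ValueError("token expired")
    if nbf is not None and now + skew < nbf:
        raise ValueError("token not yet valid")
    if "sub" not in claims or not claims.get("email"):
        raise ValueError("sub or email claim missing; check the email scope in Azure")
    return {
        "subject": claims["sub"],
        "email": claims["email"],
        "given_name": claims.get("given_name"),      # optional claims from step 4
        "family_name": claims.get("family_name"),
    }


def provision_user(users, identity, default_role="user"):
    """First login creates the account with the default role and the names from the
    token; later logins return the existing account unchanged (names sync only once)."""
    user = users.get(identity["subject"])
    if user is None:
        user = {"email": identity["email"], "given_name": identity["given_name"],
                "family_name": identity["family_name"], "role": default_role}
        users[identity["subject"]] = user
    return user


def client_secret_status(expires_at, now=None, warn_days=30):
    """Operational check for step 3: 'expired' means SSO is already broken for every
    user, 'rotate' means a new secret is due before the calendar date arrives."""
    now = time.time() if now is None else now
    remaining_days = (expires_at - now) / 86400
    if remaining_days <= 0:
        return "expired"
    return "rotate" if remaining_days <= warn_days else "ok"


def sample_claims(now, nonce):
    """Constructed ID token payload in the shape Azure issues for this app."""
    return {"iss": METADATA["issuer"], "tid": TENANT_ID, "aud": CLIENT_ID,
            "sub": "constructed-pairwise-subject-id", "nonce": nonce,
            "iat": now - 5, "nbf": now - 5, "exp": now + 3600,
            "email": "ada@mycompany.example", "given_name": "Ada", "family_name": "Lovelace"}


if __name__ == "__main__":
    url, state, nonce = build_authorization_request(METADATA, CLIENT_ID, REDIRECT_URI)
    print("redirect browser to:", url)
    now = int(time.time())
    identity = validate_id_token_claims(sample_claims(now, nonce), METADATA, CLIENT_ID, nonce, now)
    print("first login creates:", provision_user({}, identity))
    print("secret status:", client_secret_status(now + 10 * 86400, now))
```

The issuer and tid checks are what turn the single-tenant choice from step 1 into an enforced property on the server: a token minted for the same application by a different tenant, or via the /common endpoint, is rejected even if its signature verifies. The nonce check is why the "ID tokens" option and the nonce parameter matter; without it a captured ID token could be replayed at the callback URL.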

Further links and resources
