👥 Roles and permissions
Only administrators can enable SSO for the organization
Hyperproof supports single sign-on (SSO) with several different identity providers such as Okta, Microsoft Entra ID, and JumpCloud. When SSO is configured, users in a Hyperproof organization can log in to Hyperproof using the credentials stored in their company’s identity provider.
Once SSO has been configured in a Hyperproof organization, the administrators of that organization can require SSO for all users with an email address that matches the SSO domain assigned to the organization (referred to as domain users in this article). For example, if the SSO domain assigned to the organization is luna.com, once SSO Required is selected during setup, [email protected], [email protected], and all other @luna.com users are required to log in via SSO using Luna’s identity provider.
When SSO is required, users invited to the organization who do not have a matching email address, e.g., [email protected], are not required to log in via SSO. Additionally, the administrators of the organization always have the option of logging in with non-SSO options. This helps to ensure that the organization administrators can always correct any SSO configuration issues that might arise.
More information on the SSO Required option can be found in Requiring SSO for login.
📝 Note
Hyperproof does not currently support user provisioning via SSO. If you'd like to see this feature in Hyperproof, please submit a feature request.
Invitations and SSO
In an organization where SSO has been configured, invitations sent to domain users behave differently based on whether the organization has SSO Required set or not.
📝 Note
Organization invitations are time-sensitive and expire after 30 days.
SSO Required is not set
When SSO is not required, the invitation that a domain user receives contains a link that always directs them to the standard Hyperproof sign-in page, i.e. there is no redirect to the configured identity provider. The user may log in with any of the options presented there (e.g. Google or Office 365), and as long as the email address they use to log in matches the email address in the invitation, they can accept the invitation and join the organization.
Subsequently, the user may choose to log out of Hyperproof and log in using the SSO URL or log in directly from the identity provider’s portal, if the identity provider offers that option. As long as the email address associated with the user in the identity provider is the same as the email address that was used when they accepted the invitation, they will be allowed to log in to Hyperproof and will be properly recognized as the same user. SSO URL examples include:
Hyperproof US: https://luna.hyperproof.app/
Hyperproof EU: https://luna.hyperproof.eu/
Hyperproof Gov: http://luna.hyperproofgov.app/
SSO Required is set
When SSO is required, the invitation sent to a domain user contains a link that takes them to Hyperproof as expected. Hyperproof will then recognize that they are required to log in via SSO (because their email address matches the SSO domain) and they will be redirected to the configured identity provider so that they can log in via SSO. Once they have logged in via SSO, they will be able to accept the invitation as long as the email address associated with the user in the identity provider matches the email address in the invitation.
Invitations to other users
Invitations sent to users without an email address matching the assigned SSO domain always direct the user to the standard Hyperproof sign-in page.
Microsoft Entra ID and Office 365 considerations
📝 Note
Microsoft has renamed Azure AD to Microsoft Entra ID.
For organizations that leverage Microsoft Entra ID, Hyperproof supports SSO using the OpenID Connect (OIDC) protocol.
Once SSO via Microsoft Entra ID OIDC is configured in the Hyperproof organization, domain users can sign in using SSO. As with other identity providers, the invitation behaviors described in the above section apply. In an organization configured for SSO with Microsoft Entra ID, if SSO Required is not set, invited users are taken to the standard Hyperproof sign-in page where they can choose a sign-in option. Given that Microsoft Entra ID is the identity provider, many users might choose Hyperproof's built-in Office 365 option since signing in with Office 365 uses the same identity information.
It’s worth noting that signing in with Office 365 may look and feel like signing in with SSO using Microsoft Entra ID via OIDC, but the two sign-in mechanisms are distinct. Because they are distinct, i.e., they are different apps in Microsoft Entra ID, a Directory user might be enabled for one option but not the other.
For example, you might have configured SSO with Microsoft Entra ID and made it possible for some or all of your Directory users to leverage that integration to log in to Hyperproof. However, if you don’t have SSO Required set, and if you have not granted these users the ability to consent to applications that access corporate data (see below), they may not be able to log in via the Office 365 option since it requires consent. If the user is not able to log in, they can't accept the invitation and join the Hyperproof organization.
Similarly, the Microsoft Entra ID users in an organization may be granted the ability to consent to applications that access corporate data, but they may not be members of the Hyperproof Enterprise Application which is used during SSO. In this case, the user would be able to accept the invitation (because they were able to log in using the Office 365 option) but they will not be able to log in via SSO.
Controlling user consent (signing in with Office 365)
The user consent settings in Microsoft Entra ID can be found in the Microsoft Entra ID portal under Enterprise Applications > Consent > Applications.
These options control whether or not users can connect to apps like Hyperproof that request access to your organization’s data. For more information on user and admin consent in Microsoft Entra ID, refer to this Microsoft article.
Controlling SSO access (signing in using Microsoft Entra ID SSO)
To control which of your Microsoft Entra ID users have permission to log into Hyperproof using SSO, you can use the Enterprise Application settings for the Hyperproof SSO application in Microsoft Entra ID.
In the Microsoft Entra ID portal, navigate to Enterprise Applications and then find the Hyperproof application that corresponds with the app registration you created when you configured SSO. See Enabling single sign-on with Microsoft Entra ID via OIDC or Enabling single sign-on with Microsoft Entra ID via OIDC for Hyperproof Gov. On the Properties tab of this application, there is an Assignment required option that controls whether or not users have to be explicitly added to the application to be able to use it.
If you set Assignment required to Yes, you can use the Users and Groups tab on the same page to add users to the application.
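The two settings described above can also be audited from the command line. The following is an added example (not Hyperproof's or Microsoft's own code) that uses the Microsoft.Graph PowerShell module to report the Assignment required state and assigned users of the SSO enterprise application, plus the tenant's user consent policy; the display name 'Hyperproof' is an assumption and should be replaced with the name of the app registration you created.

```powershell
# Added example: audit the Entra ID settings that gate the two Hyperproof sign-in paths.
# Assumes the Microsoft.Graph module is installed and the signed-in account can read
# applications and policies. 'Hyperproof' is an assumed display name for the SSO app.
Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All'

$appName = 'Hyperproof'   # assumption: display name of your SSO enterprise application

# 1. Assignment required: when true, only explicitly assigned users/groups can use SSO.
$sp = Get-MgServicePrincipal -Filter "displayName eq '$appName'"
if (-not $sp) { throw "No enterprise application named '$appName' was found" }
"Assignment required for '$appName': $($sp.AppRoleAssignmentRequired)"

# 2. Principals assigned to the application. A domain user missing from this list
#    (with Assignment required = Yes) cannot complete the SSO login path.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Select-Object PrincipalDisplayName, PrincipalType, CreatedDateTime |
    Format-Table -AutoSize

# 3. User consent policy: governs whether users may consent to apps such as the
#    separate Office 365 sign-in, which requires consent when SSO Required is not set.
$authz   = Get-MgPolicyAuthorizationPolicy
$consent = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if (-not $consent) {
    'User consent: disabled (users cannot consent; an admin must grant consent)'
} else {
    "User consent policies assigned: $($consent -join ', ')"
}
```

Compare the two outputs against the invitation behavior you intend: a user who appears in the assignment list but is blocked by the consent policy can sign in via SSO but not via Office 365, and vice versa.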