👥 Roles and permissions
Only administrators can enable SSO for the organization.
📝 Note
Microsoft has renamed Azure AD to Microsoft Entra ID.
Hyperproof supports single sign-on (SSO) with Microsoft Entra ID via OpenID Connect (OIDC). Once SSO is enabled for your organization, Hyperproof users will be able to log in with their Microsoft Entra ID credentials using a custom URL that is specific to your organization.
If your organization is in Hyperproof US, an example of a custom URL is:
https://luna.hyperproof.app
If your organization is in Hyperproof EU, an example of a custom URL is:
https://luna.hyperproof.eu
The first step towards enabling SSO in your organization is to add Hyperproof to your Microsoft Entra tenant. You’ll need a subdomain provisioned by Hyperproof Support. To get your subdomain, create a support request asking for SSO setup.
📝 Note
If the domain is a .com address, the subdomain is set as the domain without the .com suffix.
If the domain is not a .com address, the subdomain is set as the domain name without the period.
Examples
Domain name | Subdomain |
acme | |
lunabtechnologies | |
techstartupio | |
whitehousegov |
📝 Note
If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:
Hyperproof US: https://hyperproof.app/
Hyperproof EU: https://hyperproof.eu/
Hyperproof Gov: http://hyperproofgov.app/
Step One: Creating an app registration in Microsoft Entra ID
Log in to the Microsoft Entra ID portal as an Administrator.
Enter App registrations in the search bar at the top of the page.
Click + New registration.
Specify the following settings for the new application.
Name - Enter a display name for this application.
Supported account types - Select Accounts in this organizational directory only (Default Directory only - Single tenant).
Redirect URI - Select Web from the drop-down and enter the following:
For Hyperproof US the URI is:
https://signin.hyperproof.app/login/callback
For Hyperproof EU the URI is:
https://signin.hyperproof.eu/login/callback
Click Register.
Copy the Application (client) ID value and save it for later.
Click Endpoints.
Copy the OpenID Connect metadata document value and save it for later.
From the left menu, select Branding > properties.
In the Upload new logo field, upload the Hyperproof logo file. Click here to download the file
In the Home page URL field, enter your organization's Hyperproof URL, e.g.
https://luna.hyperproof.app/signin for Hyperproof US, https://luna.hyperproof.eu/signin for Hyperproof EU.
📝 Note
Steps 11 - 13 are required for the IdP-initiated sign-in to work.
In the Terms of service URL field, enter https://hyperproof.io/terms-of-use/.
In the Privacy statement URL field, enter https://hyperproof.io/privacy-policy/.
Click Save.
From the left menu, select Certificates and secrets.
Click + New client secret.
Enter a description for the secret, e.g. Hyperproof secret.
From the Expires drop-down menu, select a value.
Click Add.
Copy the new secret's value and save it for later.
📝 Note
Do not skip this step! You can only view the value once.
From the left menu, select Token configuration.
Click + Add Optional Claim.
Select the ID radio button, and then select the email, family_name, and given_name checkboxes.
Click Add.
You’ll be prompted to add permissions for Microsoft Graph. Select the checkbox, and then click Add.
Enter Enterprise applications in the search bar at the top of the page.
Select the app you just created.
From the left menu, select Properties.
Toggle on Visible to users?. Note that if this option isn't toggled on, users won't be able to see the Hyperproof tile in their SSO application menu.
📝 Note
Make sure you have collected the following before proceeding to the next step:
Application (client) ID
OpenID Connect metadata document value
Client secret value
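Before pasting these values into Hyperproof, a quick sanity check catches the usual copy mistakes. The script below is an added example, not Hyperproof or Microsoft code; the function name `preflight` and the sample values are constructed, and it assumes the metadata URL has the tenant as its first path segment.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Tenant aliases that indicate a multi-tenant endpoint, not a single-tenant one.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}
# Redirect URIs given in Step One of this page.
CALLBACKS = {"https://signin.hyperproof.app/login/callback",
             "https://signin.hyperproof.eu/login/callback"}

# Constructed sample values (not real identifiers or secrets).
SAMPLE_GOOD = {
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed-secret-value~not-real",
    "metadata_url": "https://login.microsoftonline.com/"
                    "11111111-2222-3333-4444-555555555555"
                    "/v2.0/.well-known/openid-configuration",
    "redirect_uri": "https://signin.hyperproof.app/login/callback",
}

def preflight(client_id, client_secret, metadata_url, redirect_uri):
    """Return a list of problems with the values collected in Step One."""
    problems = []
    if not GUID.match(client_id):
        problems.append("client ID is not a GUID")
    # The secret's ID is a GUID; the secret's value is not.
    if GUID.match(client_secret):
        problems.append("client secret is a GUID: the secret's ID was copied, not its value")
    url = urlparse(metadata_url)
    segments = [s for s in url.path.split("/") if s]
    tenant = segments[0].lower() if len(segments) >= 3 else ""
    if url.scheme != "https":
        problems.append("metadata URL is not https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadata URL is not an OpenID Connect metadata document")
    if not tenant or tenant in MULTI_TENANT_ALIASES:
        problems.append("metadata URL is not tenant-specific (the app is single tenant)")
    # Redirect URIs are compared exactly, so a trailing slash is a mismatch.
    if redirect_uri not in CALLBACKS:
        problems.append("redirect URI does not match a Hyperproof callback exactly")
    return problems

if __name__ == "__main__":
    print(preflight(**SAMPLE_GOOD) or "all collected values look plausible")
```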
Step Two: Configuring Microsoft Entra ID in your Hyperproof organization
Once the Hyperproof application has been configured in Microsoft Entra, you’ll need to add the client ID, client secret, and metadata document URL to the SSO configuration of your Hyperproof organization.
Log in to Hyperproof as an Administrator.
From the left menu, select Settings and then select Authentication.
📝 Note
The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.
Toggle on Single Sign On (SSO).
The Authentication window opens.
From the Identity Provider drop-down menu, select Microsoft Entra ID via OIDC.
In the Client Secret field, paste the client secret value you copied in Step 20 above.
In the Metadata Document URL field, paste the metadata document URL you copied in Step 8 above.
Click Save.
Step Three: Logging in to Hyperproof with SSO
You’ll be able to log in to Hyperproof using your Microsoft Entra credentials after SSO is fully configured for your Hyperproof organization.
At this point, you’ll have the option to make SSO required. If required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.
Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.
From the left menu, select Settings and then select Authentication.
At the top of the screen, you will see your organization’s SSO URL. This is the URL that your organization's Hyperproof users will use to log in to Hyperproof.
Copy the SSO URL to the clipboard.
Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.
Paste the SSO URL into a new browser tab and then press Enter.
You’re redirected to Microsoft Entra ID where you can log in with your Microsoft Entra credentials. Once you’ve provided your Microsoft Entra credentials, you’ll be logged into Hyperproof automatically. If not, review the steps in the Step One: Creating an app registration in Microsoft Entra ID section above.
If you were able to log in to Hyperproof successfully using SSO, you are ready to share the SSO URL with the other Hyperproof users in your organization.
Expired client secret
📝 Note
If your Hyperproof organization has SSO set to Required for all users and the client secret expires, all users will be locked out of Hyperproof and, therefore, unable to update the secret value.
The client secret and its expiration are owned by Microsoft Entra. Hyperproof has no way of knowing when the value is due to expire. It's highly recommended to set a task reminder for yourself to make the update proactively.
Over time your client secret may expire, preventing users in your organization from logging into Hyperproof. If users can't log in due to an expired client secret, create a new secret in Azure and ask a Hyperproof organization administrator to update that secret in Hyperproof.
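Because Hyperproof cannot see the expiration date, the reminder has to come from the Entra side. The script below is an added example, not part of Hyperproof or Microsoft tooling: it classifies an app registration's secrets by time remaining, using constructed sample data in the shape of the `passwordCredentials` list on a Microsoft Graph application object (the same fields `az ad app credential list --id <app-id>` prints). The 30-day warning window and the function names are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real key IDs), shaped like Graph passwordCredentials.
SAMPLE = json.loads("""[
 {"displayName": "Hyperproof secret",
  "keyId": "00000000-0000-0000-0000-000000000001",
  "endDateTime": "2024-07-13T09:00:00Z"},
 {"displayName": "Hyperproof secret (rotated)",
  "keyId": "00000000-0000-0000-0000-000000000002",
  "endDateTime": "2026-06-20T09:00:00Z"},
 {"displayName": null,
  "keyId": "00000000-0000-0000-0000-000000000003",
  "endDateTime": "2023-07-01T00:00:00.1234567Z"}
]""")

def parse_graph_time(value):
    """Parse a Graph UTC timestamp, dropping the optional fractional seconds."""
    trimmed = re.sub(r"\.\d+", "", value).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed).astimezone(timezone.utc)

def classify_secrets(credentials, now, warn_days=30):
    """Return (status, days_left, label) for each secret, soonest expiry first."""
    rows = []
    for cred in credentials:
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            status = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            status = "ROTATE_NOW"
        else:
            status = "OK"
        # Secrets created without a description are identified by key ID.
        label = cred.get("displayName") or cred["keyId"]
        rows.append((status, remaining.days, label))
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for status, days_left, label in classify_secrets(SAMPLE, datetime.now(timezone.utc)):
        print(f"{status:<10} {days_left:>5} days  {label}")
```

Run it on a schedule and alert on any `ROTATE_NOW` or `EXPIRED` row for the secret whose value is stored in Hyperproof; the other rows can be cleaned up in Entra.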
