SSO setup guide
Setting Up Single Sign-On with Azure AD (SSO)
If you are using NNTB, only links to the auth domain are on FaceUp. Other names could be what you want.
You can use an OIDC platform
- Sign in to Azure and go to "Azure Active Directory"
- Go to the "Overview" of your Default Directory
- Go to "App Registration" (Link located in footer of "Overview")
- Name it something along the lines of "FaceUp SSO" or "NNTB SSO" or what you like
- Set the Redirect URI to https://www.auth.faceup.com/oauth2/idpresponse (for US data hosting use https://www.us-west-1-auth.faceup.com/oauth2/idpresponse)
- Click “Register”
- Navigate To "Branding"
- Set Home page URL to https://www.admin.faceup.com/sso or https://www.admin.nntb.cz/sso or https://www.admin.nntb.sk/sso
- Save
- Navigate To API Permissions
- Click "Add Permission"
- Click “Microsoft Graph”
- Click "Delegated Permissions"
- Type "email" in search field and check "email"
- Type "offlineaccess" in search field and check "offlineaccess"
- Type "openid" in search field and check "openid”
- Type "profile" in search field and check "profile"
- Type "User" in search field and check "User.Read"
- Click "Add Permissions" (or “Update permissions”)
- Click "Grant Admin Consent for <your tenant name>" (Might Not Show Up Until We Setup the app)
- Navigate To "Certificates & secrets"
- Click "New Client Secret"
- Name it something along the lines of "SSO"
- Set Expiration to whichever suits your use case best
- Click "Add"
- Secret key will only be available just this once. Please temporarily copy it to a text file. Otherwise you need to create a new one next time.
- Navigate To "Overview"
- Temporarily Copy "Application (client) ID" to a text file
- Temporarily Copy "Directory (tenant) ID" to a text file
- Login to FaceUp/NNTB administration
- Navigate to "Settings"
- Click “Organization settings” (be sure to be an admin, having settings access, and in top organization in the list)
- In the "Single Sign-On" Form
- Set "Provider URL" to https://login.microsoftonline.com/<tenant>/v2.0 (Replace the <tenant> with the "Directory (tenant) ID" you copied to temporary text file from earlier)
- Set "Client ID" to the "Application (client) ID" you copied to temporary text file from earlier
- Set "Client Secret" to the "Client Secret" you copied to temporary text file from earlier
- Click “Save changes” (all existing users and new ones except yours will login with SSO, they will get notification email. They will be unable to login with their password right now, but only with AzureAD)
- Back In "Azure Active Directory"
- Navigate to Your "FaceUp SSO" (or "NNTB SSO" or name you have chosen) App if you're not already there
- Navigate To "API permissions"
- Click "Grant Admin Consent for FaceUp SSO" - the name could be different ("NNTB SSO" or name you have chosen) (Might Not Be There if Permissions Were Already Granted)
- You're Done! Users will need to login using the SSO Page (https://www.admin.faceup.com/sso or https://www.admin.nntb.cz/sso or https://www.admin.nntb.sk/sso)