SSO (Single Sign-On) is a method of signing your users into a service or a platform with an existing user base that your organization already has (e.g. Microsoft, Google).
There are several benefits of using such a service:
Your employees authenticate via one service.
Adding and removing employees from your organization can be done from your own user management tool such as Active Directory.
You may add an extra layer of security/limitation to your users via the service you are using, for example: add a user & groups under Azure.
Prerequisites
A. To get started, you need An Azure AD subscription. If you don't have a subscription, you can get a free account.
B. Eloops subscription.
Architecture/How it Works
Eloops uses Server-to-Server architecture. The client requests a sign-in/sign-up process with an invitation code and an e-mail. Eloops’ server will return the right way for the user to sign-in, in this case, a Microsoft Single-Sign-On Authentication URL. The user enters his credentials and authenticates with Microsoft (In the client). Sent the authorization-token to Eloops’ server for the rest of the process and wait for the server to return an answer. The hard work happens on the server. The following diagram illustrates the OAuth SSO flow.
A user launches the mobile app/ admin dashboard and enters the invitation-code (from his administrator/manager) and his work e-mail address, then submits a request to Eloops’ Server.
Eloops’ Server processes his request and returns a specific generated URL (specific to the organization).
Then the OAuth authorization screen appears. The user enters his Microsoft credentials and submits.
Once the user successfully authenticates, the Microsoft Authentication Server returns an authorization token.
The client sends a request to Eloops’ Server with the authorization token and waits for the server to process his request.
Eloops’ Server sends a token request, with the authorization code, to the Authorization Server.
The Authorization Server exchanges the authorization code for an OAuth access token and a refresh token, then send those tokens to Eloops’ Server.
Once Eloops’ Server receives those tokens back, it sends an access request to the Azure AD Server.
The Azure AD Server contacts the Authorization Server to validate the token and returns information about the user, including e-mail, first name, last name, and possibly the user phone number.
Eloops’ Server then either match that user to an existing user or create a new user under Eloops' Server and then allows access to the mobile app or Admin Dashboard.
App Registration Setup
In this section, you will configure the App Registration under Azure AD.
A. Login to Azure portal: https://portal.azure.com
B. Tap the Azure Active Directory button on the side menu, then select the App Registrations.
C. Tap the New Registration button.
A. At the name filed enter: Eloops
B. Under the Support account types section, select the Accounts in this organization as the only option.
C. Under the Redirect URI section, add the following redirect URIs:
1. https://app.eloops.com/auth/microsoftSso
3. https://msteams.eloops.com/msteams/auth/microsoftSso
D. Tap the Register button at the bottom.
*The URI type should be web.
Go back to the App Registration Screen and select the newly created app.
Tap the Branding button
A. Add the Eloops’ logo. You can download it here.
B. Home page URL: https://eloops.com.
C. Terms of Service: https://eloops.com/terms-of-service
D. Privacy Statement URL: https://eloops.com/privacy-policy
Tap the Certificates & secrets button, then select the New client secret button.
A. Add a description, to identify the new secret.
B. Under the expire section, select the option that fits your needs best.
C. Tap the Add button.
D. At the table you will notice a new secret token is now available. Make sure to copy the secret as you won’t be able to do it later.
E. Save the secret string for later. You will use it in the Eloops app setup.
Tap the API permissions button. You should give the appropriate permission to the app you are creating.
Eloops needs the following permissions
User.Read - Required with Admin consent
offline_access - Required with Admin consent
openId - Required with Admin consent
email - optional
A. Tap the Add a permission button.
B. Select the Microsoft Graph option, then select Delegated permissions, finally, search for the required permissions.
C. Add the following permissions:
User.Read
User.ReadBasic.All
email
offline_access
openid
D. Tap the Add permissions button.
Eloops App Setup (Network setup)
Eloops needs the following items to be able to connect and sync with Azure:
A. Application (Client) id. Go back to the App Registration, then tap the newly created app called ‘Eloops’, under the Overview section you should see the client-id.
B. The secret from the above step. In case you didn’t save it, tap the Certificates & secrets button, then generate a new secret.
C. Your tenant-id. Eloops uses the tenant-id for the authorization flow and to get a token from Microsoft. Eloops uses the tenant-id in the following URLs: https://login.microsoftonline.com/{tenant}/oauth2/authorize / https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Final Tests
To make sure the integration is working, create a new user (employee) under Azure. Make sure to have the same configuration as the rest of the users.
A. Open Eloops’ mobile application
B. Enter your application’s invitation code (You should find it under Eloops’ Admin Dashboard)
C. Enter the newly created Azure email address.
D. A Microsoft login page will be shown, enter the user’s credentials
E. You should be able to login successfully and see all Eloops’ information under your application/network
Next Step
Eloops also support Talent sync integration and SFTP sync integration. Please contact us for more information.