In this article
- What is Single Sign-On (SSO)?
- Supported Features
- Configure Single Sign-On (SSO) for Microsoft Azure
- Configure Single Sign-On (SSO) for Okta
- Configure Single Sign-On (SSO) for Okta from App Catalog
- Configure Single Sign-On (SSO) for Okta using Microsoft Azure
- Registering the App in Microsoft Azure
- Create a new Okta App Integration
- Adding Microsoft Azure as an identity provider in Okta
- Setting up Single Sign-On (SSO) for Ezekia
- Retrieving the Okta Client ID
- Generating and Retrieving the Okta Client Secret
- Retrieving the Okta Domain
- Retrieving the Okta IdP ID
- Sending the Redirect URIs to Okta
- Adding People to Okta to allow access
- Login using Single Sign-On (SSO) in Ezekia
- Single Logout (SLO)
- Renewing the Client Secret for Microsoft Azure
- Renewing the Client Secret for Okta
- Make SSO Mandatory for all users
What is Single Sign-On (SSO)?
Single sign-on is a highly secure user authentication process that allows a user to log in with a single ID and password to any of several related, yet independent, software systems.
Ezekia supports SSO and uses OpenID Connect (OIDC) to communicate with your Identity Provider (IdP). To provide single sign-on services for your domain, Ezekia acts as a service provider (SP).
Your users must have an active Ezekia account to use Single Sign-On (SSO).
Supported Features
The Ezekia OIDC SSO integration currently supports the following features:
- IdP-initiated SSO
- SP-initiated SSO
- SLO (Single Log Out)
Configure Single Sign-On (SSO) for Microsoft Azure
Registering the App in Microsoft Azure
1. Sign into your Microsoft Azure Account, then click on "Azure Active Directory".
2. Click on "App registrations", then "New Registration".
3. A page should appear asking you to "Register an application".
- Enter "name" as "Ezekia SSO".
- Click "Accounts in this organizational directory only (Default Directory Only – Single tenant)".
- Ignore the Redirect URI (optional) for the time being as we will come back to this later.
- Click "Register".
4. Sign into the Ezekia website using your email and password. Please note you must already be a registered user with Ezekia.
5. Navigate to the "Integrations" section of "Settings".
- Click on the burger menu in the top right and then click on "Settings".
- When done, click on "Integrations", then click the "Ezekia SSO" button.
6. For "Select Provider", click on "Microsoft Azure".
Retrieving the Client ID
7. Go to the "Ezekia SSO" App in Microsoft Azure, and copy the "Application (client) ID".
8. Paste the value in the "Client Id" field in Ezekia.
Generating and Retrieving the Client Secret
Please note that the "client secret" you submit below is securely encrypted in our database.
9. Go to "Certificates & Secrets" and click "New Client Secret".
10. When done, copy the "client secret".
11. Paste the value in the "Client Secret" field in Ezekia.
Retrieving the Well Known URL
12. Go to "Overview", then "Endpoints". Copy the value in "OpenID Connect metadata document".
13. Paste the value in the "Well Known URL" field in Ezekia. When done, press "Submit".
Sending the Redirect URIs to Microsoft Azure
14. You should now have a few redirect URIs showing on-screen and each of these will need to be copied to Microsoft Azure.
15. Go back to Microsoft Azure, click "Authentication", then "Add a platform". Then choose "Web".
16. Copy each of the Redirect URIs from Ezekia and paste into Microsoft Azure.
17. When done, tick "Access tokens" and "ID tokens". Then click "Save".
Login using Single Sign-On (SSO) in Ezekia
18. Click "Activate SSO" to enable single sign-on for your team.
19. Sign out of Ezekia. You should now be redirected to the login page of the website.
20. Click "Log in with Single Sign-On".
21. Enter your email address so Ezekia can retrieve your SSO connection details and then click "Log In".
22. Ensure you allow consent on behalf of your organization.
23. You should have now successfully signed in with Single Sign-On (SSO).
Configure Single Sign-On (SSO) for Okta
Create a new Okta App Integration
1. Sign into Okta, then click on "Applications", then "Applications", then click on "Create App Integration".
2. The "Create a new app integration" modal should now appear. For Sign-in method, choose "OIDC - OpenID Connect". For Application type, choose "Web Application". Click "Next".
3. Add "Ezekia" as the "App integration name". For "grant type", click to select "Client Credentials" and "Implicit (hybrid)".
4. Under "Assignments - Controlled Access", specify what level of access you want. Then click "Save".
Setting up Single Sign-On (SSO) for Ezekia
5. Sign into the Ezekia website using your email and password. Please note you must already be a registered user with Ezekia.
6. Navigate to the "Integrations" section of "Settings".
- Click on the burger menu in the top right and then click on "Settings".
- When done, click on "Integrations", then click the "Ezekia SSO" button.
7. For "Select Provider", click on "Okta".
Retrieving the Okta Client ID
8. In Okta, copy the "Client Id".
9. Paste the value into the "Client Id" field in Ezekia.
Generating and Retrieving the Okta Client Secret
10. Back in Okta, copy the "Client Secret".
11. Paste the value into the "Client Secret" field in Ezekia.
Retrieving the Okta Domain
12. Finally in Okta, copy the "Okta Domain".
13. Paste the value into the "Okta Domain" field in Ezekia.
14. There is no need to fill in the "Idp Id" field as we are not using an external identity provider. Press "Submit".
Sending the Redirect URIs to Okta
15. The submitted form should now return a list of both "Redirect URIs" and "Logout URIs". These are required to ensure the callback process between Ezekia and Okta is secure and successful.
16. Copy each one and paste it into Okta: navigate to "Applications", choose "Ezekia", then scroll down to "General Settings" and click "Edit".
Adding People to Okta to allow access
17. In Okta, go to "Directory", then "People", then click "Add Person". These people will be able to use their accounts to successfully sign into Ezekia. They must already have an Ezekia account set up.
Login using Single Sign-On (SSO) in Ezekia
18. Click "Activate SSO" to enable single sign-on for your team.
19. Sign out of Ezekia. You should now be redirected to the login page of the website.
20. Click "Log in with Single Sign-On".
21. Enter your email address so Ezekia can retrieve your SSO connection details and then click "Log In".
22. You should have now successfully signed in with Single Sign-On (SSO).
Configure Single Sign-On (SSO) for Okta from App Catalog
Install the Okta App from the App Catalog
1. Sign into Okta, then click on "Applications", then "Applications", then click on "Browse app catalog", and search for "Ezekia".
2. When selected, click "Add" to install into your Applications.
3. Then click "Done".
Setting up Single Sign-On (SSO) for Ezekia
4. Sign into the Ezekia website using your email and password. Please note, you must already be a registered user with Ezekia.
5. Navigate to the "Integrations" section of "Settings".
- Click on the burger menu in the top right and then click on "Settings".
- When done, click on "Integrations", then click the "Ezekia SSO" button.
6. For "Select Provider", click on "Okta".
Retrieving the Okta Client ID
7. In Okta, copy the "Client Id".
8. Paste the value into the "Client Id" field in Ezekia.
Generating and Retrieving the Okta Client Secret
9. Back in Okta, copy the "Client Secret".
10. Paste the value into the "Client Secret" field in Ezekia.
Retrieving the Okta Domain
11. Finally in Okta, copy the "Okta Domain".
12. Enter the value into the "Okta Domain" field in Ezekia.
13. There is no need to fill in the "Idp Id" field as we are not using an external identity provider. Press "Submit".
Adding People to Okta to allow access
14. In Okta, go to "Directory", then "People", then click "Add Person". These people will be able to use their accounts to successfully sign into Ezekia. They must already have an Ezekia account set up.
Login using Single Sign-On (SSO) in Ezekia
15. Click "Activate SSO" to enable single sign-on for your team.
16. Sign out of Ezekia. You should now be redirected to the login page of the website.
17. Click "Log in with Single Sign-On".
18. Enter your email address so Ezekia can retrieve your SSO connection details and then click "Log In".
19. You should have now successfully signed in with Single Sign-On (SSO).
Configure Single Sign-On (SSO) for Okta using Microsoft Azure
Registering the App in Microsoft Azure
1. Sign into your Microsoft Azure Account, then click on "Azure Active Directory".
2. Click on "App registrations", then "New Registration".
3. A page should appear asking you to "Register an application".
- Enter "name" as "Ezekia SSO".
- Click "Accounts in this organizational directory only (Default Directory Only – Single tenant)".
- Ignore the Redirect URI (optional) for the time being as we will come back to this later.
- Click "Register".
Create a new Okta App Integration
4. Sign into Okta, then click on "Applications", then "Applications", then click on "Create App Integration".
5. The "Create a new app integration" modal should now appear. For Sign-in method, choose "OIDC - OpenID Connect". For Application type, choose "Web Application". Click "Next".
6. Add "Ezekia" as the "App integration name". For "grant type", click to select "Client Credentials" and "Implicit (hybrid)".
7. Under "Assignments - Controlled Access", specify what level of access you want. Then click "Save".
Adding Microsoft Azure as an identity provider in Okta
8. Navigate to "Identity Providers", then, click on "Add Identity Provider", then select "Add OpenID Connect IdP".
9. Go to your Microsoft Azure Portal, and copy your "Client Id".
10. Then paste it into Okta.
11. Go back to your Microsoft Azure Portal, and create a "client secret".
12. Copy the "client secret" key from Microsoft Azure.
13. Then paste it into Okta.
14. Next, in the Microsoft Azure portal, click on "Overview", then "Endpoints". Copy the link under "OpenID Connect metadata document".
15. Paste the copied URL into a web browser.
16. Copy the above values and paste into the relevant fields in Okta. When done, click "Show Advanced Settings".
17. Click on "Redirect to Okta sign-in page" and then "Update Identity Provider".
18. Now that the identity provider has been configured, it should now display a "Redirect URI". Copy this value.
19. Back in Okta, click on "Authentication" and then "Add a platform". Choose "Web".
20. Paste the redirect URI in the "Redirect URIs" panel. Also, tick "Access tokens" and "ID tokens", then press "configure".
Setting up Single Sign-On (SSO) for Ezekia
21. Sign into the Ezekia website using your email and password. Please note you must already be a registered user with Ezekia.
22. Navigate to the "Integrations" section of "Settings".
- Click on the burger menu in the top right and then click on "Settings".
- When done, click on "Integrations", then click the "Ezekia SSO" button.
Retrieving the Okta Client ID
24. In Okta, copy the "Client Id".
25. Paste the value into the "Client Id" field in Ezekia.
Generating and Retrieving the Okta Client Secret
26. Back in Okta, copy the "Client Secret".
27. Paste the value into the "Client Secret" field in Ezekia.
Retrieving the Okta Domain
28. Finally in Okta, copy the "Okta Domain".
29. Paste the value into the "Okta Domain" field in Ezekia.
Retrieving the Okta IdP ID
30. Do the same for the "IdP ID" by navigating to "Security", then to "Identity Providers".
31. Paste the value into the "Idp ID" field in Ezekia. When done, press "Submit".
Sending the Redirect URIs to Okta
32. The submitted form should now return a list of both "Redirect URIs" and "Logout URIs". These are required to ensure the callback process between Ezekia and Okta is secure and successful.
33. Copy each one and paste it into Okta: navigate to "Applications", choose "Ezekia", then scroll down to "General Settings" and click "Edit".
Adding People to Okta to allow access
34. In Okta, go to "Directory", then "People", then click "Add Person". These people will be able to use their accounts to successfully sign into Ezekia. They must already have an Ezekia account set up.
Login using Single Sign-On (SSO) in Ezekia
35. Click "Activate SSO" to enable single sign-on for your team.
36. Sign out of Ezekia. You should now be redirected to the login page of the website.
37. Click "Log in with Single Sign-On".
38. Enter your email address so Ezekia can retrieve your SSO connection details and then click "Log In".
39. You should have now successfully signed in with Single Sign-On (SSO).
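A check for the "OpenID Connect metadata document" that the Microsoft Azure and Okta-using-Azure procedures above copy into the "Well Known URL" field and into Okta's identity provider form. This is an added example, not code from the original article, Ezekia or either provider; it goes beyond the click-through steps by validating the document before its values are pasted anywhere. `check_discovery`, `idp.example.com` and `tenant-placeholder` are constructed for illustration.

```python
from urllib.parse import urlsplit

SUFFIX = "/.well-known/openid-configuration"
# Discovery 1.0 fields, plus end_session_endpoint from RP-Initiated Logout 1.0.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
OPTIONAL = ("userinfo_endpoint", "end_session_endpoint")


def check_discovery(well_known_url, doc):
    """Return (values_to_copy, problems) for a parsed OIDC metadata document."""
    problems, values, expected_issuer = [], {}, None
    if well_known_url.endswith(SUFFIX):
        expected_issuer = well_known_url[: -len(SUFFIX)]
    else:
        problems.append("metadata URL does not end with " + SUFFIX)
    for name in REQUIRED + OPTIONAL:
        value = doc.get(name)
        if value is None:
            if name in REQUIRED:
                problems.append("missing required field: " + name)
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{name} is not an absolute https URL: {value}")
        values[name] = value
    # Discovery 1.0: issuer must equal the URL prefix the document was fetched from.
    if expected_issuer and doc.get("issuer") not in (None, expected_issuer):
        problems.append(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    return values, problems


# Constructed samples: idp.example.com and "tenant-placeholder" are placeholders.
BASE = "https://idp.example.com/tenant-placeholder"
GOOD_URL = BASE + "/v2.0" + SUFFIX
GOOD_DOC = {
    "issuer": BASE + "/v2.0",
    "authorization_endpoint": BASE + "/oauth2/v2.0/authorize",
    "token_endpoint": BASE + "/oauth2/v2.0/token",
    "jwks_uri": BASE + "/discovery/v2.0/keys",
    "end_session_endpoint": BASE + "/oauth2/v2.0/logout",
}
# Same document with a foreign issuer, a plain-http token endpoint and no keys.
BAD_DOC = {**GOOD_DOC, "issuer": "https://idp.example.net/other",
           "token_endpoint": "http://idp.example.com/token"}
del BAD_DOC["jwks_uri"]

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, check_discovery(GOOD_URL, doc))
```

To use it on a real tenant, save the JSON shown in the browser, load it with `json.load`, and pass it together with the metadata URL you copied; an empty problem list means the endpoint values are consistent with that URL.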
Single Logout (SLO)
Single Logout (SLO) is a feature where end users can sign out of both their identity provider session and Ezekia. Click here to log out of Ezekia if you are experiencing issues.
IMPORTANT! When you finish using the computer you must ensure that you have logged out from each Single Sign-On service you have used in the session AND also log out from the Single Sign-On system itself.
Renewing the Client Secret for Microsoft Azure
1. In Microsoft Azure, go to "Certificates & Secrets" and click "New Client Secret".
2. Enter a description and set an expiry date for the client secret.
3. When done, copy the "client secret".
4. Sign into Ezekia, go to your SSO settings and paste your new client secret, then click 'update'.
5. Your client secret has now been updated.
Renewing the Client Secret for Okta
1. In your Okta account, go to Applications and choose the Ezekia application.
2. Click 'Generate new secret' and copy it.
3. Sign into Ezekia, go to your SSO settings and paste your new client secret, then click 'update'.
Make SSO Mandatory for all users
IMPORTANT! Before enabling this feature, you must test that SSO is working correctly and ensure all users are enabled for SSO on your identity provider.
If you require all users in your firm to sign into Ezekia using SSO only, you will need to enable the 'Make Single Sign-On (SSO) Mandatory?' button in Settings > Global > Security.
Please note that if your organization uses Single Sign-On (SSO) with 2FA enforced by your identity provider, you will not be required to set up or use Ezekia’s 2FA.