Wait... what's Indigo SSO?
Single Sign-On (SSO) is a fantastic remedy for login fatigue, and it's available to Indigo users!
By using just one set of credentials across multiple software systems, SSO not only saves time but also enhances security and simplifies software adoption.
The Procedure
⚠️ Important: Before initiating the SSO configuration process within the Indigo platform, ensure that you've completed the necessary steps in your Microsoft Entra ID tenant (formerly known as Azure Active Directory).
To find out why configuring your Microsoft Azure tenant is a crucial step, click here.
Configuring Single Sign-On (SSO) for Indigo involves three steps:
Integrating your Microsoft Entra ID Identity Provider (IdP) with Indigo;
Granting Indigo the permission to access the users you've set up in a specific security group on your IdP;
Enabling SSO logins from Administration > Main > Settings.
An optional fourth step lets you enforce SSO on any of your domains for logins made through a browser.
Once you complete the first two steps, Indigo will be able to integrate your employees' IdP users and automatically link them with their corresponding Indigo user profiles.
Once you've done that, all that's left is enabling the feature by ticking the appropriate checkbox in the settings.
Note: To set up Indigo using the steps mentioned above, you'll need the Foundation_InstallationTenant permission. This permission works at the tenant level, allowing you to also configure identity providers for other domains within your tenant.
Step 1: Setting up the Identity Provider
The initial step in the configuration process involves setting up an IdP on Indigo.
From Indigo, go to Administration > Main > Identity Providers.
When you first access this screen, it will be empty since no IdPs will have been set up yet. To start, give your IdP a name and click Next.
Note: assigning a name to your IdP is a required step. You're free to choose any name, but it's advisable to select one that reflects the Identity Provider, especially if you plan to set up multiple providers.
Fill in the fields in the screen below, then click Next.
Note 1: to retrieve the majority of data required for this step, you need to configure Microsoft Entra ID. To learn how, click here. By default, the Group Name is filled in as Indigo Suite, but this can be changed to any other name. It must be the same as the security group in your Microsoft Entra ID tenant in which you have stored all of your employees' users.
Note 2: if you wish to ensure that the Client Secret you've entered has the correct character format, you can click Validate.
Clicking Next will prompt a blue text box to appear. This box will provide you with instructions to verify your domain. Once verification completes at the end of this step, your domain ownership is verified as well.
After step 4, click Submit. A modal will appear, signalling the start of the automated domain verification process. Note: for your convenience, you can also find the TXT record in this modal, beneath the gif.
Please be patient as, in rare cases, this process may take up to 48 hours. Periodically, click Check again to monitor progress.
If you close this window, switch off your system or disconnect from the internet before this process is completed, you can restart the process by clicking the lilac refresh ↪️ button on the IdP's card in Administration > Main > Identity Providers.
A drawer version of the window with the gif and TXT record will emerge from the right side of your screen.
Finally, you'll know the process is complete when clicking Check again reveals the success confirmation screen displayed below. From here, click Confirm.
✅ Success! Your new Identity Provider has been set up. You can find it the next time you navigate to Administration > Main > Identity Providers in Indigo.
To set up another Identity Provider, restart the process by clicking Add another Identity Provider, highlighted in the screenshot above.
Step 2: Linking users in your Identity Provider to Indigo
After setting up the Identity Provider, the next step is to map your employees to their corresponding Indigo Users.
Note: Before proceeding with this step in Indigo, ensure that these employees' user profiles have been placed in a designated security group within your Microsoft Entra ID. The security group needs to have the exact same name that you specified in the Group Name field (check step 1, no. 3).
If you haven't created this group of users on Microsoft Entra ID yet and need some help, find out how here.
Furthermore, for each user, Microsoft Entra ID lets you save both an email address and the User Principal Name. It is important to tell Indigo which of these two you want it to link users to before starting the next step (User Provisioning). To do this:
Click the three-dot menu button in the card's top right corner, followed by Settings.
Select your Preferred Username.
Click Submit.
Important: Once you have provisioned your first user, this setting will be locked and greyed out. It will become available again if all provisioned users are unlinked.
1. Start by heading to Indigo, then Administration > Main > Identity Providers.
2. Find the correct Identity Provider and click the three-dot menu button in the top right corner of its card, followed by User Provisioning.
3. The following screen will appear. Please wait for the process to finish.
During this time, the system will be trying to match each user profile in your Indigo Suite security group in Entra ID with the following criteria, in order:
• Indigo Username;
• Indigo User Profile Email;
• Work Email.
4. A grid listing all the users you've added to the Microsoft Entra ID security group will load. Please review it to ensure that all your desired users have been linked correctly without any issues.
Should none of the three Indigo parameters correspond to a user's characteristics within the security group of Microsoft Entra ID, the User Link column in the grid will not be populated for that individual.
⚠️ Warning: users that do not come up in the list will probably not have been entered into your Indigo Suite security group within Microsoft Entra ID. Additionally, if the above grid did not appear at all, double-check the data inserted in the fields during the initial configuration steps.
Note: For your convenience, the Link Users grid also comes equipped with filtering options, a search bar, and several tags denoting the various statuses users in the grid can have, described at the bottom:
• Users already linked (Green ✅): These users have been successfully linked in a previous session. No further action is needed as they are already linked.
• Users not linked (Yellow ⚠️): Indicates that there is no Indigo User linked to this entry. Take action to resolve the linking, or leave it blank to create a new user (refer to the methods described in point 5).
• New Users linked (Blue): This indicates a new link created during the ongoing provisioning process. It occurs when you manually address a yellow (unlinked) user and link it to a user, or when you make a change to a green (already linked) user (for more details on how, see 5a).
• New Azure users (Clear / grey): These users were originally unlinked and left blank, and have now been automatically created and linked (for more details, see 5b).
5. Resolve unlinked users (if any) in your list. There are two ways to do this:
a. Manually link your unlinked users:
Click on the user's search field under the User Link column, as highlighted in the last screenshot.
Begin typing the email address of the corresponding missing employee and select the correct email from the dropdown that appears.
Once you've done this for all desired unlinked users, click Next.
⚠️ At this stage, manually inserting the wrong email might give confidential data access to the wrong user! Check each email BEFORE hitting Next. ⚠️
⚠️ If a user is linked to the wrong address, they will need to be manually unlinked and relinked. Here's how. ⚠️
b. Let Indigo create user profiles for your unlinked users:
Leave the User Link fields blank for the unlinked users, then click Next. This will prompt Indigo to automatically create new user profiles for them.
On the next screen, attach the newly created Indigo users for the unlinked users to one or any of your companies registered on Indigo. Do this by ticking the companies as needed.
When done, click Finalise.
✅ Congratulations: You have completed the linking process. The following screen is the final one, confirming the successful linking of your users and indicating how many of them were linked.
You can now click Close Window and proceed to the final step.
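The matching order described in Step 2 can be rehearsed offline before you open User Provisioning. The script below is an added example, not part of Indigo or of the original article: it takes constructed exports of the Entra ID security group and of the Indigo user list and predicts which entries will link, which will stay unlinked, and which deserve a manual check. The field names, the case-insensitive comparison, and the "ambiguous" and "collision" statuses are assumptions made for this illustration.

```python
# Added example (not Indigo code): dry run of the Step 2 matching order.
# Field names are hypothetical export columns; case-insensitive matching is an assumption.
MATCH_ORDER = ("username", "profile_email", "work_email")  # order given in the article


def norm(value):
    return (value or "").strip().lower()


def dry_run(entra_members, indigo_users, preferred="upn"):
    """Return {entra identifier: (status, matching Indigo ids, matched field)}."""
    report, claimed = {}, {}
    for member in entra_members:
        key = norm(member.get(preferred))  # "upn" or "mail", the Preferred Username
        result = ("unlinked", (), None)
        for field in (MATCH_ORDER if key else ()):
            hits = tuple(u["id"] for u in indigo_users if norm(u.get(field)) == key)
            if hits:
                # Several Indigo profiles for one identifier need a human decision.
                result = ("linked" if len(hits) == 1 else "ambiguous", hits, field)
                break
        report[key] = result
        if result[0] == "linked":
            claimed.setdefault(result[1][0], []).append(key)
    # Two Entra identities resolving to one Indigo profile is a mis-link risk.
    for user_id, keys in claimed.items():
        if len(keys) > 1:
            for key in keys:
                report[key] = ("collision", (user_id,), report[key][2])
    return report


# Constructed sample data, not taken from any real tenant.
INDIGO_USERS = [
    {"id": 1, "username": "a.rossi@example.com", "profile_email": "a.rossi@example.com", "work_email": ""},
    {"id": 2, "username": "mbianchi", "profile_email": "", "work_email": "m.bianchi@example.com"},
    {"id": 3, "username": "shared1", "profile_email": "ops@example.com", "work_email": ""},
    {"id": 4, "username": "shared2", "profile_email": "ops@example.com", "work_email": ""},
]
ENTRA_MEMBERS = [
    {"upn": "A.Rossi@example.com", "mail": "a.rossi@example.com"},
    {"upn": "m.bianchi@example.com", "mail": "m.bianchi@example.com"},
    {"upn": "ops@example.com", "mail": "ops@example.com"},
    {"upn": "new.hire@example.com", "mail": "new.hire@example.com"},
]

if __name__ == "__main__":
    for identifier, outcome in dry_run(ENTRA_MEMBERS, INDIGO_USERS).items():
        print(identifier, outcome)
```

Entries that match only on Work Email, or that the script reports as ambiguous or collision, are the ones to check by hand in the Link Users grid before clicking Next.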
Step 3: Enabling Indigo SSO from Settings
If you've followed this guide from beginning to end, by this point you'll have successfully:
✅ Configured your Identity Provider on Indigo, granting the necessary permissions and setup for retrieving the users you've organised in a specific security group on Microsoft Entra ID;
✅ Completed the process to integrate them into Indigo and match them with their corresponding Indigo users.
In this case, all that remains is switching on SSO from Indigo itself.
Go to Administration > Main > Settings.
In the toolbar, click Edit.
Under Settings tick Enable SSO.
Back in the toolbar, click Save.
Now, all linked users will be able to use the Microsoft button on the login screen to sign in to Indigo using SSO.
(Optional) Step 4: Enforce SSO (on Browser)
Once you have configured SSO for Indigo and ensured that it is working correctly for your users, you may opt to enforce SSO logins to Indigo, barring any other sign-in methods. We recommend that you do this because it enhances security and streamlines your management of users and system logins.
This setting is configured per IdP from its respective card in Administration > Main > Identity Providers.
Click the three-dot menu button in the card's top right corner, followed by Settings.
Click the Enforce Identity Provider toggle to turn it on. To turn it off, click it again.
After changing the setting, click Submit.
Once this setting is on, all users set up on that IdP's verified domain must use SSO to log in to Indigo. For example, if the enforced IdP has the domain BestDomain, all users with @BestDomain in their username must use SSO.
Any user that tries to log in to Indigo without SSO despite it being enforced will encounter the following error:
Note: By default this setting is off for all configured IdPs. When switched on, it will only affect browser logins.