Wait... what's Indigo SSO?
Single Sign-On (SSO) is a fantastic remedy for login fatigue, and it's available to Indigo users!
By using just one set of credentials across multiple software systems, SSO not only saves time but also enhances security and simplifies software adoption.
My Microsoft Entra ID is already set up.
Great! You're ready to start configuring Indigo SSO directly from the Indigo Platform. For assistance with this procedure, you should check out our step-by-step guide.
As you progress through the steps in the guide, you will need to provide some data, which is described in this article. For your reference, it's a good idea to keep this article open and handy as well.
Since Indigo SSO is configured from the Indigo Platform, why don't you hop on over there, log in and...
Why configure your Microsoft Entra ID ahead of Indigo SSO setup?
Before you jump into setting up SSO through Indigo, it's essential to ensure your Microsoft Entra ID tenant (which used to be known as the Azure Active Directory) is ready to roll. If you're just beginning the configuration of your Identity Provider (IdP) on Azure, this article will be a great companion.
Read on to learn how to set up the environment and gather important data necessary for the eventual setup of Indigo SSO.
Why is this step so crucial?
We'll need some key information from your end to establish your IdP on our system.
You also need to set up a few permissions on Microsoft Azure so that Indigo can seamlessly link your employees' Entra ID users to their Indigo users.
Finding the required data (App Registration)
Part of the Indigo SSO setup requires you to provide the data shown below, so as to establish your Identity Provider (IdP) in Indigo.
For your reference, you'll need this specific data in Step 3 of the first part of the procedure Setting up the Identity Provider. If you haven't configured your Microsoft Entra ID environment yet, getting this data might take some effort.
Keep reading for a detailed description of what data you'll need, how to generate it and where to find it for this step.
Tenant ID and Name
These are identifiers for your Microsoft Entra ID tenant. You can find these in the tenant properties within your Azure subscription.
Client ID and Client Secret
You can locate these within the Entra ID Portal from the App Registrations section, once you register an app for this process.
To configure App Registration:
After logging in to Microsoft Azure, navigate to Microsoft Entra ID (formerly Azure Active Directory).
Select App Registrations.
Select New registration.
Enter the desired name for the application, for example 'Indigo Suite.'
Select the 'Accounts in this organizational directory only (Tenant Name only - Single tenant)' option.
Click the Register button.
Take note of the Application (client) ID and the Directory (tenant) ID since these will be required in the next steps.
In the newly registered app (named 'Indigo Suite' in step 4), navigate to Certificates & secrets.
Click New client secret, provide a description (such as 'Indigo Suite') and set an expiry for the secret (minimum recommendation is 12 months).
Click Add.
Warning: It's crucial to take note of both the Value and Secret ID because once you close this blade, they will no longer be visible. Once a secret is created, the details are shown on creation only!
Updating Expired Client Secrets
Updating Expired Client Secrets
As a security measure, client secrets are set to expire after a duration determined by you.
Once the secret you are using for your configured IdP in Indigo expires, it is crucial to generate a new client secret following the procedure above, starting from step 8. Afterwards, you will need to update the client secret in the IdP in Indigo as well, otherwise, your users won't be able to log in to Indigo via SSO.
To do this:
Locate the corresponding IdP's card in Indigo under Administration > Main > Identity Providers.
Click the Kebab Menu in the top right of the required IdP's card, followed by Edit.
Depending on the verification status of the IdP's domain, one of two things will happen next.
If verified, the following modal will open, giving you the option to only edit the client secret. Insert the new client secret in the space provided and press Submit.
If pending verification, a modal more similar to the original setup wizard will open, giving you the option to edit several other data values. Update the client secret, beside other potentially required modifications to the data, and click Validate.
Note: This will simultaneously update any data you have changed and restart the domain verification process.
In either scenario, make sure the new client secret you insert is precise and of the correct length; otherwise, an error will occur, preventing you from proceeding.
π‘ Tip: With Microsoft Entra ID, you can juggle multiple client secrets simultaneously, so there's no need to wait for one to expire before creating another. To guarantee your users' ongoing access to Indigo through SSO, take advantage of this fact and be proactive, π§ updating your client secrets ahead of their expiration.
Permissions Setup
Indigo requires permission to access the security group in your tenant that contains the employee users you wish to grant SSO access. With this permission, Indigo will read the employee information from this group and integrate it with their Indigo users. If this security group is not yet set up, you will create it in the next section within your Entra ID tenant.
The image below illustrates the necessary permissions that need to be granted from your end.
To set up the permissions as shown:
Access the API permissions section within the Indigo Suite app (which should have been registered using the process above).
Click on the Add a permission button.
Select Microsoft Graph.
Select Application permissions.
Here we need to add two application-type permission sets: GroupMember.Read.All and User.Read.All.
β’ Type in GroupMember and select the GroupMember.Read.All checkbox.
β’ Type in User.Read and select the User.Read.All checkbox.
Click the Add permissions button.
Click on the Grant admin consent for Tenant Name and confirm by clicking Yes.
β
π Security Tip: Please be advised that the permissions set up in this step pose no security risk.
They are designed exclusively for the Indigo SSO integration, allowing Indigo to read information without edit capabilities.
This access is limited to the specified security group, which remains under your management and moderation.
User Group Setup
To let Indigo use the granted permissions and access your employees' IdP user profiles for mapping, it's essential to establish a security group with your choice of name and include the relevant user profiles within it. Note: This name must eventually match with the Group Name you specify when configuring your IdP in Indigo (step 1, no 3).
I'm done! What now?
Great work! By completing these three steps, your Microsoft Entra ID environment is now fully set up to facilitate the configuration of Indigo SSO from the platform itself.
For further guidance, refer to our detailed tutorial.
As you progress through the steps in the guide, you will need to provide some data, which is described in this article. For your reference, it's a good idea to keep this article open and handy as well.
Ready to configure Indigo SSO? Simply log in to the Indigo and proceed from there!
Related articles: