Microsoft Entra ID SSO

This guide details how to set up Microsoft SSO integration in Wristband.

📘 Microsoft Entra ID Support

Wristband supports the following security protocol for Microsoft SSO:

  • OIDC

Each tenant can have unique Microsoft SSO identity providers. Configuration is done at the Tenant Level in the Wristband dashboard, with activation on a per-tenant basis.

Setting Up a Tenant-level Microsoft SSO Integration

The steps below set up a Microsoft SSO integration for a single tenant in Wristband.

1. Locate Your External IDP Callback URL

  • In the Wristband dashboard, enter Tenant View for the tenant.
  • Navigate to Identity Providers > Enterprise.
  • Select the Microsoft provider icon and click "Create IDP."

Copy the "Redirect URL" from the form.

External IDP Callback URL

2. Sign Up For An Account

Create a Microsoft account here. Fill out the form and proceed to the Microsoft Azure dashboard.

3. Copy Your Tenant Identifier

In the Azure dashboard, search for the Microsoft Entra ID service.

🚧 Select the Appropriate Tenant

Ensure you switch to the appropriate tenant if needed.

Search for Microsoft Entra ID

Copy the "Tenant ID" from the Entra ID Overview page.

Tenant ID

4. Register a New Application

Click on "App registrations" in the side navigation. Then, click "New registration."

App Registrations

Fill out the following fields:

  • Name: Any appropriate value.
  • Supported account types: Select Accounts in this organizational directory only (Default Directory only - Single tenant).
  • Redirect URI: Select the Web platform option and paste the External IDP Callback URL from step 1.

Create App Registration

Click "Register" to complete registration. You will be directed to the app registration's Overview page.

5. Get the Client Information

Copy the "Application (client) ID" (Client ID) from the app registration's Overview page.

Client ID

Click on "Certificates and secrets" in the side navigation. Click "New Client Secret" to create a client secret.

Certificates and Secrets

Provide values for the form, selecting a larger "Expires" value if preferred.

Add Client Secret

Copy the "Value" (not the "Secret ID") of the newly created client secret immediately; Azure does not display it again after you leave the page.

6. Configure the Groups Claim (Optional)

To use Microsoft's Groups with Wristband's Role Mapping, configure your Microsoft application to include a "Groups" claim in the ID token.

Click on "Token configurations" in the side navigation. Then, click "Add groups claim."

Token Configurations

In the Edit group claims section, provide the following:

  • Select Security Groups for "Select group types to include in Access, ID, and SAML tokens".
  • Select Group ID under the "ID" accordion dropdown in "Customize token properties by type".

Edit Group Claims

Click "Save" to complete the configurations.

7. Create a Microsoft IDP in Wristband

Return to the Create External IDP Modal in the Wristband dashboard. Fill out the form with the following values:

  • IDP Name: Any value desired (must be unique within the tenant).
  • Display Name: Any value desired; "Microsoft" is a safe default.
  • Microsoft Tenant Id: The Tenant ID from step 3.
  • Client ID: The Client ID from step 5.
  • Client Secret: The Client Secret from step 5.

Click "Create" to finish. The Microsoft External IDP will be in an ENABLED status.

Create IDP

8. Enable Tenant Overrides for IDP

Enable identity provider overrides for the tenant in the Wristband dashboard:

  • Navigate to Tenant Settings.
  • Scroll to Override Configurations.
  • Enable "Identity Providers" overrides.

🚧 Overriding Identity Providers

This will override ALL identity providers from the Application Level for the tenant.

The Microsoft Enterprise SSO integration is now complete. Users will see a Microsoft login button on the Tenant-level Login Page.

Microsoft Login Button
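To confirm the setup took effect, the claims of an ID token issued by the new app registration can be checked against the Tenant ID (step 3), the Client ID (step 5) and the Groups claim (step 6). The Python below is an added example, not Wristband or Microsoft code. It decodes the payload for inspection only, without verifying the signature, and the IDs and tokens in it are constructed placeholders. The claim names (`tid`, `iss`, `aud`, `groups`, `_claim_names`, `hasgroups`) are the ones Microsoft documents for Entra ID tokens.

```python
import base64
import json
import re

GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def decode_payload(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    segment = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_claims(claims, tenant_id, client_id):
    """Return findings; an empty list means the token matches the setup steps."""
    findings = []
    issuers = {f"https://login.microsoftonline.com/{tenant_id}/v2.0",
               f"https://sts.windows.net/{tenant_id}/"}  # v2.0 and v1.0 issuer forms
    if claims.get("tid") != tenant_id or claims.get("iss") not in issuers:
        findings.append("tid/iss: token is not from the tenant in step 3")
    if claims.get("aud") != client_id:
        findings.append("aud: token was not issued to the client ID in step 5")
    groups = claims.get("groups")
    if "groups" in claims.get("_claim_names", {}) or claims.get("hasgroups"):
        # Entra omits the list when the user is in too many groups to fit.
        findings.append("groups: overage, membership was left out of the token")
    elif groups is None:
        findings.append("groups: claim absent (step 6 not applied, or no security groups)")
    elif not all(isinstance(g, str) and GUID.match(g) for g in groups):
        findings.append("groups: values are not object IDs; select 'Group ID' in step 6")
    return findings

def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"e30.{body}.constructed"

# Constructed placeholder values, not real identifiers.
TENANT = "11111111-1111-1111-1111-111111111111"
CLIENT = "22222222-2222-2222-2222-222222222222"
BASE = {"tid": TENANT, "aud": CLIENT,
        "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0"}
GOOD = make_token({**BASE, "groups": ["33333333-3333-3333-3333-333333333333"]})
OVERAGE = make_token({**BASE, "_claim_names": {"groups": "src1"}})
NO_GROUPS = make_token(BASE)

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("overage", OVERAGE), ("no groups", NO_GROUPS)]:
        print(name, check_claims(decode_payload(tok), TENANT, CLIENT) or "OK")
```

An overage finding means role mapping based on the Groups claim will see no groups for that user, even though step 6 is configured correctly.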