Microsoft Office 365 (OAuth2.0 SSO)

Learn more about the functions and configuration of Microsoft SSO.

Prerequisite
You must be a company admin at Flexopus.

Note
With Microsoft OAuth SSO, you basically allow login for all users in the world who have a Microsoft O365 account.

Important!
With the additional setting option "List of allowed domains for SSO", you can restrict the login to certain email domains.
For example, add flexopus.com to only allow ...@flexopus.com email addresses. Email address and name are the only user details transmitted.

Please check in advance whether you want to use this simple configuration variant. We generally recommend connecting to a Microsoft Active Directory via SAML2: https://help.flexopus.com/en/integration-microsoft-active-directory

How does Microsoft SSO work?

We have a globally registered OAuth2 app with Microsoft. This means that we have our own App-ID and App-Key (Secret). These are used to authenticate Flexopus with Microsoft. When logging in with Flexopus for the first time, a company admin has to unlock this app for the company. This then allows users of the company to log in. However, after a user has been successfully authenticated, Flexopus only receives the standard data, such as name and email, as is the case with other SSO providers.

How do you activate SSO?

During the setup process, we activate the interface for MS365 SSO for your cloud tenant and restrict the login option to email addresses with the domain @company.com. Afterwards, your employees should be able to authenticate themselves directly with their MS365 access data. When they log in for the first time, Flexopus automatically creates a new user with name and email address in the backend. You can then subsequently assign special rights (e.g. Location Manager, Admin) or assign user groups to the user. An authentication check is carried out for each subsequent login.

Tip: You can test the login process via SSO in advance in our demo tenant. To do so, open the URL demo.flexopus.com and click on the Microsoft button. Then log in with your personal MS365 credentials. If this works, all settings on your side are already suitable.

Step-by-step guide

Step 1: Activate Microsoft SSO

Prerequisite: You must be a Flexopus administrator.

  1. As an admin, you can activate "Microsoft SSO (OAuth 2.0)" in the Flexopus admin area under Settings > Single Sign On / Integrations.
  2. With the additional option "Use UPN as email" you can decide how the user attributes should be linked:
  3. Set the permitted domains in "List of allowed domains for SSO". Email addresses from domains that have not been entered are automatically rejected by Flexopus.
  4. (Optional) In "Require existing user profile to log in through SSO", you can specify that users can only log in with an existing account. After activation, application access is restricted to existing user accounts. New users must be added manually.
  5. Save your changes.
    [Image: Activation Microsoft SSO (OAuth2.0)]
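The following is an added example, not Flexopus code: a sketch of how a domain allow-list and the "require existing user profile" option can be evaluated for a verified email claim. The names `SsoSettings`, `email_domain` and `decide_login` are hypothetical, the addresses are constructed, and rejecting everyone when the list is empty is a choice made for this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class SsoSettings:
    # Hypothetical model of two options from Step 1 of this guide.
    allowed_domains: Set[str] = field(default_factory=set)
    require_existing_user: bool = False


def email_domain(email: str) -> Optional[str]:
    """Return the normalized domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    # Reject a missing "@", an empty local part, or a second "@" that could
    # hide a different domain in front of an allowed one.
    if not sep or not local or "@" in local:
        return None
    domain = domain.rstrip(".").lower()
    return domain or None


def decide_login(email: str, settings: SsoSettings, existing_users: Set[str]) -> str:
    """Return 'reject', 'login' or 'create' for an email claim from the IdP."""
    # Accept entries written as "flexopus.com" or "@flexopus.com".
    allowed = {d.strip().lstrip("@").rstrip(".").lower()
               for d in settings.allowed_domains}
    domain = email_domain(email)
    # Exact match only: a suffix or substring test would let look-alike
    # domains through. An empty list rejects everyone (assumption of this sketch).
    if domain is None or domain not in allowed:
        return "reject"
    if email.strip().lower() in existing_users:
        return "login"
    return "reject" if settings.require_existing_user else "create"


if __name__ == "__main__":
    settings = SsoSettings(allowed_domains={"flexopus.com"})
    users = {"alice@flexopus.com"}  # constructed sample data
    for addr in ("Alice@FLEXOPUS.com", "bob@flexopus.com",
                 "bob@notflexopus.com", "bob@flexopus.com.example.net",
                 "bob@mail.flexopus.com", "bob@example.org@flexopus.com"):
        print(f"{addr:32} -> {decide_login(addr, settings, users)}")
```

Subdomains such as mail.flexopus.com are rejected here unless they are listed explicitly.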

Step 2: Login via Microsoft

  1. Click on the Microsoft button in the Flexopus login area.
  2. To log in successfully, enter your Microsoft credentials in the login form that opens.
  3. Accept the requested permissions from Flexopus.

[Image: Microsoft button in the Flexopus login area]

 

[Image: Requested permissions]
