
OpenID Connect (OIDC) SSO Configuration with Simpplr


Overview

As part of our ongoing efforts to provide flexible and secure authentication options, we are excited to announce the integration of OpenID Connect (OIDC) Single Sign-On (SSO) alongside our existing SAML 2.0 SSO capabilities. This dual SSO support enhances the ability of our customers to seamlessly integrate with a wider range of Identity Providers (IdPs).

Now, our customers can choose between using SAML 2.0 or OIDC for authentication, depending on their specific requirements and the type of Identity provider they use.

SAML vs OIDC

Both SAML and OIDC provide the same core Single Sign-On (SSO) functionality, meaning they both allow you to log in once and then access multiple services or apps without needing to enter your credentials again. The difference lies only in how these two are set up and how the protocols work behind the scenes.

Check out this page to learn more about SAML SSO.

We support multiple SSO configurations, using both SAML and OIDC.

Key highlights

Supported SSO providers

  • Simpplr supports OIDC SSO integration with:

    • Okta

    • Microsoft Entra

    • OneLogin

    • Google

    • Custom SSO

Workday doesn't support OIDC.

  • With multiple SSOs, any combination of multiple SSOs and multiple instances of any SSO can be configured.

  • There is a limit of 15 SSOs that can be added at a time.

Adding SSO

You must be the Microsoft Entra admin and the Simpplr Application manager to configure Microsoft Entra SSO.

Keep your tenant setting under Security → External IDP → Login Type set to "Use SSO and non-SSO login" until you have successfully set up and tested SSO; otherwise you may get logged out.

SSO Configuration

Create App registration

  1. Go to https://portal.azure.com/

  2. Navigate to App Registrations, then make sure you're in All applications.

  3. Click the New Registration button at the top of the menu.

  4. Name it anything you'd like, as long as you remember it. We recommend going with 'Simpplr Intranet' or something simple. Then click Register. This should take about 15-20 seconds to save.

Note: You can change the name of the app and logo later on in the Manage > Branding & properties menu.

  5. Copy the Application (client) ID from Overview and keep it with you; it will need to be added to the Simpplr configuration.

  6. Click Manage > Certificates & secrets > New client secret.

  7. Add the name and duration of the secret and click Add.

Note: Set a reminder in your calendar to rotate the secret before it expires.

  8. Copy the secret value and keep it with you; it is visible only once and will need to be added to the Simpplr configuration.

Configure Your Intranet with Entra ID

  1. Open a new tab in your browser and log in to your Simpplr tenant as the Application manager.

  2. Go to Manage > Application > Security > External IdP (SSO).

  3. Click Add > Microsoft.

  4. Select OIDC using the radio button.

  5. Input each value with the applicable details:

    • Name: This is the display name for the SSO integration, visible on the page. Choose a clear and descriptive name that distinguishes it from other SSO options.

    • Sign in text: This text displays on the login page. You can provide any custom text.

    • Discovery document URL, Issuer, Authorize endpoint URL, Token endpoint URL, User info endpoint URL and Client authentication are populated automatically for Microsoft Entra; no changes are required here.

    • Consumer key: Enter the Application (client) ID from Microsoft Entra.

    • Consumer secret: Enter the client secret.

    • Scope: The scope is auto-populated for Microsoft Entra; leave it as is.

    • Enable SLO: Described in the SLO Configuration section.

    • Select a login identifier: Select at least one login identifier that users will use to log in to the Simpplr application. Choose any of the available identifiers supported by Microsoft Entra ID.

    • Enable JIT provisioning: Enable this if you want new users to be provisioned from Microsoft Entra ID at the time of login. This is optional.

    • Enable JIT Syncing: Enable this if you want existing users to be synced from Microsoft Entra ID at the time of login. This is optional.

Configure Entra ID SSO with Simpplr Information

  1. Back in your Entra ID instance, from your newly created app, select Overview → Add a Redirect URI.

  2. Click Add a Platform and select Web.

  3. Copy the Redirect URI from the Integration details page, paste it under Redirect URI and click Configure.

Your SSO is now ready for testing.

  1. Open a new incognito tab.

  2. Go to your Simpplr tenant home page.

  3. Click the Login with SSO button.

SLO Configuration

Overview

Single Logout (SLO) for OpenID Connect (OIDC) allows users to log out from all connected applications when they log out from the Identity Provider (IdP), ensuring a seamless and secure session termination. This guide provides step-by-step instructions for configuring OIDC-based SLO in Azure Active Directory (Azure AD).

Prerequisites

  1. Azure AD Premium P1 or P2 subscription.

  2. Admin access to Azure AD.

  3. The application must be registered in Azure AD and support OIDC authentication.

  4. Access to the Application (Client) ID and Tenant ID from Azure AD.

Steps

  1. Sign in to the Azure Portal

    • Go to Azure Portal

    • Navigate to Azure Active Directory → App registrations

  2. Select Your Application

    • Find and select the OIDC-based application you want to enable SLO for.

  3. Navigate to the Single Sign-on option in the selected application and get the Discovery Endpoint for the Azure application.

  4. Create or edit an OIDC application based on the Azure IdP and enable the Azure application SLO for the OIDC application in Simpplr.

  5. Fields

    1. Identity Provider Single Logout URL - This field is populated automatically if the discovery endpoint is already present; otherwise the endpoint can be fetched manually from the discovery document:

      https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

    2. Custom Logout URL - If the logout process completes successfully, the system will redirect the user to this URL.

      • Example: Redirects to youtube.com.
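The fields the form fills in from the Discovery document URL (Issuer, Authorize, Token and User info endpoints, Client authentication) and the Single Logout URL above all come from the same OpenID Connect discovery document. The following is an added example, not Simpplr's or Microsoft's code: it derives those values from a discovery document and refuses non-https endpoints or an IdP that would not accept the Consumer key/secret pair. The embedded document is constructed with a placeholder tenant id, and the form-label mapping and scope choice are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample discovery document, shaped like the Microsoft identity
# platform metadata; the tenant id is a placeholder, not a real tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Simpplr form field -> discovery document key (the mapping is an assumption).
FIELD_TO_KEY = {
    "Issuer": "issuer",
    "Authorize endpoint URL": "authorization_endpoint",
    "Token endpoint URL": "token_endpoint",
    "User info endpoint URL": "userinfo_endpoint",
    "Identity Provider Single Logout URL": "end_session_endpoint",
}

def derive_sso_fields(discovery_json: str) -> dict:
    """Derive Simpplr OIDC form values from a discovery document; raises
    ValueError on a missing/non-https endpoint or when the IdP accepts no
    client-secret method (the form's Consumer key/secret pair)."""
    doc = json.loads(discovery_json)
    fields = {}
    for label, key in FIELD_TO_KEY.items():
        url = doc.get(key)
        if url is None and key == "end_session_endpoint":
            fields[label] = None          # SLO not advertised: leave blank
            continue
        if not url or urlparse(url).scheme != "https":
            raise ValueError(f"{label}: missing or non-https value {url!r}")
        fields[label] = url
    # Per OIDC Discovery, a missing list means client_secret_basic only.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    usable = [m for m in ("client_secret_post", "client_secret_basic") if m in methods]
    if not usable:
        raise ValueError("IdP accepts no client-secret method; Consumer secret unusable")
    fields["Client authentication"] = usable[0]
    # Scope shown on the form: the standard OIDC scopes the IdP advertises.
    supported = doc.get("scopes_supported", [])
    fields["Scope"] = " ".join(s for s in ("openid", "profile", "email") if s in supported)
    return fields
```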

Post-Configuration Behaviour of SLO

Once SLO is successfully configured for a supported vendor, the system handles logout or authentication failure scenarios as follows:

  1. Redirection on Successful Logout:

    • If the logout process completes successfully, the system will redirect the user to the configured success URL.

      • Example: Redirects to youtube.com.

  2. There are several cases for where SLO redirects after a successful logout from Simpplr:

    1. If the Custom Logout URL is set, then after a successful logout the IdP redirects the user to the Custom Logout URL.

    2. If not, and a session timeout URL is already set in Manage application → Security → Session settings, and that URL is on the same domain as the Simpplr tenant, the user is redirected to the session timeout URL.

    3. Lastly, if neither the Custom Logout URL nor the session timeout URL is set, the user is redirected to the tenant's logout endpoint, e.g.

https://neha-testenv.test.simpplr.xyz/idplogout
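The redirect precedence above, modelled as an added Python function; this is a hypothetical model for checking a configuration, not Simpplr's implementation. The tenant URL is constructed, and "same domain" is taken to mean an exact hostname match over https, which is an assumption.

```python
from typing import Optional
from urllib.parse import urlparse

def post_logout_target(tenant_url: str, custom_logout_url: Optional[str],
                       session_timeout_url: Optional[str]) -> str:
    """Choose where the IdP sends the browser after a successful SLO.

    Hypothetical model of the three cases described above:
      1. a configured Custom Logout URL always wins;
      2. otherwise the session timeout URL is used, but only when it is
         https and on the tenant's own host (an off-domain or plain-http
         value is ignored rather than followed);
      3. otherwise fall back to the tenant's /idplogout endpoint.
    """
    if custom_logout_url:
        return custom_logout_url
    tenant_host = urlparse(tenant_url).hostname
    if session_timeout_url:
        parsed = urlparse(session_timeout_url)
        # .hostname is lower-cased, so the comparison is case-insensitive
        if parsed.scheme == "https" and parsed.hostname == tenant_host:
            return session_timeout_url
    return tenant_url.rstrip("/") + "/idplogout"

# Constructed tenant URL for demonstration; not a real environment.
TENANT = "https://example-tenant.test.simpplr.xyz"
```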

JIT Provisioning

You can provision additional fields in Simpplr from Microsoft Entra by adding the mapping under Attributes and Claims in Enterprise Application → Single Sign On.

  1. Open a new tab in your browser and log in to your Simpplr tenant as the Application manager.

  2. Go to Manage > Application > Security > External IdP (SSO).

  3. Select the SSO, click the 3 dots and click Edit.

  4. Ensure Provision new users via SSO is enabled.

  5. In the previous menu, select the SSO, click the 3 dots and click Field Mapping.

  6. Back in your Entra ID instance, go to Enterprise Applications, select your newly created app and select the Single Sign On option.

  7. Go to Attributes and Claims, click Edit and then Add new claim, and add the fields you want to provision in Simpplr according to the Field Mapping. Select the corresponding Entra ID field you want to populate each Simpplr field from and click Save.

JIT Syncing

JIT syncing is similar to JIT provisioning: provisioning fills fields/attributes when the user is onboarded/created, while syncing updates the user at the time of login if anything has changed in Microsoft Entra ID.

  1. Open a new tab in your browser and log in to your Simpplr tenant as the Application manager.

  2. Go to Manage > Application > Security > External IdP (SSO).

  3. Select the SSO, click the 3 dots and click Edit.

  4. Ensure Sync existing users via SSO is enabled.

  5. In the previous menu, select the SSO, click the 3 dots and click Field Mapping.

  6. Back in your Entra ID instance, go to Enterprise Applications, select your newly created app and select the Single Sign On option.

  7. Go to Attributes and Claims, click Edit and then Add new claim, and add the fields you want to sync in Simpplr according to the Field Mapping. Select the corresponding Entra ID field you want to populate each Simpplr field from and click Save.
