
Single Sign-On (SSO) with Microsoft Entra ID

Updated over 5 months ago

In this article, we will show you how to set up login to Tacto via Single Sign-On with Microsoft Entra ID using the OpenID Connect protocol.

What is Single Sign-On (SSO)?

Single sign-on (SSO) allows users to log in to multiple services with the same login information, e.g. user name and password. To do this, the user is first redirected to the configured identity provider (IdP), e.g. Microsoft Entra ID, when logging in to an application (e.g. Tacto). The user's credentials are checked there. After successful authentication, the identity provider redirects the user back to the original application.

What is OpenID Connect?

OpenID Connect (OIDC) is an identity protocol built on OAuth 2.0, an authorization framework. OIDC enables applications (so-called clients) to verify a user's identity and obtain basic profile information. OIDC uses JSON Web Tokens (JWTs) to securely transmit the user's identity (the ID token) and access tokens.

What can customers expect?

Any user listed in the Microsoft Entra ID app will be able to access Tacto. Likewise, all user management is done on your side. If a user is not listed, they will not be able to log in to Tacto. In Tacto, under "Settings > User management", the users who have ever logged in are still listed, but no users can be added or removed there.

Setting up OpenID Connect with Entra ID

Prerequisites:

  • Permissions to be able to register apps in Microsoft Entra ID

OpenID Connect (OIDC) and Microsoft Entra ID work together to provide a secure and efficient authentication solution. Microsoft Entra ID, as an identity and access management service, supports the OpenID Connect protocol to enable users to authenticate and access connected applications.

Create a client application (Microsoft documentation):

  • Log in to the Azure Entra ID management console.

  • Navigate to "App registrations".

  • Create a new client application to represent Tacto in your IdP.

Configure the application settings:

  • Name the application, for example "Tacto", for easy identification.

  • Set the application type to "Single-page Application".

Add the redirect URI:

  • In the application settings, locate the section for the redirect URI.

  • Add https://auth.tacto.ai/login/callback. This is where Entra ID will redirect the user after successful authentication.

Activation of ID tokens:

  • Navigate to "Authentication" and select "ID Token" in the "Implicit Authorization and Hybrid Flows" section.

Configuring read permissions:

  • Go to "API permissions" and click on "Add permission".

  • In the dialog, select "Microsoft Graph" and "Delegated permissions".

  • Select "email", "profile" and "User.Read". You will find the last permission further down in the list.

  • Click on "Add permissions".

Adding ID token claims:

  • Go to "Token configuration" and click on "Add optional claims".

  • Select "ID", then "email", "given_name", "family_name" and click on "Add".

Send the application ID (client ID) and directory ID (tenant ID):

  • After setting up the application, you will find an Application ID under "App registrations" > "Name of your application" > "Overview", which is required for configuring the connection with Tacto.

  • There you will also find the Directory ID, which is also required for configuring the connection with Tacto.

  • Please send us both the Application and Directory IDs.

Check whether users have a valid e-mail address:

  • Make sure that all users have an e-mail address stored in Entra ID so that the application can identify them. This can be found on the "Properties" tab in the user details.
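The claims configured above end up in the ID token that Tacto receives at the redirect URI. As an added example (not Tacto's or Microsoft's code), here are the checks a relying party makes on that token's payload after its signature has been verified against the tenant's published keys; the tenant ID, client ID and sample payload are constructed placeholders.

```python
import time

# Constructed placeholders: take the real values from the app registration's
# "Overview" page (Directory ID = tenant, Application ID = client).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# The optional claims the article adds under "Token configuration".
REQUIRED_CLAIMS = ("email", "given_name", "family_name")


def expected_issuer(tenant_id):
    # Issuer of the v2.0 endpoint for one tenant. A token from any other
    # tenant carries a different GUID here and must be rejected.
    return "https://login.microsoftonline.com/{}/v2.0".format(tenant_id)


def validate_id_token_claims(claims, tenant_id, client_id, now=None):
    """Check an already signature-verified ID token payload and return the
    profile fields Tacto needs, or raise ValueError explaining the rejection."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer(tenant_id):
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("token not yet valid")
    missing = [c for c in REQUIRED_CLAIMS if not claims.get(c)]
    if missing:
        # Typically a user with no e-mail address stored in Entra ID (see the
        # "Properties" tab): the login cannot be mapped to a Tacto user.
        raise ValueError("ID token lacks required claims: %s" % missing)
    return {c: claims[c] for c in REQUIRED_CLAIMS}


# Constructed sample payload in the shape Entra ID returns once the optional
# claims above are configured; header and signature are omitted on purpose.
SAMPLE_CLAIMS = {
    "iss": expected_issuer(TENANT_ID),
    "aud": CLIENT_ID,
    "exp": 1_900_000_000,
    "nbf": 1_700_000_000,
    "email": "jane.doe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
}

if __name__ == "__main__":
    print(validate_id_token_claims(SAMPLE_CLAIMS, TENANT_ID, CLIENT_ID, now=1_800_000_000))
```

A token for a user whose e-mail address is missing in Entra ID fails the last check, which is why the article asks you to verify that field before going live.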

Adding users:

  • Navigate to "Enterprise applications" in Entra ID.

  • Open the application you have just created.

  • Under "Users and groups" you can now define which people should have access to Tacto.
