Single Sign On

Updated 2 years ago by admin

The USS dashboard can use Office 365 (Azure Active Directory) as a source for authenticating administrator users, meaning anyone with an approved Microsoft account can single sign on to the dashboard. This is particularly useful for deploying the End User Portal.

To enable, navigate to Products -> Single Sign On and click the Enable button on the Azure AD tile:

The Single Sign On option will be disabled if you are impersonating the account. You must be logged in directly to the account in order to update the authentication method.
You will require an Azure AD user with administrator rights, or sufficient permission to approve the consent, for the USS Auth app to read from the Azure AD directory.

Assign new users the following role: select the role to apply to any new Azure AD users that sign in. The role defaults to the least privileged, End User Portal. You can change this to your preferred custom role; however, it is not possible to assign the Super User role at this stage. You can promote a user to a different role once they have signed in for the first time, using the Administrators section.

Disable new users by default: select this checkbox if you want to manually approve Azure AD users to access the portal. This will require unsuspending them using the Administrators section. This provides moderated access to the dashboard.

If an administrator user with the same UPN as an Azure AD user already exists, their role will be preserved, but options such as Change Password and MFA will be disabled as these are now managed via Azure AD. The user is still able to log in with their original username and password rather than single sign on, and if they do this they can manage their password and MFA as before. If the user account was first created by an Azure AD sign-in, that user will only ever be able to sign in with Azure AD. Depending on your requirements, it may be better to delete existing administrator users and ask them to sign in with Azure AD only.

Click Next.

You must now sign in with an administrator user from your Azure AD account and approve the consent. Click Grant Permissions to open the consent flow in a new browser tab.

Please review the permissions carefully. The permissions relate to sign in and permission to read user details from the Azure Active Directory. The permissions are read-only.

Click Accept. The Azure AD tenant will be approved for user authentication.

Close the tab to return to the Dashboard and view the Single Sign On status.

If you need to make changes to the assigned role you can Reconfigure at any time.

The setup is complete. Users can now sign in using the Sign in with Microsoft option on the dashboard login page:

Once authenticated via single sign on, the admin user will be granted a token for access to the dashboard. This token is separate from Azure AD and will remain active for the token lifetime even if the Azure AD user is signed out or deactivated. Only when the token expires, or the user signs out manually, will the user be required to authenticate again.

Managing Single Sign-On Users

Once a user signs in using single sign on, their administrator account will have a Microsoft logo appended. This indicates the user is managed by Microsoft (Azure AD) for password and MFA.

Administrators cannot change passwords or manage MFA for single sign on users.

Administrators can change the role of a single sign on user by double clicking the role name. Administrators can also suspend and unsuspend users.

Disabling Single Sign-On

Navigate to Products -> Single Sign On and click Disable.

Click Disable again to confirm.

  • Users that existed prior to Single Sign On being activated will be restored as non-Azure AD users
  • Users that were created since Single Sign On was activated will no longer be able to sign in

Troubleshooting

Permissions Denied - E00009

You will need to troubleshoot using a non-Azure AD user, such as the primary @clouduss.com administrator for your account.

  • Ensure that Single Sign On has been correctly activated on the account you are trying to sign in on by following the steps in this article
  • Ensure that the username you are signing in as has been created in the Administrators view and is not suspended
  • Ensure that the username you are signing in as does not belong to another account, for example, if you are performing an account migration

Need Admin Approval

This error means that your Azure AD administrator will need to grant consent for you to use the USS Auth application.

Log in to Azure AD as an administrator and navigate to Azure Active Directory -> Enterprise Apps -> select USS Auth -> Users & Groups and ensure the user that is trying to sign in has Default Access.
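The same two conditions (tenant consent granted to the USS Auth enterprise app, and the user assigned to it) can be checked from a shell. The script below is an added example, not part of this article or of USS; it assumes the Microsoft Graph PowerShell SDK is installed, that the enterprise app's display name is exactly "USS Auth", and that the account running it can read applications and the directory.

```powershell
param(
    # UPN of the user who is seeing "Need Admin Approval" (placeholder value)
    [string]$Upn = 'user@example.com'
)

# Directory read rights are sufficient; no changes are made by this script.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' | Out-Null

# Find the enterprise app (service principal) by the display name used in the article.
$sp = Get-MgServicePrincipal -Filter "displayName eq 'USS Auth'" | Select-Object -First 1
if (-not $sp) {
    Write-Warning 'No USS Auth service principal found: consent has never been granted in this tenant.'
    return
}

# Admin (tenant-wide) consent appears as a grant with ConsentType 'AllPrincipals';
# a grant made by a single user has ConsentType 'Principal'.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id
foreach ($g in $grants) {
    '{0,-14} scopes: {1}' -f $g.ConsentType, $g.Scope   # review: should be read-only scopes
}
if (-not ($grants | Where-Object ConsentType -eq 'AllPrincipals')) {
    Write-Warning 'No tenant-wide consent: users will keep getting "Need Admin Approval" until an admin accepts the consent prompt.'
}

# If "User assignment required" is on, only principals listed under Users & Groups can sign in.
if ($sp.AppRoleAssignmentRequired) {
    $user = Get-MgUser -UserId $Upn
    $assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id
    $direct = $assignments | Where-Object PrincipalId -eq $user.Id
    if ($direct) {
        "$Upn is directly assigned to USS Auth (Default Access or another role)."
    } else {
        # Group-based assignments are not expanded here; check group membership manually.
        Write-Warning "$Upn has no direct assignment on USS Auth. Add the user under Users & Groups, or confirm an assigned group contains them."
    }
} else {
    'User assignment is not required on USS Auth; any consented user in the tenant may sign in.'
}
```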

Permission Denied - E00010

The user is suspended in the Administrators section.
