Single sign-on (SSO) is an authentication method that allows users to log in with a single ID to multiple related but independent software systems. We support the following identity providers (IDP):
- OpenId
- Ping
- Okta
- nShiftMarketplace
- EntraId (formerly Azure Active Directory). For EntraId, we have an app in Entra Gallery.
Click here to download the app
Please note that when adding the nShift app, you need to give your users/groups permission to the enterprise app in your tenant. Please see the Entra Marketplace guide.
Important: If you choose to use OpenId, EntraId or Okta, make sure the Redirect URI follows this format:
https://account.nshiftportal.com/idp/federation/sample-name/signin
The sample-name part should be the same as the Scheme name from the form.
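A pre-flight check for the Redirect URI rule above, as an added example that is not nShift's own code: it compares the value registered at the identity provider with the format on this page and reports what differs. Assumptions: the provider compares redirect URIs by exact string match and the Scheme name is case-sensitive; the function names and the Scheme name `contoso-sso` are made up for illustration.

```python
from urllib.parse import urlsplit

# Format taken from this page; "sample-name" is replaced by the Scheme name.
HOST = "account.nshiftportal.com"
PREFIX = ["idp", "federation"]
SUFFIX = "signin"


def expected_redirect_uri(scheme_name: str) -> str:
    """Build the redirect URI this page prescribes for a given Scheme name."""
    return f"https://{HOST}/idp/federation/{scheme_name}/signin"


def check_redirect_uri(registered: str, scheme_name: str) -> list[str]:
    """Return the problems found in a redirect URI registered at the IdP.

    An empty list means the value equals the expected URI exactly.
    """
    problems = []
    parts = urlsplit(registered)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.netloc != HOST:
        problems.append(f"host must be {HOST}")
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    segments = parts.path.split("/")[1:]  # drop the empty piece before the first "/"
    if len(segments) != 4 or segments[:2] != PREFIX or segments[3] != SUFFIX:
        problems.append("path must be /idp/federation/<Scheme name>/signin")
    elif segments[2] != scheme_name:  # assumption: compared case-sensitively
        problems.append(f"path carries {segments[2]!r}, form has {scheme_name!r}")
    # Catch anything the structural checks missed (e.g. stray whitespace).
    if not problems and registered != expected_redirect_uri(scheme_name):
        problems.append("not an exact string match with the expected URI")
    return problems


# Constructed sample values; "contoso-sso" is a made-up Scheme name.
SAMPLES = [
    "https://account.nshiftportal.com/idp/federation/contoso-sso/signin",
    "https://account.nshiftportal.com/idp/federation/contoso-sso/signin/",
    "https://account.nshiftportal.com/idp/federation/Contoso-SSO/signin",
    "http://account.nshiftportal.com/idp/federation/sample-name/signin",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", check_redirect_uri(uri, "contoso-sso") or "OK")
```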
- SSO can be activated by a Portal Owner account and applies to all users under this Owner. New users will inherit SSO from the Owner.
- It is not possible to have some users with SSO and some without. If SSO has been activated, all users must use it.
- All user names must be identical to active users in the customer's Identity provider (IDP).
- When SSO is activated, no password is used when logging into nShift Portal. The username is entered and when the user selects Sign in, they are forwarded to the customer's identity server for login.
How to activate SSO
- Log into nShift Portal and use the application selector in the top right corner to go to Home.
- Go to Settings > Single Sign-On (SSO).
- Select a provider from the drop-down list.
- Fill in the additional fields that appear, depending on the selected provider. The information that must be filled in varies from provider to provider. Important note: If your provider uses a Scheme name, it cannot be changed later, so you must pick a relevant name the first time you configure SSO.
- Click Save.
Important information about Microsoft Entra (Azure AD):
The Entra user (original user) must have admin rights in Azure to add applications from Entra Gallery. If the original user is deleted after the integration, another user from the Customer’s Entra will be required; this user will become the owner and will be attached to the installation. Both the original user and the owner user will need manual SSO configuration. After the owner is set up, all other users added under this owner through the UI will be set up as SSO.
As a recommended process, we will need two users from the Customer’s Entra: one who will be the owner, and another who can do the Entra Gallery integration (original user). We can set up the owner with a username (Entra username) and password, then add the original user under this owner as SSO (manual setup). After the integration is complete in the customer’s Entra, we can change the owner to SSO (manual setup) and then add all other users (automatically set as SSO).
Resources
Guide by Microsoft: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal