Enterprise SSO (Microsoft Entra ID)

This page describes how to set up Enterprise SSO. We also have methods that require no work to get started: an overview of available methods (and their pros and cons) can be found here.

A direct coupling from your Identity Provider (Microsoft Entra ID) does require some work from your IT department. They should set up a custom OIDC application that couples to our Viya Ory instance. We use the email domain to block other ways of accessing our Viya application. You can find the docs here. Make sure to also set up a client secret.

To configure your tenant, we need:

  1. Email hostnames for users of your organisation. For most companies this will be a single domain, e.g. @yourcompany.com.
  2. Application (client) ID
  3. Directory (tenant) ID
  4. Client secret

Points of attention:

  1. We will provide you with a redirect URL; please allow it. The URL will look like this: https://auth.viya.me/self-service/methods/oidc/callback/microsoft-{some-unique-id}.
  2. We advise limiting logins to people in your Entra ID. If you do need to allow external logins, make sure to give us the expected email hostnames: we can only redirect users to your identity provider when their email hostname is on the list.
  3. Please make sure to set up a company process (e.g. a recurring agenda appointment) on your side to rotate the client secret: we advise you to rotate at least once a year. We cannot monitor expiration of your secrets. Please do this now: secret expiration will result in losing the ability to log in to your Viya tenant.
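
One way to back the rotation reminder from point 3 with an automated check, as an added example (not Viya's or Microsoft's code): it classifies an app registration's client secrets by expiry date. The sample JSON is constructed and assumed to match the output of `az ad app credential list --id <application-client-id>`; the secret names and the 30-day warning window are assumptions.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up values), assumed to match the JSON printed by
# `az ad app credential list --id <application-client-id>`.
SAMPLE = """[
 {"displayName": "viya-sso-2024", "keyId": "00000000-0000-0000-0000-000000000001",
  "endDateTime": "2025-03-01T09:00:00Z"},
 {"displayName": "viya-sso-2025", "keyId": "00000000-0000-0000-0000-000000000002",
  "endDateTime": "2026-02-01T09:00:00.1234567Z"}
]"""

def parse_graph_time(value):
    """Parse a UTC timestamp like 2026-02-01T09:00:00.1234567Z (7-digit fraction allowed)."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)

def classify_secrets(credentials, now, warn_days=30):
    """Return (status, name, days_left) for each secret, soonest expiry first."""
    report = []
    for cred in credentials:
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            status = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            status = "ROTATE_NOW"
        else:
            status = "OK"
        name = cred.get("displayName") or cred["keyId"]
        report.append((status, name, remaining.days))
    return sorted(report, key=lambda row: row[2])

def main(argv):
    # With a file argument, read saved CLI output; otherwise use the sample.
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE
    report = classify_secrets(json.loads(raw), datetime.now(timezone.utc))
    for status, name, days_left in report:
        print(f"{status:<10} {name} ({days_left} days left)")
    # Non-zero exit lets a scheduler or CI job raise the alert.
    return 1 if any(status != "OK" for status, _, _ in report) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on a schedule against saved CLI output, the non-zero exit code can feed whatever alerting you already use. The credential list holds only metadata such as names and dates, not the secret values.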

At this moment you cannot (yet) configure the Enterprise SSO at Viya yourself: we always set up a short 20-minute call with your IT department to configure and test this integration. Please fully set up the Azure tenant on your side before we start this call.