SSO Integration with Azure
TUNE offers SSO as a paid add-on; reach out to your Customer Success Manager, Sales Representative, or our support team at support@tune.com to get started if it’s not already enabled on your account.
This article covers the Azure side of the SSO setup. If you need any guidance on how to set up your integration in TUNE, you can find the instructions here.
Getting Started with Azure Single Sign-On
To get started, you need an active subscription to Azure AD (Active Directory). As your identity provider (IdP), Azure handles the sign-in process and authenticates your users for TUNE.
The app registration you create in Azure provides the client credentials and metadata TUNE needs for the SSO flow. When you register the app, the identity platform assigns some values automatically; others you configure based on the application's type.
Creating an App:
- Sign in to your Microsoft Entra admin center as a user with administrative privileges (Cloud Application Administrator).
- Browse to Identity > Applications > App registrations.
- Select New Registration.
- Enter a display name for your application. Users of your application might see the display name when they use the app, for example, during sign-in. You can change the display name anytime, and multiple app registrations can share the same name. The app registration's automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
- For Supported account types, select Accounts in this organizational directory only.
- For the Redirect URI, select Web as the platform type.
- Enter the Redirect URI as https://yournetwork.hasoffers.com/sso_login.
- Select Register to complete the initial app registration.
When registration finishes, the Microsoft Entra admin center displays the app registration's Overview pane. You see the Application (client) ID. Also called the client ID, this value uniquely identifies your application in the Microsoft identity platform.
Creating Client Credentials
- From the Overview pane, go to Add a certificate or secret.
- On the Credentials & Secrets page, go to the Create Secrets tab and click New Client Secret.
- Provide a Description and choose Expiry Duration.
- Click Add to create credentials.
- After creating them, the credentials are listed in a table under the Client Secret tab.
- From the Client Secret tab, copy the value of the client secret you just created.
Collecting Credentials
From the Overview tab, copy the Application (client) ID and the Directory (tenant) ID.
Next, you need the endpoints that connect the Azure application to TUNE. Open the Endpoints tab and copy the following:
- OAuth 2.0 authorization endpoint (v2)
- OAuth 2.0 token endpoint (v2)
- Microsoft Graph API endpoint
Adding a User to the Application
To let users sign in through Azure SSO, you need to add them to the application you created.
- Go to Enterprise Applications and choose the application you want to add users to.
- Select Users and groups from the left menu bar.
- Click Add user/group.
- On the Add Assignment page, add the user or group that should sign in through SSO.
Connect TUNE with Azure
To connect TUNE with Azure and establish the communication for SSO, you need to provide the credentials you created within Microsoft Azure (Client ID, Client Secret, and so on).
In the TUNE Dashboard, go to Company and select Customize Application. In the Settings panel, click Single Sign-On.
On the Single Sign-On page:
- Check the SSO Enabled checkbox.
- For Integration Type, select Generic OIDC SP Initiated SSO.
- Issuer URL: https://login.microsoftonline.com/{Directory (tenant) ID}/
- Client ID: enter the Application (client) ID copied from the Overview tab.
- Client Secret: enter the Client Secret value copied from Client Credentials in the previous step.
- SSO SignIn URL: enter https://login.microsoftonline.com
- Authorization URL: the OAuth 2.0 authorization endpoint (v2) copied from Endpoints in the previous step.
- Token Exchange URL: OAuth 2.0 token endpoint (v2) copied from Endpoints.
- Profile URL: Microsoft Graph API endpoint copied from Endpoints. For example: https://graph.microsoft.com/oidc/userinfo
- Scopes: Enter “openid profile email phone” (without quotes)
- Click Save.
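Before clicking Save, the values above can be cross-checked. The following Python example is added here and is not TUNE's or Microsoft's code: it derives the expected v2.0 endpoints from the Directory (tenant) ID, flags the usual mismatches (a v1 endpoint pasted without /v2.0/, an endpoint copied from a different tenant than the Issuer URL, a missing openid scope), and builds the SP-initiated sign-in request with fresh state and nonce values. The function names and the placeholder tenant and client IDs are assumptions.

```python
import secrets
from urllib.parse import urlencode

AZURE_LOGIN = "https://login.microsoftonline.com"

def expected_tune_sso_values(tenant_id: str) -> dict:
    """Values the TUNE Single Sign-On form asks for, derived from the
    Directory (tenant) ID. The authorize/token paths are Azure's published
    v2.0 OAuth endpoints; the Profile URL is the one quoted in the article."""
    return {
        "issuer_url": f"{AZURE_LOGIN}/{tenant_id}/",
        "sso_signin_url": AZURE_LOGIN,
        "authorization_url": f"{AZURE_LOGIN}/{tenant_id}/oauth2/v2.0/authorize",
        "token_exchange_url": f"{AZURE_LOGIN}/{tenant_id}/oauth2/v2.0/token",
        "profile_url": "https://graph.microsoft.com/oidc/userinfo",
        "scopes": "openid profile email phone",
    }

def check_tune_sso_form(form: dict, tenant_id: str) -> list:
    """Compare values entered in the TUNE form against the expected ones.
    Returns a list of problems; an empty list means the form is consistent."""
    problems = []
    expected = expected_tune_sso_values(tenant_id)
    for key in ("authorization_url", "token_exchange_url", "profile_url"):
        if form.get(key) != expected[key]:
            # Typical causes: a v1 endpoint (no /oauth2/v2.0/ in the path) or an
            # endpoint copied from a tenant other than the one in the Issuer URL.
            problems.append(f"{key}: expected {expected[key]}, got {form.get(key)!r}")
    if "openid" not in form.get("scopes", "").split():
        problems.append("scopes: 'openid' is required for an OIDC sign-in")
    return problems

def build_signin_url(form: dict, client_id: str, redirect_uri: str) -> tuple:
    """Build the SP-initiated authorization request the browser is sent to.
    state binds the response to this browser session (CSRF protection) and
    nonce binds the ID token to it; both are stored and checked on return."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,  # must match the URI registered in Azure exactly
        "scope": form["scopes"],
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{form['authorization_url']}?{urlencode(params)}", session
```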
Test your integration:
- Sign out of your administrator account in Microsoft Entra and sign out of your TUNE application.
- In your browser, begin the sign-in process to the TUNE application, either through your application's sign-in button or directly by pasting one of the sign-in redirect URIs into the address bar. Whichever method you choose, your browser must end up at the Azure-hosted sign-in page.
- Sign in to your regular user account on the Azure-hosted sign-in page.
- Confirm that Azure successfully redirects back into your TUNE application.