SSO Integration with Azure
TUNE offers SSO as a paid add-on; reach out to your Customer Success Manager, Sales Representative, or our support team at support@tune.com to get started if it’s not already enabled on your account.
This article covers the TUNE side of the SSO setup. If you need any guidance on how to set up your integration in Azure, you can find the instructions here.
Getting started with Single Sign-on
Single Sign-On is available for employee users. The Single Sign-On feature is managed under Company - Customize Application - Settings.
Enabling Single Sign-On
Single Sign-On is enabled at the account level with additional control at the individual user level. Check the SSO Enabled checkbox on the Single Sign-On Settings page to enable SSO.
Connect TUNE with Azure
To connect TUNE with Azure and establish communication for SSO, you must provide the credentials you created within Microsoft Azure (Client ID, Client Secret, etc.).
In the TUNE Dashboard, go to Company and select Customize Application. In the Settings panel, click Single Sign-On.
On the Single Sign-On page:
- Check the SSO Enabled checkbox.
- For Integration Type, select Generic OIDC SP Initiated SSO.
- Issuer URL: https://login.microsoftonline.com/{Directory (tenant) ID}/
- Client ID: enter the Application (client) ID copied from the Overview tab.
- Client Secret: enter the client secret value copied from Client Credentials in the previous step.
- SSO SignIn URL: enter https://login.microsoftonline.com
- Authorization URL: OAuth 2.0 authorization endpoint (v2) copied from Endpoints in the previous step.
- Token Exchange URL: OAuth 2.0 token endpoint (v2) copied from Endpoints.
- Profile URL: Microsoft Graph API endpoint copied from Endpoints. For example: https://graph.microsoft.com/oidc/userinfo
- Scopes: Enter “openid profile email phone” (without quotes)
- Click Save.
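A pre-flight check for the values above, as an added example that is not TUNE's or Microsoft's code: it confirms that the Azure endpoints are HTTPS v2 endpoints under the same tenant as the Issuer URL, that the Profile URL matches the article's example, and that the scopes include openid. The dictionary keys, the tenant ID and the secret are constructed placeholders, and the check that flags a GUID-shaped client secret is a heuristic assumption.

```python
import re
from urllib.parse import urlparse

LOGIN_HOST = "login.microsoftonline.com"
USERINFO_URL = "https://graph.microsoft.com/oidc/userinfo"  # example value from the article
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def tenant_of(url):
    """Return the tenant ID (first path segment) of an https Azure login URL, else None."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != LOGIN_HOST:
        return None
    segments = [s for s in parts.path.split("/") if s]
    return segments[0].lower() if segments else None

def check_sso_settings(cfg):
    """Return a list of problems in the values destined for the TUNE Single Sign-On page."""
    problems = []
    tenant = tenant_of(cfg["issuer_url"])
    if tenant is None:
        problems.append("issuer_url: expected https://login.microsoftonline.com/<tenant ID>/")
    for field, suffix in (("authorization_url", "/oauth2/v2.0/authorize"),
                          ("token_exchange_url", "/oauth2/v2.0/token")):
        found = tenant_of(cfg[field])
        if found is None or not urlparse(cfg[field]).path.rstrip("/").endswith(suffix):
            problems.append(f"{field}: not an https v2 endpoint on {LOGIN_HOST}")
        elif tenant is not None and found != tenant:
            problems.append(f"{field}: tenant differs from issuer_url")
    if cfg["profile_url"].rstrip("/") != USERINFO_URL:
        problems.append(f"profile_url: expected {USERINFO_URL}")
    if "openid" not in cfg["scopes"].split():
        problems.append("scopes: openid is missing")
    # Heuristic (assumption): a GUID here is usually the Secret ID, not the secret value.
    if GUID.fullmatch(cfg["client_secret"]):
        problems.append("client_secret: looks like a Secret ID, not the secret value")
    return problems

# Constructed sample values; the tenant ID and the secret are placeholders.
TENANT = "11111111-2222-3333-4444-555555555555"
GOOD = {
    "issuer_url": f"https://{LOGIN_HOST}/{TENANT}/",
    "client_secret": "PLACEHOLDER-secret-value",
    "authorization_url": f"https://{LOGIN_HOST}/{TENANT}/oauth2/v2.0/authorize",
    "token_exchange_url": f"https://{LOGIN_HOST}/{TENANT}/oauth2/v2.0/token",
    "profile_url": USERINFO_URL,
    "scopes": "openid profile email phone",
}
print(check_sso_settings(GOOD) or "no problems found")
```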
Managing Single Sign-On for Individual Users
Once Single Sign-On is enabled for your account, all employee users will have SSO automatically enabled by default. SSO may be disabled for individual users as needed.
To disable SSO for an employee user, navigate to the Employee page and click the Edit button under the Settings section. Single Sign-On can then be set to Enabled or Disabled. Disabling SSO will force users to log in using their email and password, bypassing the SSO process.
Test your integration:
- Sign out of your administrator account in Azure Entra and sign out of your TUNE application.
- In your browser, begin the sign-in process to the TUNE application through your application's sign-in button or directly by pasting one of the Sign-in redirect URIs into your web browser address bar. Regardless of your chosen method, your browser must end up at the Azure-hosted sign-in page.
- Sign in to your regular user account on the Azure-hosted sign-in page.
- Confirm that Azure successfully redirects back into your TUNE application.