
Single Sign On

tijsziere edited this page Jan 28, 2025 · 27 revisions

This page contains information about letting users log in via Single Sign-On (SSO).

Usage

Required: Allow Pop-ups (when used inside Twilio Flex)

If a user is accessing the 121 platform via an iframe and pop-ups are blocked, the login button will be disabled and an error message will be displayed: "Please allow pop-up windows to login."

See the Twilio Flex Integration Wiki page for more details.

Resolution: Once the user allows pop-ups and refreshes the page, they will be able to log in successfully.

Implementation

At the moment, SSO has been implemented for use with Multi-Tenant Microsoft Entra ID.

To use SSO, you need to have a Client-ID from the Microsoft Entra ID App-Registration that was created for a specific 121 Platform instance.

Important: Admin User Setup

  1. User Creation: Administrators must first add the user to the Microsoft group. After that, they should create the user in the 121 Platform and assign the necessary roles/projects.

  2. Error Handling: If a user is not added to the Microsoft group, they will receive the error message: "User account does not exist in tenant and cannot access the application." The account must be added to the Microsoft group first. If a user who is not added to the 121 Platform attempts to log in, they will be automatically logged out from Azure and redirected to the login page with the error message: "Unknown user account or authentication failed."

Types of Authentication Supported

  1. User Account is Part of the Tenant: The user account is directly added to the tenant and can access the application through SSO.

  2. Non-Microsoft Account (e.g., Gmail Account): For users who want to use a non-Microsoft account, create an Entra guest user.

  3. Microsoft Personal Account: Users can log in using their Microsoft personal accounts by following the appropriate configuration in the Microsoft group.

Deployment configuration

SSO is configured per instance using the ENV-variables of both the 121 Portal and the 121 Service:

121 Service Configuration

  • USE_SSO_AZURE_ENTRA: TRUE
  • AZURE_ENTRA_CLIENT_ID: <the specific Client-ID>

121 Portal Configuration

  • USE_SSO_AZURE_ENTRA: TRUE
  • AZURE_ENTRA_CLIENT_ID: <the specific Client-ID>
  • AZURE_ENTRA_TENANT_ID: <the specific Tenant-ID>
  • AZURE_ENTRA_URL: <authority Azure AD URL>

For the (old) Portal only, some additional configuration is necessary to set the correct `Content-Security-Policy` values, see: interfaces/README.md#content-security-policy-csp. (Portalicious has this built into its build script(s).)
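A pre-deployment check over the two sets of ENV-variables listed above, as an added example that is not part of the 121 Platform code base. It assumes that Client-ID and Tenant-ID are GUIDs and that AZURE_ENTRA_URL is the public-cloud authority on login.microsoftonline.com; neither is stated on this page.

```typescript
// Added example, not part of the 121 Platform code base: cross-check the SSO
// ENV-variables of the 121 Service and the 121 Portal before deploying.
// Assumed (not stated on this page): Client-ID and Tenant-ID are GUIDs, and
// AZURE_ENTRA_URL points at the public-cloud authority login.microsoftonline.com.
type Env = Record<string, string | undefined>;

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const AUTHORITY = /^https:\/\/login\.microsoftonline\.com\/[^/?#]+\/?$/i;

function isTrue(value: string | undefined): boolean {
  return (value ?? "").trim().toUpperCase() === "TRUE";
}

// Returns a list of problems; an empty list means the two configs agree.
function validateSsoConfig(service: Env, portal: Env): string[] {
  const problems: string[] = [];
  const serviceSso = isTrue(service.USE_SSO_AZURE_ENTRA);
  const portalSso = isTrue(portal.USE_SSO_AZURE_ENTRA);

  if (serviceSso !== portalSso) {
    problems.push("USE_SSO_AZURE_ENTRA differs between Service and Portal");
  }
  if (!serviceSso && !portalSso) {
    return problems; // SSO disabled on both sides: nothing more to check
  }
  const sides: Array<[string, Env]> = [["Service", service], ["Portal", portal]];
  for (const [name, env] of sides) {
    if (!GUID.test(env.AZURE_ENTRA_CLIENT_ID ?? "")) {
      problems.push(`${name}: AZURE_ENTRA_CLIENT_ID is missing or not a GUID`);
    }
  }
  // Both sides must talk to the same App-Registration
  if (service.AZURE_ENTRA_CLIENT_ID !== portal.AZURE_ENTRA_CLIENT_ID) {
    problems.push("AZURE_ENTRA_CLIENT_ID differs between Service and Portal");
  }
  if (!GUID.test(portal.AZURE_ENTRA_TENANT_ID ?? "")) {
    problems.push("Portal: AZURE_ENTRA_TENANT_ID is missing or not a GUID");
  }
  if (!AUTHORITY.test(portal.AZURE_ENTRA_URL ?? "")) {
    problems.push("Portal: AZURE_ENTRA_URL is not an https authority URL on login.microsoftonline.com");
  }
  return problems;
}

// Constructed sample: the Portal still uses http and a different Client-ID.
const sampleService: Env = { USE_SSO_AZURE_ENTRA: "TRUE", AZURE_ENTRA_CLIENT_ID: "11111111-2222-3333-4444-555555555555" };
const samplePortal: Env = { USE_SSO_AZURE_ENTRA: "TRUE", AZURE_ENTRA_CLIENT_ID: "11111111-2222-3333-4444-555555555556",
  AZURE_ENTRA_TENANT_ID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", AZURE_ENTRA_URL: "http://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" };
console.log(validateSsoConfig(sampleService, samplePortal));
```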


For more information about the software architecture, see:

Software Architecture
