search

Setup standard Single Sign On with MS Entra ID

This page describes how to enable standard SSO without implementation and attention points regarding user management.

hashtag
Enable standard SSO with MS Entra ID

In the environment, in the Ultimo Configuration Tool, go to the AET on "application" level. Search for "Microsoft." Enable "Allow Microsoft Authentication."

Example of enabled setting

When enabled, on the login page a new button will appear to login with Microsoft.

circle-info

Only active user accounts that receive an activation link can actually login using this new button

hashtag
Reset/invite users

All existing users log in with a different method. Either 'forms' or 'custom SSO'. To let them login with this new method you can reset the login method in the user manager. This can be done per user or via multiple select in a batch. Use optional filtering to determine the correct selection.

circle-info

Important to have the employees' e-mail address filled in at the employee record. Make sure it is only 1 (valid) e-mail address per record.

All activated users will receive an activation link. It is possible to reset inactive users but they wont receive an activation link.

Example of the user manager with the reset button pressed
Example of the activation email

If the link has expired, you can send a new invite by clicking the envelope icon in the user manager.

hashtag
Activation link

The user shares the account information with the Ultimo app when using the activation link, as shown in the dialog below. Our app is verified by Microsoft and is a trusted app.

Premission requested by IFS Ultimo app
circle-info

In some organisations, the app needs to be approved by the IT department. Based on the settings in Entra Id, a user can request permission from IT via a dialog when they use the app or contact their IT department manually.

Once the user links his organisation account with Ultimo, the activation step is finished, and from now on, the user can log in using the login button on the login page.

circle-info

Authentication is done at your organisation's identity provider. When enabled, multi-factor authentication is applied.

hashtag
Provisioning

Our standard SSO method is only applicable when using MS Entra ID. It is pure authentication. Although it is possible to maintain users manually, we advise SCIM to have user provisioning in place.

PreviousLDAPNextMicrosoft Entra ID Authentication

Last updated