Single Sign-On with OpenID Connect
Platforms
Location
Setup
SSO Activation Flow
Client Secret Expiration Reminder
Configuring SSO with Microsoft Entra ID (Azure)
Disabling SSO
Q & A
Please Note: Currently, the Second Screen App is not compatible with Single Sign-On, while the Mobile App is compatible with Single Sign-On.
Platforms
We are implementing the Open Identification Connect (OIDC) standard, which is one of two Single Sign-On (SSO) standards commonly used in the industry.
We have tested and vetted 3 popular idP (Identity Provider) services:
- Okta
- Google Auth
- Entra (Microsoft)
Please note that the OIDC standard is widely adopted and used by many Identity Providers and our SSO implementation will work with more idP’s than what is listed above.
Location
To access Single Sign On, head to the Admin Tab > Login Settings
This setting is account-wide. When activated, SSO will be enforced across all active User accounts on the subdomain.
Important Note: User Email Addresses are used to match with the idP. This means that for someone to authenticate correctly, their Email in RepairShopr must match on their idP side.
Important Note: RepairShopr MFA will remain active with SSO enabled. This means that Users will be prompted for an MFA code when starting a new session (or based on session re-auth) to access RepairShopr.
Setup
The User supplies three pieces of data:
- Client ID
- Client Secret
- Discovery Document
We generate two URLs that need to be copied and added to the idP (Okta, Google, MS).
SSO Activation Flow
The Enable Toggle will be “disabled” until the Client ID, Secret, and Document have been Saved & Verified.
Entering the Client ID, Secret and Discovery document into their fields will change the Save button in the lower right to a “Save & Verify SSO Connection” button.
Once “Save & Verify SSO” is pressed and the ID, Secret, and Discovery are verified, the “Enable SSO” option will become active.
You can now toggle ON the SSO feature when you are ready, then hit the Save button on the page one more time.
Once SSO is activated, all accounts will be authenticated through your idP. The login page will look a little different now with a Sign in button. The RepairShopr login is shown in the example
Remember that this is account wide, and takes immediate effect.
If at any time the SSO settings are updated, we will send an email out notifying Users that the SSO settings have been updated as a Security measure.
SSO Client Secret Expiration Reminder
We have added an optional field called Client Secret Expiration Date to the SSO configuration page. This is useful in case your OIDC provider expires your client secret after a set amount of time.
Choosing a date here will prompt RepairShopr to email you at 6 AM PT
30, 14, and 7 days before the date of expiration (3 emails total),
reminding you that your client secret is expiring soon and it should be
refreshed.
Configuring SSO with Microsoft Entra ID (Azure)
Launch your Azure Instance and locate Entra ID (a Pyramid logo).
Next in the Left Nav look in the Manage section, locate “App Registrations” and click in.
Next click “New Registration”
Next, give the App a friendly name to identify it by. Often people call it “ RepairShopr” but it can be whatever you’d prefer.
Next, in the Redirect URI section, choose “Web” in the Platform drop down, and you will want to copy the Redirect URI from the SSO config page within RepairShopr and paste it into this page. Then hit Save.
Redirect URI field in RepairShopr
Congrats, you have the App created in Entra! Next, you will be brought the App’s Detail page where several strings are shown. You will want to copy the “Application (client) ID” in Entra and paste it into the RepairShopr SSO “Client ID” field.
RepairShopr Client ID Field
Now, a Secret needs to be generated. In the Entra left nav, click “Certificates & secrets” and then “New client secret”.
A side panel will pop out where you can give the Secret a friendly name that can be used to manage it as needed. We have seen people name it “RepairShopr”, but it can be any name of your choosing. In the same pop out, you can also choose a expiration for the secret key.
A set of Secret keys will be generated. Take the “Value” string and copy that into the RepairShopr SSO “Client Secret” field.
- Note: If you copy the “Secret ID” field here and paste that into RepairShopr , you will get an authorization error.
Client Secret Field in RepairShopr
One last step to go!
Next we need to get the OpenID Connect Discovery URL. In the Entra left nav, click the Overview option in the upper left. Then, click the Endpoints option in the upper nav.
A slide-out will appear and display a group of fields. You are looking for:
“OpenID Connect metadata document”
Copy the entire URL string, then head over to RepairShopr and paste it into the “OpenID Connect Discovery (Discovery Document)” field.
- Don’t worry about cleaning up the URL. We will parse out the URL string for you.
You should be all set to hit the Save & Verify SSO button in RepairShopr . Everything should check out, and you can toggle the SSO feature on and hit Save.
Disabling SSO
When a User wants to disable SSO, they can do so by heading to the Login Settings and clicking the toggle for SSO.
When SSO is disabled, we will reset the passwords of all User accounts and end existing sessions. We will send a Password reset email to all active User accounts to reset their passwords.
If, for some reason, the User does not get the email when they attempt to login the next time without resetting their password, they will be presented with a screen to complete the password reset.
Q & A
Azure SSO Config Doc: OpenID Connect (OIDC) on the Microsoft identity platform
Error: “SSO configuration contains errors. Please check and verify again.”
This error refers to the Client Secret
not being
correct. This can happen when copy/paste includes junk data from the
clipboard. We recommend going back to the idP and trying to copy/paste
once again.
Error: “OpenID Connect Discovery: is invalid”
This means that the URL for the OpenID Connect Discovery field is not correct.
Error: “Access Blocked: This app’s request is invalid”
This error typically means the callback URL that is supposed to be placed in the idP settings is missing or incorrect. We recommend copying the Redirect URL from the SSO Settings page in RepairShopr and replacing it in the idP Settings.