Invitations and Single Sign-On

In an organization where SSO has been configured, invitations sent to domain users behave differently based on whether the organization has SSO Required set or not.

SSO Required is not set

When SSO is not required, the invitation that a domain user receives contains a link that always directs them to the standard Hyperproof sign-in page, i.e. there is no redirect to the configured identity provider. The user may log in with any of the options presented there (e.g. Google or Office 365) and as long as the email address they use to log in matches the email address in the invitation, they will be able to accept the invitation and join the organization.

Subsequently, the user may choose to log out of Hyperproof and log in using the SSO URL (e.g. https://contoso.hyperproof.app), or log in directly from the identity provider’s portal, if the identity provider offers that option. As long as the email address associated with the user in the identity provider is the same as the email address that was used when they accepted the invitation, they will be allowed to log in to Hyperproof and will be properly recognized as the same user.

SSO Required is set

When SSO is required, the invitation sent to a domain user contains a link that takes them to Hyperproof as expected. Hyperproof will then recognize that they are required to log in via SSO (because their email address matches the SSO domain) and they will be redirected to the configured identity provider so that they can log in via SSO. Once they have logged in via SSO, they will be able to accept the invitation as long as the email address associated with the user in the identity provider matches the email address in the invitation.

Invitations to other users

Invitations sent to users who do not have an email address matching the assigned SSO domain always direct the user to the standard Hyperproof sign-in page.

For organizations that leverage Microsoft Entra ID, Hyperproof supports SSO using the OpenID Connect (OIDC) protocol.

Once via Microsoft Entra ID OIDC is configured in the Hyperproof organization, domain users will be able to sign in using SSO. And, as with other identity providers, the invitation behaviors described in the above section apply. In an organization configured for SSO with Microsoft Entra ID, if SSO Required is not set, invited users are taken to the standard Hyperproof sign in page where they can choose a sign in option. Given that Microsoft Entra ID is the identity provider, many users might choose Hyperproof's built-in Office365 option since signing in with Office365 uses the same identity information.

It’s worth noting that signing in with Office365 may look and feel like signing in with SSO using Microsoft Entra ID via OIDC, but the two sign-in mechanisms are distinct. Because they are distinct, i.e. they are different apps in Microsoft Entra ID, a Directory user might be enabled for one option but not the other.

For example, you might have configured SSO with Microsoft Entra ID and made it possible for some or all of your Directory users to leverage that integration to log in to Hyperproof. However, if you don’t have SSO Required set, and if you have not granted these users the ability to consent to applications that access corporate data (see below), they may not be able to log in via the Office365 option since it requires consent. If the user is not able to log in, they will be unable to accept the invitation and join the Hyperproof organization.

Similarly, the Microsoft Entra ID users in an organization may be granted the ability to consent to applications that access corporate data, but they may not be a member of the Hyperproof Enterprise Application which is used during SSO. In this case, the user would be able to accept the invitation (because they were able to log in using the Office365 option) but they will not be able to log in via SSO.

Controlling user consent (signing in with Office365)

The user content settings in Microsoft Entra ID can be found in the Microsoft Entra ID portal under Enterprise Applications > Consent > Applications.

These options control whether or not users can connect to apps like Hyperproof that request access to your organization’s data. For more information on user and admin consent in Microsoft Entra ID, refer to this Microsoft article.

Controlling SSO access (signing in using Microsoft Entra ID SSO)

To control which of your Microsoft Entra ID users have permission to log into Hyperproof using SSO, you can use the Enterprise Application settings for the Hyperproof SSO application in Microsoft Entra ID.

In the Microsoft Entra ID portal, navigate to Enterprise Applications and then find the Hyperproof application that corresponds with the app registration you created when you configured SSO. See Enabling Single Sign On with Microsoft Entra ID via OIDC. On the Properties tab of this application, there is an Assignment required option that controls whether or not users have to be explicitly added to the application to be able to use it.

If you set Assignment required to Yes, you can use the Users and Groups tab on the same page to add users to the application.