Enabling single sign-on with Microsoft Entra ID via OIDC

Roles and permissions

Only administrators can enable SSO for the organization

Note

Microsoft has renamed Azure AD to Microsoft Entra ID.

Hyperproof supports single sign-on (SSO) with Microsoft Entra ID via OpenID Connect (OIDC). Once SSO is enabled for your organization, Hyperproof users will be able to log in with their Microsoft Entra ID credentials using a custom URL that is specific to your organization.

If your organization is in Hyperproof US, an example of a custom URL is: https://luna.hyperproof.app
If your organization is in Hyperproof EU, an example of a custom URL is: https://luna.hyperproof.eu

The first step towards enabling SSO in your organization is to add Hyperproof to your Microsoft Entra tenant. You’ll need a subdomain provisioned by Hyperproof Support. To get your subdomain, create a support request asking for SSO setup.

Note

If the domain is a .com address, the subdomain is set as the domain without the .com suffix.

If the domain is not a .com address, the subdomain is set as the domain name without the period.

Examples

Domain name	Subdomain
http://acme.com	acme
http://lunabtechnologies.com	lunabtechnologies
http://techstartup.io	techstartupio
http://whitehouse.gov	whitehousegov

Note

If you have SSO enabled and you invite someone to your organization whose email address is not part of your SSO domain, such as external auditors or contractors, they can't log into Hyperproof via the custom URL provided for SSO. These users must log in using the default URL for your Hyperproof instance. Default Hyperproof URLs include:

Hyperproof US: https://hyperproof.app/
Hyperproof EU: https://hyperproof.eu/
Hyperproof Gov: http://hyperproofgov.app/

Log in to the Microsoft Entra ID portal as an Administrator.
Enter App registrations in the search bar at the top of the page.
Click + New registration.
Specify the following settings for the new application.
Name - Enter a display name for this application.
Supported account types - Select Accounts in this organizational directory only (Default Directory only - Single tenant).
Redirect URI - Select Web from the drop-down and enter the following:
For Hyperproof US the URI is:
```
https://signin.hyperproof.app/login/callback
```
For Hyperproof EU the URI is:
```
https://signin.hyperproof.eu/login/callback
```
Click Register.
Copy the Application (client) ID value and save it for later.
Click Endpoints.
Copy the OpenID Connect metadata document value and save it for later.
From the left menu, select Branding > properties.
In the Upload new logo field, upload the Hyperproof logo file. Click here to download the file
In the Home page URL field, enter your organization's Hyperproof URL, e.g. https://luna.hyperproof.app/signin for Hyperproof US, htttps://luna.hyperproof.eu/signin for Hyperproof EU.
Note
Steps 11 - 13 are required for the IdP-initiated sign-in to work.
In the Terms of service URL field, enter https://hyperproof.io/terms-of-use/.
In the Privacy statement URL field, enter https://hyperproof.io/privacy-policy/.
Click Save.
From the left menu, select Certificates and secrets.
Click + New client secret.
Enter a description for secret, e.g. Hyperproof secret.
From the Expires drop-down menu, select a value.
Click Add.
Copy the new secret's value and save it for later.
Note
Do not skip this step! You can only view the value once.
From the left menu, select Token configuration.
Click + Add Optional Claim.
Select the ID radio button, and then select the email, family_name, and given_name checkboxes.
Click Add.
You’ll be prompted to add permissions for Microsoft Graph. Select the checkbox, and then click Add.
Enter Enterprise applications in the search bar at the top of the page.
Select the app you just created.
From the left menu, select Properties.
Toggle on Visible to users?. Note that if this option isn't toggled on, users won't be able to see the Hyperproof tile in their SSO application menu.

Note

Make sure you have collected the following before proceeding to the next step:

Application (client) ID
OpenID Connect metadata document value
Client secret value

Once the Hyperproof application has been configured in Microsoft Entra, you’ll need to add the client ID, client secret, and metadata document URL to the SSO configuration of your Hyperproof organization.

Log in to Hyperproof as an Administrator.
From the left menu, select Settings and then select Authentication.
Note
The Authentication tab is not visible until SSO is turned on for your organization. If SSO has been turned on and you don’t see the tab, log out of Hyperproof and then log back in again. If the option is still not visible, please create a support request.
Toggle on Single Sign On (SSO).
The Authentication window opens.
From the Identity Provider drop-down menu, select Microsoft Entra ID via OIDC.
In the Client Secret field, paste the client secret value you copied in Step 20 above.
In the Metadata Document URL field, paste the metadata document URL you copied in Step 8 above.
Click Save.

You’ll be able to log in to Hyperproof using your Microsoft Entra credentials after SSO is fully configured for your Hyperproof organization.

At this point, you’ll have the option to make SSO required. If required, users without a company email address can still log in via Google, Office 365, or email/password. Refer to Requiring SSO for login for more information.

Using your previous credentials, e.g. Google, Office 365, or email/password, log in to Hyperproof.
From the left menu, select Settings and then select Authentication.
At the top of the screen you will see your organization’s SSO URL. This is the URL that your organization's Hyperproof users will use to log in to Hyperproof.
Copy the SSO URL to the clipboard.
Log out of Hyperproof by clicking your user icon in the upper-right corner, and then clicking Sign Out.
Paste the SSO URL into a new browser tab and then press Enter.
You’re redirected to Microsoft Entra ID where you can log in with your Microsoft Entra credentials. Once you’ve provided your Microsoft Entra credentials, you’ll be logged into Hyperproof automatically. If not, review the steps in the Step One: Creating an app registration in Microsoft Entra ID section above.
If you were able to log in to Hyperproof successfully using SSO, you are ready to share the SSO URL with the other Hyperproof users in your organization.

Expired client secret

Over time your client secret may expire, preventing users in your organization from logging into Hyperproof. If users can't log in due to an expired client secret, create a new secret in Azure and ask a Hyperproof organization administrator to update that secret in Hyperproof.

In this section:

Enabling single sign-on with Microsoft Entra ID via OIDC

Roles and permissions

Note

Note

Note

Note

Note

Note

Note

Expired client secret

Search results