Skip to main content
All CollectionsForceManager AdminUsers
ForceManager Azure AD Single Sign-On (SSO) Setup Guide
ForceManager Azure AD Single Sign-On (SSO) Setup Guide

Guide on setting up Azure AD as SSO for ForceManager, using OAuth 2.0 and OpenID.

Training avatar
Written by Training
Updated over 10 months ago

Welcome to the comprehensive guide on configuring Azure AD to serve as the single sign-on (SSO) provider for ForceManager. This process leverages Azure as an OAuth 2.0 with OpenID server.

Step 1: Understanding Azure AD OAuth 2.0 and OpenID

Azure AD implements OAuth 2.0 and OpenID protocols, simplifying the secure authentication of users within your domain. For an in-depth understanding, refer to Azure's documentation on OAuth 2.0 and OpenID protocols.

Step 2: Configuring the ForceManager CRM Enterprise Application

The heart of the SSO flow lies within an enterprise application registered in Azure AD, identified by the Object ID: 4ad44451-9a99-44a1-adb7-f7a05ceef577.

This application, located under "Enterprise Applications," requests access to key security scopes (OpenId, Email, Profile, User.Read) essential for operation. Authorization can be granted by each user or by domain administrators for all or some domain users.

You can find further information with regard to the need of the security scopes and the need for them in this page https://learn.microsoft.com/en-us/azure/active-directory/develop/scopes-oidc#openid-connect-scopes

Step 3: User Email Validation

Validating the user's email is crucial, ensuring that the email used for SSO is owned by the user.

Step 4: Initial Application Access

Notably, the ForceManager CRM application will only be visible in the Enterprise applications list after a user first requests SSO access.

Should domain restrictions apply, a domain admin must initially authorize the application, accessible via this link.

Step 5: Azure AD Admin Configuration

Azure AD provides granular control over application access, allowing configuration for general access across all enterprise applications or on a per-application basis. This setup can be adjusted at Azure's user settings portal.

Granting Application Access:

General Access:

If the “Users can register applications” is set to “yes”, then an admin doesn’t need to do anything further for a given user to perform the SSO with ForceManager.

Administrator Approval:

If this is set to “No” then an administrator needs to approve the access on behalf of the users.

This access can be done in the following ways.

Grant access to all domain

An admin can log into ForceManager using the link https://be-pro.forcemanager.net/scim/ and authorize the whole domain during the authorization process.

Grant access on a per user basis or rule based

After accessing for the first time to the ForceManager CRM application, the application will appear under “Enterprise applications” under the Azure AD menu option.

Finalizing the Setup:

After searching for ForceManager CRM and selecting the app. The admin will have access to the following options:

Types of Configuration

The different ways to configure access to the application are:

Self-service configuration

Users and groups

Explicitly allow a set of users or groups

Conditional Access

Configure any kind of conditional access supported by Azure AD

Did this answer your question?