Single Sign-On (Microsoft Entra ID)
Overview
DigiUsher supports Single Sign-On (SSO) via Microsoft Entra ID using OpenID Connect. To enable it, you register an application in Entra ID and return three values to DigiUsher: the Application (client) ID, the Directory (tenant) ID, and a client secret.
SSO is optional. Customers who prefer not to use it can continue with native DigiUsher login.
Prerequisites
An account that can register applications in Microsoft Entra ID — and, if your tenant requires it, the ability to grant admin consent. See the Admin consent note below.
Manual Setup
Register a new application
- Go to Microsoft Entra ID → App registrations → New registration
- Configure:
- Name:
DigiUsher(or any name your team will recognize) - Supported account types: "Accounts in this organizational directory only"
- Redirect URI → Platform: Web
- Redirect URI → Value (templated):
- Name:
https://<your-digiusher-auth-domain>/realms/DigiUsher/broker/<your-broker-id>/endpoint- Click Register
DigiUsher provides your exact redirect URI
The redirect URI is specific to your account — it varies by region and instance, and regional deployments use a regional auth domain. DigiUsher provides your exact redirect URI during onboarding; use that value in place of the templated placeholder above.
Confirm the platform is Web (not SPA)
Azure sometimes defaults the redirect URI to a Single-page application platform. DigiUsher requires Web.
- Open the Authentication blade
- If it shows a Single-page application platform, remove it
- Add a platform → Web, and enter the redirect URI from Step 1
Add Microsoft Graph permissions
- Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions
- Add:
email,openid,profile,User.Read - If your tenant requires admin consent, click Grant admin consent for <your directory>
Create a client secret
- Go to Certificates & secrets → New client secret
- Copy the secret's Value immediately — it is shown only once
Copy the Value, not the Secret ID
The Value cannot be retrieved after you leave the page; if you lose it, create a new secret.
Send the details to DigiUsher
Provide the following three values to DigiUsher:
- Application (client) ID
- Directory (tenant) ID
- Client secret
Share the secret securely
Don't send the client secret over plain email. Instead, use a one-time secret service such as Onetimesecret to generate a self-destructing link, and share that link with DigiUsher.
What to Send DigiUsher
| Field | Where to Find |
|---|---|
| Application (client) ID | App registration → Overview |
| Directory (tenant) ID | App registration → Overview |
| Client Secret | The Value copied in Create a client secret |
Admin consent
Restricted tenants
In tenants where user consent is restricted (common in regulated environments), users may see a "Need admin approval" prompt on first sign-in. An Entra admin needs to grant admin consent once for the app — via Enterprise applications → DigiUsher → Permissions → Grant admin consent.
The app only requests sign-in and basic profile read (email, openid, profile, User.Read); it has no write access.
Need Help?
If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.
DigiUsher Documentation