Single Sign-On

Single Sign-On (Microsoft Entra ID)

Overview

DigiUsher supports Single Sign-On (SSO) via Microsoft Entra ID using OpenID Connect. To enable it, you register an application in Entra ID and return three values to DigiUsher: the Application (client) ID, the Directory (tenant) ID, and a client secret.

SSO is optional. Customers who prefer not to use it can continue with native DigiUsher login.


Prerequisites

An account that can register applications in Microsoft Entra ID — and, if your tenant requires it, the ability to grant admin consent. See the Admin consent note below.


Manual Setup

Register a new application

  1. Go to Microsoft Entra ID → App registrations → New registration
  2. Configure:
    • Name: DigiUsher (or any name your team will recognize)
    • Supported account types: "Accounts in this organizational directory only"
    • Redirect URI → Platform: Web
    • Redirect URI → Value (templated):
https://<your-digiusher-auth-domain>/realms/DigiUsher/broker/<your-broker-id>/endpoint
  1. Click Register

DigiUsher provides your exact redirect URI

The redirect URI is specific to your account — it varies by region and instance, and regional deployments use a regional auth domain. DigiUsher provides your exact redirect URI during onboarding; use that value in place of the templated placeholder above.

Confirm the platform is Web (not SPA)

Azure sometimes defaults the redirect URI to a Single-page application platform. DigiUsher requires Web.

  1. Open the Authentication blade
  2. If it shows a Single-page application platform, remove it
  3. Add a platform → Web, and enter the redirect URI from Step 1

Add Microsoft Graph permissions

  1. Go to API permissions → Add a permission → Microsoft Graph → Delegated permissions
  2. Add: email, openid, profile, User.Read
  3. If your tenant requires admin consent, click Grant admin consent for <your directory>

Create a client secret

  1. Go to Certificates & secrets → New client secret
  2. Copy the secret's Value immediately — it is shown only once

Copy the Value, not the Secret ID

The Value cannot be retrieved after you leave the page; if you lose it, create a new secret.

Collect the IDs

From the Overview page, note the:

  • Application (client) ID
  • Directory (tenant) ID

Send the details to DigiUsher

Provide the following three values to DigiUsher:

  • Application (client) ID
  • Directory (tenant) ID
  • Client secret

Share the secret securely

Don't send the client secret over plain email. Instead, use a one-time secret service such as Onetimesecret to generate a self-destructing link, and share that link with DigiUsher.


What to Send DigiUsher

FieldWhere to Find
Application (client) IDApp registration → Overview
Directory (tenant) IDApp registration → Overview
Client SecretThe Value copied in Create a client secret

Restricted tenants

In tenants where user consent is restricted (common in regulated environments), users may see a "Need admin approval" prompt on first sign-in. An Entra admin needs to grant admin consent once for the app — via Enterprise applications → DigiUsher → Permissions → Grant admin consent.

The app only requests sign-in and basic profile read (email, openid, profile, User.Read); it has no write access.


Need Help?

If you encounter any issues not covered above, contact DigiUsher support at support@digiusher.com and the team will help you get set up.