Complete SSO Setup Guide

This guide will walk you through setting up Single Sign-On (SSO) for your organization, even if you've never configured SSO before.

What is SSO?

Single Sign-On (SSO) allows your users to log in to Axiomly using their existing company credentials (like their Microsoft, Google, or Okta account) instead of creating a separate username and password.

Benefits of SSO:
  • ✅ Easier for users - One password for all company apps
  • ✅ More secure - Centralized password policies and MFA
  • ✅ Automatic provisioning - Users are created automatically on first login
  • ✅ Better control - Disable access from one central location

Before You Begin

What You'll Need:
  1. Admin access to your identity provider (Microsoft, Google, Okta, etc.)
  2. Tenant Admin role in Axiomly
  3. 30-60 minutes to complete the setup
  4. A test user account to verify the configuration

Important Information to Have Ready:
  • Your organization's domain name (e.g., company.com)
  • Access to your identity provider's admin portal
  • Ability to create new applications/registrations

Microsoft Entra ID Setup

Microsoft Entra ID (formerly Azure Active Directory) is Microsoft's cloud-based identity service.

Step 1: Register Axiomly in Azure Portal

  1. Go to Azure Portal
  2. Open Microsoft Entra ID
    • In the left menu, click "Microsoft Entra ID" (or search for it)
    • If you don't see it, click "All services" and search for "Microsoft Entra ID"
  3. Register a New Application
    • Click "App registrations" in the left menu
    • Click "+ New registration" at the top
    • Fill in the form:
      • Name: Axiomly AI Governance (or your preferred name)
      • Supported account types: Select "Accounts in this organizational directory only"
      • Redirect URI: Select "Web" and enter: https://www.axiomly.ai/signin-oidc
    • Click "Register"
  4. Copy Important Information
    • You'll see the "Overview" page
    • Copy and save these values:
      • Application (client) ID
      • Directory (tenant) ID

Step 2: Create a Client Secret

  1. Navigate to "Certificates & secrets" in the left menu
  2. Click "+ New client secret"
  3. Add description: Axiomly SSO Secret
  4. Choose expiration: 24 months (recommended)
  5. Click "Add"
  6. IMPORTANT: Copy the secret Value immediately - you won't be able to see it again!

Step 3: Configure API Permissions

  1. Click "API permissions" in the left menu
  2. Click "+ Add a permission"
  3. Select "Microsoft Graph" → "Delegated permissions"
  4. Add these permissions: openid, profile, email, User.Read
  5. Click "Grant admin consent for [Your Organization]"
  6. Click "Yes" to confirm

Step 4: Configure Axiomly

  1. Log in to Axiomly as a Tenant Admin
  2. Navigate to: Tenant Admin → SSO Configuration
  3. Click "Configure SSO" and select "Microsoft Entra ID"
  4. Fill in the configuration form with the values from previous steps
  5. Click "Save Configuration"

Step 5: Test the Configuration

  1. Log out of Axiomly
  2. On the login page, click "Sign in with Microsoft"
  3. Sign in with a test user account
  4. Verify you're redirected back to Axiomly and logged in
  5. Check that the user was automatically created in Tenant Admin → Users

Google Workspace Setup

Google Workspace (formerly G Suite) is Google's cloud-based productivity suite.

Step 1: Create OAuth 2.0 Credentials

  1. Go to Google Cloud Console
  2. Create or select a project named Axiomly SSO
  3. Enable Google+ API from "APIs & Services" → "Library"
  4. Configure OAuth consent screen:
    • Select "Internal" (for Google Workspace users only)
    • App name: Axiomly AI Governance
    • Add scopes: openid, profile, email
  5. Create OAuth Client ID:
    • Application type: "Web application"
    • Name: Axiomly SSO Client
    • Authorized redirect URI: https://www.axiomly.ai/signin-google
  6. Copy the Client ID and Client Secret

Step 2: Configure Axiomly

  1. Navigate to: Tenant Admin → SSO Configuration
  2. Select "Google Workspace"
  3. Enter Client ID, Client Secret, and your company domain
  4. Save configuration

Step 3: Test

  1. Log out and click "Sign in with Google"
  2. Sign in with a test Google Workspace account
  3. Verify login and user creation

Okta Setup

Okta is a popular enterprise identity management platform.

Step 1: Create an Okta Application

  1. Log in to Okta Admin Console: https://your-company.okta.com/admin
  2. Click "Applications" → "Create App Integration"
  3. Select: OIDC - OpenID Connect, Web Application
  4. Configure:
    • App name: Axiomly AI Governance
    • Grant type: Authorization Code
    • Sign-in redirect URI: https://www.axiomly.ai/signin-oidc
    • Sign-out redirect URI: https://www.axiomly.ai/signout-callback-oidc
  5. Copy Client ID and Client Secret

Step 2: Configure Axiomly

  1. Navigate to: Tenant Admin → SSO Configuration
  2. Select "Okta"
  3. Enter Okta domain, Client ID, and Client Secret
  4. Save configuration

Step 3: Assign Users

  1. In Okta Admin, go to your Axiomly application
  2. Click "Assignments" tab
  3. Assign users or groups who should have access

SAML 2.0 Setup

SAML 2.0 is a generic protocol supported by many identity providers.

Step 1: Get Axiomly Service Provider Information

  • Entity ID: https://your-axiomly-domain.com
  • ACS URL: https://your-axiomly-domain.com/saml/acs
  • Single Logout URL: https://your-axiomly-domain.com/saml/logout

Step 2: Configure Your Identity Provider

  1. Create a new SAML 2.0 application in your IdP
  2. Configure SAML settings with the URLs above
  3. Set Name ID Format to "Email Address"
  4. Map attributes: email, firstName, lastName
  5. Download metadata XML or copy SSO URL and certificate

Step 3: Configure Axiomly

  1. Navigate to: Tenant Admin → SSO Configuration
  2. Select "SAML 2.0"
  3. Enter Entity ID, SSO Endpoint, and Certificate
  4. Save configuration

Testing Your Configuration

Pre-Flight Checklist
  • ☐ Configuration saved successfully in Axiomly
  • ☐ Application/registration created in identity provider
  • ☐ Redirect URLs configured correctly
  • ☐ Client credentials copied accurately
  • ☐ Permissions/scopes granted
  • ☐ Test user account available

Testing Steps
  1. Test with a test account first (not your admin account)
  2. Clear browser cache or use incognito/private window
  3. Go to Axiomly login page and click the SSO button
  4. Sign in with test credentials at your identity provider
  5. Verify you're redirected back to Axiomly
  6. Check that user was created automatically in Tenant Admin → Users

What Success Looks Like
  • ✅ User is redirected to identity provider
  • ✅ User can sign in with company credentials
  • ✅ User is redirected back to Axiomly
  • ✅ User account is created automatically
  • ✅ User can access Axiomly features
  • ✅ User information (name, email) is correct

Troubleshooting

Cause: The redirect URL in your identity provider doesn't match Axiomly's URL.

Solution:

  1. Check the redirect URL in your identity provider
  2. Ensure it exactly matches (check for typos, extra slashes, http vs https)
  3. Save changes and wait a few minutes for propagation

Cause: The client secret was copied incorrectly or has expired.

Solution:

  1. Go back to your identity provider
  2. Generate a new client secret
  3. Copy it carefully (no extra spaces)
  4. Update it in Axiomly SSO configuration

Cause: Missing permissions or incorrect attribute mapping.

Solution:

  1. Check that email, profile, and openid scopes are granted
  2. Verify admin consent was granted (for Microsoft)
  3. Check that the identity provider is sending email address
  4. Review Axiomly audit logs for error messages

Cause: User doesn't have permission in the identity provider.

Solution:

  1. Check user assignments in your identity provider
  2. For Okta: Assign user to the Axiomly application
  3. For Google: Verify user is in your Google Workspace
  4. For Microsoft: Check conditional access policies

Getting Help

If you're still having issues:

  1. Check Tenant Admin → Audit Logs for SSO-related errors
  2. Review identity provider logs for failed authentication attempts
  3. Contact support with error messages and steps you've tried

Security Best Practices

Do's ✅
  • Use strong client secrets (auto-generated)
  • Rotate secrets regularly (every 12-24 months)
  • Restrict access to specific domains/groups
  • Enable MFA in your identity provider
  • Monitor audit logs regularly
  • Test in staging first
  • Document your configuration

Don'ts ❌
  • Share client secrets via email or chat
  • Use same secret across multiple apps
  • Allow public access to SSO application
  • Skip testing before rollout
  • Forget to grant admin consent (Microsoft)
  • Use expired certificates (SAML)

Next Steps After Setup

  1. Communicate to Users - Send email announcing SSO availability
  2. Monitor Usage - Check audit logs for login activity
  3. Plan for Maintenance - Set reminders for secret rotation
  4. Consider Advanced Features - Group-based access, conditional policies

Glossary

SSO
Single Sign-On - Authentication method allowing one set of credentials across multiple applications
Identity Provider (IdP)
Service that manages user identities (Microsoft, Google, Okta, etc.)
Service Provider (SP)
Application using SSO (Axiomly in this case)
OAuth 2.0
Authorization protocol used by Microsoft, Google, Okta
SAML 2.0
XML-based authentication protocol
Client ID
Public identifier for your application
Client Secret
Private key for your application (keep secure!)
Redirect URI
URL where users return after authentication

Need More Help?