SuperOps lets you enable secure login for requesters through Single Sign-On (SSO) using Azure Active Directory (Azure AD). You can configure SSO either globally (for all requesters) or at a client-specific level.
Setting Up Global SSO with Azure AD
To set up SSO for Requester login with Azure AD and SuperOps, please follow the steps below.
📝Note: Separate SSO applications should be created in Azure AD for Technicians and Requesters. Refer to this article for detailed instructions on setting up SSO for Technician logins with Azure AD.
1. Login to your Azure AD instance.
2. Choose the Enterprise Application option from the navigation menu on the left.
3. Click on "+ New application".
4. Since we are yet to be listed in AD's marketplace, click "+ Create your own application".
5. Give it a name and choose the option "Integrate any other application you don't find in the gallery (Non-gallery)".
6. Here, assign users who must have access to SuperOps.
7. Now choose "Set up single sign-on" and select SAML.
📝 Note: If you configure a CNAME after setting up SSO, make sure you update the corresponding Azure settings as well.
8. In the Basic SAML Configuration, fill in the following:
Identifier (Entity ID):
https://clientuser.superops.ai
(Mark this as default and delete any other default entries)
Reply URL:
Copy this from your SuperOps account:
Settings > Requester Login > SSO > Consumer Service URL
9. Next, edit the user attributes so that Azure AD passes the values below; SuperOps needs them to allow login requests coming in from Azure AD.
Click Edit -> Add new claim, and add the records below (given as name - source attribute pairs):
-> email - user.mail
-> firstname - {placeholder used for first name in your instance}
-> lastname - {placeholder used for last name in your instance}
⚠️ These attributes are case-sensitive. Use the exact values as mentioned above to avoid login issues.
10. To add the certificate under SuperOps, download the Base64 certificate available under section "3. SAML Signing Certificate" and open it in Notepad.
11. Copy the entire certificate text.
In SuperOps, go to:
Settings > Requester Login > SSO Protected > Global SSO > Certificate
Paste the certificate here.
In Azure, locate the Login URL under Section 4.
Paste it in SuperOps under:
Settings > Requester Login > SSO Protected > Global SSO > Login URL.
12. That’s it! Your global SSO setup is now complete. 🎉
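If requester logins fail after setup, the case-sensitive claim names from step 9 are worth checking first. The script below is an added example, not SuperOps or Microsoft code: it decodes a Base64 SAMLResponse captured from your own test login (HTTP-POST binding) and reports whether email, firstname and lastname appear exactly as required. It assumes SuperOps matches on the assertion's Attribute Name; the sample response is constructed, and no signature is verified.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "firstname", "lastname")  # exact claim names from step 9

def check_claims(saml_response_b64):
    """Return {required_name: status} for a Base64-encoded SAMLResponse.

    Only inspect responses captured from your own tenant; this is a
    debugging aid and performs no signature validation.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    names = [a.get("Name", "") for a in root.iterfind(".//saml:Attribute", SAML_NS)]
    report = {}
    for want in REQUIRED:
        if want in names:
            report[want] = "ok"
            continue
        # Near misses: wrong letter case, or a URI-prefixed claim name
        # whose last path segment is the wanted name.
        near = [n for n in names
                if n.lower() == want or n.lower().rsplit("/", 1)[-1] == want]
        report[want] = f"mismatch: found {near[0]!r}" if near else "missing"
    return report

# Constructed sample: one correct claim, one wrong-case claim, and no lastname.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://example.com/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for name, status in check_claims(SAMPLE_B64).items():
        print(f"{name:10} {status}")
```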
Setting Up Client-Level SSO
If you want to enable SSO for specific clients (instead of globally), follow the same steps as above with one key difference:
1. Generate a Client-Specific Entity ID and Service URL
Navigate to:
Settings > Requester Login > SSO Protected > Client SSO
Click + Configuration
Generate a new client-specific Entity ID
Copy the generated:
Entity ID
Consumer Service URL
Back in Azure:
Use the Client-specific Entity ID and Service URL during the Basic SAML configuration.
Proceed with the remaining Azure steps (attribute setup, certificate download, login URL copy), just like in the Global SSO section.
In SuperOps:
Give your SSO configuration a name.
Select the client(s) to associate with this configuration.
Paste the Login URL and Certificate from Azure.
⚠️ Note: You can set up only one SSO configuration per client.
If you want to move a client to a different configuration, you must first remove them from the existing one or disable that configuration. Only then can the client be added to a new SSO setup.
💡Things to Keep in Mind
Switching between login methods:
If Global SSO is enabled, you cannot switch to Client SSO or Password Protected without first disabling Global SSO.
If you’re using Client SSO, you can switch to Password Protected directly.
Moving from Client SSO to Global SSO:
You must first delete all existing client SSO configurations before enabling Global SSO.
Azure credentials are not reusable across Global and Client SSO:
If you're switching from Global SSO to Client SSO, you cannot reuse the same Azure IDP login URL and certificate.
You’ll need to generate a fresh login URL and certificate for each new client SSO configuration.