SSO with Azure

This page provides step-by-step instructions for configuring Azure Active Directory (now Microsoft Entra ID) as the single sign-on provider for xAssets. Azure AD is the most commonly used SSO provider with xAssets.

Prerequisites

• An Azure Active Directory tenant
• Azure Portal administrator access to create application registrations
• Configuration-level access to xAssets
• The SSOADMIN account created and in the Admins group (see SSO Introduction and Setup)

Step 1: Create an Application Registration in Azure

1. Sign in to the Azure Portal
2. Navigate to Azure Active Directory > App Registrations > New Registration
3. Name the application (e.g., "xAssets SSO")
4. Set the supported account type as appropriate for your organisation
5. Click Register

Note the Key Values

From the application overview page, copy the following values -- you will need them for the xAssets credential pack:

• Directory (Tenant) ID -- found on the Azure AD overview page

• Application (Client) ID -- found on the application overview page

Step 2: Configure the Application

Open the application registration and configure the following:

Create a Client Secret

1. Navigate to Certificates & Secrets > New Client Secret
2. Add a description and set an expiration period
3. Click Add
4. Copy the Value immediately -- it is only displayed once. This is the password for the credential pack.

Warning: Client secrets have expiration dates. Set a calendar reminder to renew the secret before it expires, or SSO will stop working. When renewing, create a new secret, update the xAssets credential pack, then delete the old secret.

Configure Authentication

1. Navigate to the Authentication page
2. Tick ID tokens under "Implicit grant and hybrid flows"

Grant API Permissions

1. Navigate to the API Permissions page
2. Ensure the following permissions are granted: Microsoft Graph > OpenID and User.Read

3. Click Grant admin consent if prompted

Register Redirect URIs

1. Navigate to the Authentication page
2. Under Redirect URIs, add your xAssets URL in the form:

https://mycompanyname.hosted.xassets.net/a.aspx

Make sure ID Tokens is also ticked on this screen.

Warning: The redirect URI must match your xAssets URL exactly, including the protocol (https), domain name, and path (/a.aspx). A mismatch will cause authentication to fail with a redirect error.

Step 3: Create a Credential Pack in xAssets

1. Navigate to the credentials area: click Settings (top right) > Credentials
2. Click New to create a new credential pack
3. Set the type to Single Sign On
4. Name the pack Azure (without quotes)
5. Fill in the values:

Note: Do not worry if you already have a credential pack called "Azure" for Azure VM or Entra ID data integration. The SSO pack is saved with a different internal name and will not conflict. If you need to recreate the SSO pack, it cannot be edited -- simply click "New" and create a new pack with the same name to overwrite the old one.

Step 4: Set the Authentication Type

1. Navigate to Admin > Settings
2. Set AUTHENTICATIONID to Azure AD

Azure authentication will now be invoked whenever the login page or main screen is visited without an existing valid token.

Step 5: Test the Login

1. Open a new private/incognito browser window
2. Navigate to your xAssets URL
3. You should be redirected to the Microsoft login page
4. After successful authentication, you should be returned to xAssets and logged in

If the login fails, see Troubleshooting. To log in without SSO for troubleshooting, use:

https://mycompany.hosted.xassets.net/a.aspx?logondirect=direct

Related Articles

• Azure User Groups — mapping Azure AD groups to xAssets user groups
• SSO Introduction and Setup — general SSO enablement steps
• Troubleshooting — diagnosing login failures
• Azure Direct Integration — Azure data integration (separate from SSO)