ClickHelp Documentation

Use Microsoft Azure AD as SSO Provider

Information
When using SSO, you need to create a user account in ClickHelp for each SSO user that authenticates with a 3rd-party service. This is required so that ClickHelp can apply specific permissions to the authenticated user; those permissions are configured in the ClickHelp user profile. You can use the ClickHelp REST API to bulk-create users, or to create a new ClickHelp user every time a new application user is created on your end.

The Azure SSO provider allows users to log in to a ClickHelp portal using their Azure Active Directory accounts. You can make the portal a single-tenant application and allow only users from a specific Azure AD tenant to log in, or make the portal multi-tenant and accept users from any Azure AD tenant.

Only Azure Active Directory (Work or School) accounts are supported. Microsoft (personal) accounts are not supported.

  • Open the Azure portal and go to Azure Active Directory.
     
  • Click App registrations.

  • Click the "New registration" link or the "Register an application" button.
       
  • On the Register an application screen specify the application name, desired access type (single or multitenant), application type (select Web) and the ClickHelp redirect URL. Click Register to proceed.

  • The application is added. Now, we need to get some details about it. If the application widget is not opened automatically, click the application name on the App Registrations screen.

  • Find the Application (client) ID and Directory (tenant) ID fields in the application widget. The value of the first field is the Client ID needed to set up the OpenID Connect provider in ClickHelp, and the second value is the tenant ID, which will be needed as well. Copy both values somewhere to use them later.
     
  • Click Certificates & secrets, then New client secret. Specify a name for the new client secret, select the desired duration for the secret and click Add to generate the value. Copy the generated string and save it somewhere - this is the new application’s client_secret.

Warning
Please note that this is the only time you can see the password in the Azure portal.

  • Now open the SSO Settings page in your ClickHelp portal: go to Tools > Portal Settings > Administration > Single Sign-on.

  • Populate the corresponding fields of the Azure client in ClickHelp with the values taken from Azure. For the Tenant field, use either the tenant ID or the domain name (whichever you prefer).
    If you want users from several tenants to access your ClickHelp portal, check the Multitenant box. Enable the connection and save changes.

  • Now it is possible to log in to the portal using Azure Active Directory accounts. For the portal to log the user in, the email address of the AD account should be the same as the address of the corresponding ClickHelp account.

  • When logging in to the portal with the Azure AD account for the first time, you will be prompted to accept the ClickHelp portal’s request for permissions to read the Azure AD user profile.
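
Because login depends on a ClickHelp account whose email is the same as the Azure AD account's, it helps to compare the two user lists before enabling the connection. The script below is an added example, not part of the ClickHelp documentation: the CSV column names and sample users are constructed, and it assumes the Azure AD `mail` attribute is the address being matched. It reports case-only differences separately, since the page does not say whether the comparison is case-sensitive.

```python
import csv
import io

# Constructed sample data. Column names are assumptions for this example,
# not a real Azure AD or ClickHelp export format.
AZURE_USERS = """userPrincipalName,mail
alice@contoso.example,alice@contoso.example
bob@contoso.example,Bob.Jones@contoso.example
carol@contoso.example,
dave@contoso.example,dave@contoso.example
"""
CLICKHELP_USERS = """login,email
alice,alice@contoso.example
bob,bob.jones@contoso.example
erin,erin@contoso.example
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(azure_csv, clickhelp_csv):
    """Sort Azure AD users by whether a ClickHelp account has the same email."""
    ch_exact = {r["email"].strip() for r in _rows(clickhelp_csv)}
    ch_folded = {e.lower() for e in ch_exact}
    report = {"match": [], "case_differs": [], "no_account": [], "no_mail": []}
    seen = set()
    for row in _rows(azure_csv):
        mail = (row["mail"] or "").strip()
        if not mail:
            # Without an email there is nothing to match on.
            report["no_mail"].append(row["userPrincipalName"])
            continue
        seen.add(mail.lower())
        if mail in ch_exact:
            report["match"].append(mail)
        elif mail.lower() in ch_folded:
            # Same address apart from letter case: align the two records.
            report["case_differs"].append(mail)
        else:
            # Needs a ClickHelp account before this user can log in.
            report["no_account"].append(mail)
    # ClickHelp accounts with no Azure AD counterpart in the export.
    report["clickhelp_only"] = sorted(ch_folded - seen)
    return report

if __name__ == "__main__":
    for bucket, users in audit(AZURE_USERS, CLICKHELP_USERS).items():
        print(f"{bucket}: {users}")
```

The `no_account` bucket is the list of users to create in ClickHelp; `clickhelp_only` is worth reviewing for accounts that no longer map to anyone in the directory.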