HaloITSM

HaloITSM Guides

Documentation to assist with the setup and configuration of the HaloITSM platform

Guides > Enabling Microsoft Entra and/ or CSP with Single Sign on For Agents and Users

Enabling Microsoft Entra and/ or CSP with Single Sign on For Agents and Users

Single Sign on for Microsoft Entra ID (Formerly Azure Active Directory)


Redirect URLs and Authorization

In the Authentication tab of App Registration, add valid redirect URIs. Begin by selecting "Web" as the platform, and register your Halo web application URL as the initial redirect URI. This registration allows you to include additional redirect URIs based on your specific requirements.


For integration functionality, specific redirect URIs are required:

  • User Portal Single Sign-On (SSO):
    • <Halo Web App User Portal URL>/auth/account/azureresponse
  • Agent Portal Single Sign-On (SSO):
    • <Halo Web App URL>/auth/account/azureresponse
  • User/Agent Import:
    • <Halo Web App URL>/azure/auth


Note: URLs starting with <URL>/auth assume a commonly used authorization URL. Keep in mind that this URL may vary for on-premise installations of Halo. If experiencing issues with SSO functionality, double-check and confirm the correct authorization URL, accessible in the Agent portal under Configuration > Integrations > Halo API.


Single Sign-On (SSO) Configuration

Navigate to Configuration > Integrations > Azure Active Directory, where you'll find settings related to the tenant/application type for Single Sign-On (SSO). You can either edit the default connection or create a new one. If creating a new connection, select "New" and give it a unique name. In the details tab, choose the tenant type configured in Azure. For multi-tenanted apps in Single Sign-On, add the Azure tenant ID for each tenant you want to access the app. Enter credentials for the App Registration used in this connection. Key configurations to note:

  • The "Published" checkbox activates SSO entirely. Enable this to use SSO once configuration is complete.
  • The "Allow Single Sign-On for Agents and/or Users" dropdown lets you specify which Halo members can use SSO.
  • The "Automatically redirect Agents and Users to Azure without showing the HaloITSM login screen." checkbox forces agents and users to use SSO instead of their Halo credentials.

NB: If you are connecting Azure Active Directory for just your organization meaning the "Tenant/Application Type is Single Tenant (HaloITSM in most cases). Then you will be setting up a single tenancy app registration on azure. If you are connecting Azure Active Directory for multiple organizations (mainly used by HaloPSA customers if they are not connecting with CSP. CSP is recommended for syncing customer information to Halo as an MSP - CSP Guide) you should be using a multi tenancy app registration.




Single Sign on for Microsoft CSP Tenants


After Setting up the Microsoft CSP Integration, the user portal in Halo can be set up to enable single sign on for the users in your partner centre.


To begin this set up, we must first enable the Microsoft Entra ID integration module in Halo (If not already being used to sync over agent information):


Next, navigate to the Single Sign On tab found within the Microsoft Entra ID module:


The multi tenant credentials to enter, will be the same credentials used for your multi tenant app registration used for the CSP integration. 


The Redirect URI's to add into the Azure multi tenant app registration are:

  • For SSO on the Agent Application you require: https://{YOUR HALO DOMAIN}/auth/account/azureresponse
  • For SSO on the User Portal you require: https://{YOUR HALO DOMAIN}/portal/auth/account/azureresponse (if the portal is the same URL as the Agent App
  • For SSO on the User Portal you require: https://{YOUR HALO PORTAL DOMAIN}/portal/auth/account/azureresponse (if the portal is a different URL from the Agent App)


Set the Sign-In Scope to:


Now within the tenants tab of the CSP integration module, enable the following setting:


The next few settings should be set the following way, with the last thing being publishing the application. SSO can be enabled for Users, Agents or Agents & Users, this is chosen on the below single select field shown:

Popular Guides

Pin It on Pinterest