
HaloITSM Guides
Documentation to assist with the setup and configuration of the HaloITSM platform
Microsoft Entra ID: Single Sign On (B2B)
In this guide we will cover:
- SSO for Entra ID
- SSO for CSP
- Remembering Agent/User Logins
- Bypass 2FA with SSO
Related Guides:
- Microsoft CSP Integration
- Microsoft Entra Integration (Formerly: Azure Active Directory)
- Single Sign-On (B2C)
What is B2B Single Sign-On (SSO)?
Single Sign-On via a B2B connection allows your agents and users to sign in to Halo using their Entra-managed Microsoft credentials, giving you secure, centralised access management for Halo based on existing identities.
Who can use B2B SSO?
B2B SSO is appropriate when all users who need to log in to Halo already exist in one or more Microsoft Entra tenants. This model is commonly used by organisations running HaloPSA or HaloITSM, where internal staff and/or managed client users are already provisioned within an Entra ID tenant.
If you would like anyone to be able to log in and sign up to your Halo portal using various authentication sources including personal Microsoft accounts, you will need to use B2C SSO. This is typically used by organisations using HaloCRM.
Prerequisites
While not explicitly required, we recommend that the following are configured before SSO if they are relevant to you:
Configuration Options
You will need to configure an App Registration within your own Azure tenant. Before you do, you need to consider the following points.
Single or Multi Tenant Configuration:
The Halo SSO application can be single or multi tenant.
Single tenant only allows Entra users who are members of the same tenant as the one where the app registration is configured to sign in. Multi-tenant applications allow Entra users from multiple tenants to sign in (restrictions on which tenants are permitted can be configured in Halo).
Our HaloITSM clients, which typically have only one Azure tenant, will generally use a single-tenant application.
Our HaloPSA clients who wish their managed users to be able to use SSO, along with HaloITSM clients with more than one tenant, should configure a multi-tenant application.
Redirect URLs and Authorization
In the Authentication tab of the App Registration, you will need to add valid redirect URIs. Whether you intend to allow Agents, Users or both to use SSO determines which Redirect URI(s) must be registered.
The format for the Agent and User Redirect URIs is as follows:
- Agent Portal Single Sign-On (SSO):
- <Halo Web App URL>/auth/account/azureresponse
- User Portal Single Sign-On (SSO):
- <Halo Web App User Portal URL>/auth/account/azureresponse
App Registration Configuration
Once you have decided on the application type and which redirect URIs you require, follow these steps to configure the app registration in your Entra ID tenant.
Open the Entra Admin Center (or similar) and navigate to the App Registration section. Click "New Registration".
Fig 1. App registration creation screen
On the registration screen you will want to fill out:
Name: Be aware this could be visible to end-users, so choose a sensible name.
Supported Account Type: Single or Multi depending upon your organisation's requirements
Redirect URI: Insert the Redirect URI you need, if using one (if you need both, the steps to add the other are shown below)
Fig 2. App registration registration screen
Click "Register". Once registered, copy the "Application (client) ID" and "Directory (tenant) ID" from the Overview tab and store them safely, as these will be needed later.
Fig 3. App registration overview
Navigate to the 'API permissions' tab and remove the default 'User.Read' permission.
Fig 4. App registration default API permissions
Click 'Add a permission', choose 'Microsoft Graph' and choose openid as your permission. If the permissions on the integration's configuration page and the guide differ, use what the integration page in Halo gives and report this difference to our support team.
Fig 5. App registration configured API permissions
Now navigate to the 'Authentication' tab and, if needed, insert the second redirect URI into the box entitled 'Web' at the top. Then enable 'ID tokens' under 'Implicit grant and hybrid flows'.
Fig 6. App registration authentication configuration
Halo Configuration
Once the App Registration is successfully configured, navigate to Configuration > Integrations > Entra ID > Single Sign On, where you'll find settings related to the tenant/application type for Single Sign-On (SSO).
Fig 7. SSO blank configuration screen
The configuration options are as follows:
- Tenant/Application Type - Allows you to choose between single or multi tenanted configuration as discussed in 'Configuration Options'
- Azure Tenant ID - Enter the Tenant ID you copied from the App Registration configuration
- Azure Application ID - Enter the Application ID you copied from the App Registration configuration
- Federated Domain - This can be used if Azure authentication requests in your tenant are forwarded to an ADFS server to streamline the SSO procedure in Halo. You will need to enter the fully qualified domain name for your ADFS server in the field here.
- Azure Tenant Sign-In Scope - Only required if your application is multi-tenanted. This determines which users can sign in with SSO. We recommend setting this to ‘allow users from a restricted list’ as this is more secure. When this option is selected, you will need to enter the tenant IDs of the tenants that are allowed to use SSO. Only users/agents in these tenants will then be able to use SSO. The CSP integration can automate this for your managed clients. The other option is to allow all Azure tenants without listing the tenants allowed.
- Graph Endpoint - Choose which Graph endpoint you are using; the default will be correct for the vast majority of clients
- Published - This checkbox activates SSO. Enable this once configuration is complete.
- Allow Single Sign-On for Agents and/or Users - Determines who can use SSO: agents and/or users.
- Automatically create unmatched users that login with Azure AD but aren't present in Halo - When this is enabled, new users can be created using SSO. If a user logs into the Halo portal with an account that does not currently exist as a user account in Halo, a new Halo user account will be made for them.
- Automatically redirect Agents to Azure without showing the Halo login screen - Agents will not see the Halo login screen when accessing the Halo agent app; they will automatically be redirected to the Microsoft login.
- Recommended if you want to enforce Entra SSO sign-in and use no other identity provider for agents
- Automatically redirect Users to Azure without showing the Halo login screen - Users will not see the Halo login screen when accessing the Halo portal; they will automatically be redirected to the Microsoft login.
- Recommended if you would like to enforce Entra SSO sign-in and use no other identity provider for users. You can enforce this on a client-by-client basis by enabling the following setting on the client's profile under Settings tab > Self Service Portal
Fig 3. Redirect when logging in with Halo credentials.
- Use the unique identifier of the Agent/User for single sign-on instead of their email address - Agents and users will only be able to log in using their unique identifier instead of their email. This will only work for agents/users that have been imported from Entra or CSP, as the import is required to obtain their unique identifier.
- Enable Single-Logout (SLO) - When this is enabled, logging out of their Microsoft account anywhere, e.g. OneDrive, will also log them out of Halo; conversely, logging out of Halo will log them out of 365 entirely. This is useful if you would like to log out only once at the end of the day, but you may want to disable it if you would like to be able to log out of one application while remaining signed in to another.
Your configuration should look something like the multi-tenanted example below:
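The tenant restriction and unique-identifier matching described in the list above, as an added illustration of what those options enforce on the ID token's claims. This is not Halo's code (Halo's internal implementation is not documented here); it assumes a v2.0 ID token whose signature has already been verified against the issuing tenant's signing keys, and all IDs are constructed sample values.

```python
# Constructed sample values, not from the page or any real tenant.
CLIENT_ID = "00000000-0000-0000-0000-000000000001"           # Azure Application ID entered in Halo
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}    # 'restricted list' of tenant IDs
# Agents/users previously imported from Entra or CSP, keyed by their unique identifier (oid claim).
IMPORTED_USERS = {"aaaa0000-0000-0000-0000-00000000aaaa": "alice"}


def validate_sso_claims(claims: dict, restrict_tenants: bool, match_by_oid: bool):
    """Check the verified claims of an Entra ID token the way the SSO options require.

    Returns (accepted, reason, matched_user). Assumes signature verification is done.
    """
    # The token must have been issued for this app registration, not some other app.
    if claims.get("aud") != CLIENT_ID:
        return False, "audience does not match the Azure Application ID", None
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim", None
    # With a multi-tenant app the issuer differs per tenant, so it is derived from tid.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return False, "issuer does not match the token's tenant", None
    # 'Allow users from a restricted list': only listed tenants may sign in.
    # 'Allow all Azure tenants' skips this check, so any Entra tenant is accepted.
    if restrict_tenants and tid not in ALLOWED_TENANTS:
        return False, f"tenant {tid} is not in the allowed list", None
    if match_by_oid:
        # Unique-identifier matching only works for accounts imported from Entra/CSP,
        # because that import is what records the oid in Halo.
        user = IMPORTED_USERS.get(claims.get("oid"))
        if user is None:
            return False, "oid not known: account was not imported from Entra or CSP", None
        return True, "ok", user
    # Email matching: the email is a mutable attribute, hence the oid option above.
    return True, "ok", claims.get("preferred_username")


def constructed_claims(tid: str, oid: str) -> dict:
    """Build a constructed claim set shaped like a verified Entra v2.0 ID token."""
    return {
        "aud": CLIENT_ID,
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "oid": oid,
        "preferred_username": "alice@example.test",
    }
```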
Fig 8. SSO configuration completed
The configuration is now complete. However, if you are using a multi-tenanted app registration, or in tenants with more stringent security requirements, an admin may need to consent to or allow user access to the enterprise app before it can be used. Halo recommends that the administrator who configured the App Registration and the Halo setup tests the SSO configuration and grants any necessary consents/access on behalf of their (managed) users.
Remembering Agent/User Logins
To streamline the login process, you can allow agents and users to have their login details 'remembered' so they need not enter their password each time they log in. To enable this functionality, head to Configuration > Advanced Settings and enable 'Remember Me when using a SSO method'.
Fig 9. Enabling Remember Me for SSO
When enabled, a 'Remember Me' setting will appear on the login screen so agents/users can choose to have their login details remembered for next time.
Bypass 2FA with SSO
To allow agents/users using SSO to bypass Halo 2FA head to Configuration > Advanced Settings and enable 'Bypass Halo 2FA if logging in with Single Sign-On'.
When enabled, 2FA procedures will be automatically bypassed when agents/users are using SSO to log in.
Fig 10. Enable Halo 2FA bypass when using SSO
Don't ask for 2FA again when using SSO
When using 2FA with Halo login credentials, agents/users will have an option to check 'Don't ask again' when completing 2FA so they need not complete 2FA once more when logging in with the same device.
This functionality can be expanded to include SSO. You first need to ensure you have enabled Halo 2FA (forced for everyone or enabled per agent). You will also need to enable the 'Don't ask again on this browser' option under Configuration > Advanced Settings.
Fig 11. Enabling Don't ask again
Once set up, enable 'Allow Halo 2FA if logging in with Azure Single Sign-On' under Configuration > Advanced Settings.
Fig 12. Enabling 2FA bypass if previously provided 2FA
When this is enabled, an additional cookie will be stored to allow agents/users to skip 2FA if they have checked 'Don't ask again' when logging in previously.