SSO · Azure AD Instance

Note* At this time, SSO can only be used for authentication. We do not provision profiles through SSO.

To setup a specific Azure AD Instance we will need the following

  • Application (client) ID
  • Directory (tenant) ID
  • OpenID Connect metadata document
  • Application (client) Secret Value


  1. Register application
  2. Configure authentication
  3. Generate application secret
  4. Configure branding

1. Register Application

From “All Services” select “All” then scroll to “Azure Active Directory”

Under “App registrations” select “New registration.”

Fill out a new registration for KPA EHS.

  • Name: KPA EHS
  • Redirect URI:

Copy the following details

  • Application (client) ID
  • Directory (tenant) ID
  • OpenID Connect metadata document

2. Configure authentication


  • “ID tokens” ✅

API permissions

  • “Grant admin consent” ✅
    • If this is not enabled then any user can deny consent and be unable to sign-in.

3. Generate Application secret

Certificates & Secrets

  • Select “New client secret”
  • Description: KPA EHS
  • Expires: 24 months
    • Ideally, this would be the maximum allowed. SSO will stop working once this expires.
  • Copy the Value column to use for our Application (client) Secret Value
    • The Secret ID column is for your own reference.

4. Configure branding


The app registration should be complete.

With this we can test and enable SSO through the SSO Administration page.

Contact support if you have any questions.