Single Sign-On

28 May 2024


Overview

With Single Sign-On (SSO), users can log in to Erply by authenticating through the company's existing identity platform, so they do not need a separate password for Erply.

Disabling the user's account in the central identity system will also revoke their access to Erply.

Supported Identity Providers

Currently we support Microsoft Entra ID (formerly known as Microsoft Azure Active Directory) as an authorization platform. 

Upon request, we can look into supporting other Single Sign-On providers, such as Okta or Google Workspace.

Supported Erply Applications

Single Sign-On works with:

  • Erply back office
  • Brazil point of sale

Other apps are not supported at this point. To log into other apps, users still need to enter their username and password, so password authentication cannot be turned off as long as those apps are in use.

User Management

User accounts, user groups and their permissions need to be set up in Erply back office.

All users have to be entered manually into Erply back office (Employees > New Employee and User Account). Their username must match their primary email address in the identity system. Since user creation requires a password (even though it will not be needed), we recommend setting it to a long random value that is not stored anywhere and not disclosed to the user.

At the moment we do not support automatic creation of user accounts upon login, but we can look into it if needed. (It requires Erply to know how the roles in the identity system correspond to the user groups in Erply.)

Setup Steps

In Microsoft Entra ID, Erply must be registered as an "OpenID Connect" application, under Microsoft Entra ID > Applications.

(In the future, Erply might be "installable" from Azure Marketplace, but there is no definite timeline for that.)

The administrator must configure two “Redirect URIs” (type: “Web”). One can be added immediately; further URLs can be added later by editing the application's details.

Under "Authentication" -> "Implicit grant and hybrid flows", please check the box "ID tokens".

To continue the setup in Erply, two parameters are needed:

  • Directory ID (Tenant ID) — identifies the company
  • Application ID — this gets assigned to Erply when it is registered as an application

On an Erply account with a blue menu bar, please open Settings > Configuration Admin from the menu.

On accounts that do not have the menu bar, please type in the following URL and replace the end with your account number:

https://conf-admin-ui.erply.com/?clientCode=<your account number>

Open “Login & Security Settings”.

Fill in the section titled “Single Sign-On”:

  • Allow Single Sign-On: yes
  • Authority URL: https://login.microsoftonline.com/
  • Directory ID: see above
  • Application ID: see above

There are two further security restrictions that can be turned on. However, before enabling these, please complete the Single Sign-On setup and verify that the integration works correctly, and that you are able to log into Erply via SSO. Otherwise you might lock all users out of your account!

  • Deselect “Allow Password Login”: with this setting, login attempts from other Erply apps with a username and password will be rejected.
  • “Allow Only login.erply.com”: this will make Erply back office and Brazil POS automatically redirect to login.erply.com if the user is not logged in.

Login Flow

Go to https://login.erply.com/.

Pick the "SSO" tab and enter your Erply account number.

The login button will redirect you through Microsoft servers for authentication. If you are already logged in with your Microsoft account, there won't be any additional prompts.

For a login to be successful, your Erply username must be the same as the email of your Microsoft account.

Brazil POS has an additional button “Log in with login.erply.com” on its login screen. Clicking the button will guide you through the same login flow. (The initial screen at https://epos.erply.com/ still has the “username” and “password” fields, but turning off “Allow Password Login”, as explained above, will make these non-functional.)
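The checks below tie the three “Single Sign-On” settings (Authority URL, Directory ID, Application ID) to the rule that the Erply username must equal the Microsoft account email. This is an added illustration, not Erply's own code: it assumes the ID token's signature has already been verified by an OpenID Connect library, that Entra ID issues v2.0 tokens (issuer `<authority>/<tenant>/v2.0`), and that the account email arrives in the `preferred_username` claim with `email` as a fallback.

```python
import time

# Constructed sample values standing in for the settings entered in
# Configuration Admin > Login & Security Settings > Single Sign-On.
SSO_SETTINGS = {
    "authority_url": "https://login.microsoftonline.com/",
    "directory_id": "TENANT-ID-PLACEHOLDER",      # Directory ID (Tenant ID)
    "application_id": "APP-ID-PLACEHOLDER",       # Application ID of the Erply registration
}

# Constructed sample ID token payload (claims only; signature assumed verified).
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
    "tid": "TENANT-ID-PLACEHOLDER",
    "aud": "APP-ID-PLACEHOLDER",
    "nonce": "login-attempt-1",
    "nbf": 1000,
    "exp": 2000,
    "preferred_username": "Alice@Example.com",
}

def expected_issuer(settings):
    # Assumption: v2.0 tokens, whose iss is <Authority URL>/<Directory ID>/v2.0.
    return settings["authority_url"].rstrip("/") + "/" + settings["directory_id"] + "/v2.0"

def resolve_erply_user(claims, settings, erply_usernames, expected_nonce, now=None):
    """Validate the ID token claims against the SSO settings and map the
    signed-in Microsoft account to an Erply username (case-insensitive).
    Raises ValueError when any check fails, so no login is granted."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer(settings):
        raise ValueError("issuer does not match Authority URL + Directory ID")
    if claims.get("tid") != settings["directory_id"]:
        raise ValueError("token was issued by a different directory")
    if claims.get("aud") != settings["application_id"]:
        raise ValueError("token was not issued to this Application ID")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: token is not bound to this login attempt")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token expired or not yet valid")
    email = (claims.get("preferred_username") or claims.get("email") or "").lower()
    lookup = {name.lower(): name for name in erply_usernames}
    if email not in lookup:
        raise ValueError("no Erply user account with username " + email)
    return lookup[email]

if __name__ == "__main__":
    users = ["alice@example.com", "bob@example.com"]
    print(resolve_erply_user(SAMPLE_CLAIMS, SSO_SETTINGS, users, "login-attempt-1", now=1500))
```

A user that exists in Entra ID but has no Erply account with the matching username is rejected, which is why each employee must be created in back office first.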