Single Sign-On (SSO) — Group-level settings

Chaya David
  • Updated
Follow

 

Overview

Single Sign-On (SSO) lets users log in once with a single set of credentials to access multiple applications. Fullpath SSO supports Okta and Microsoft Entra as identity providers. Configuration is done at the group level in the Dashboard and requires administrative access both in the Dashboard and in the customer’s Okta/Entra tenant.

 

Scope

This article explains how to configure and enable Single Sign-On (SSO) at the group (enterprise) level in the Dashboard, and links to further documentation which provides vendor-specific, step-by-step instructions for creating the required OIDC app inside Okta and Microsoft Entra (Azure AD). Intended for Group Level Customer Admins and Customer Success / Technical Support staff assisting customers.

 

Technical eligibility

Feature level: Enterprise / Group feature (must have 2 or more rooftops connected as a group)

Platform: CDP Pro required

Supported IdPs: Okta and Microsoft Entra (Azure AD).

Required external access: Admin access to the customer’s Okta or Microsoft Entra tenant to create/configure the OIDC application.


Roles and permissions

  • Must be a Group Level Admin in the Fullpath Dashboard to view and edit SSO settings.
     
  • Must have administrative privileges in the Fullpath Dashboard to create end-user credentials who will then be able to log into the Fullpath Dashboard using SSO after setup and configuration is complete.
     
  • Must have administrative privileges in your IdP (Okta/Entra) to create an OIDC application and obtain credentials.


Navigation

Dashboard > Groups > [Select Group] > Settings > Single Sign-On (SSO)

 


Screenshot 2025-08-13 at 1.01.49 PM.png
 

Before you begin — prerequisites

  1. Confirm the group is on an enterprise plan and SSO at the group level is supported.
  2. Have admin access to the IdP (Okta or Microsoft Entra).
  3. Obtain or be ready to obtain:
    • Client ID (Azure refers to this as Application ID)
    • Client Secret
    • Tenant ID (Azure refers to this as Directory Tenant ID) or Org/Issuer info (Okta)
    • Authorization Server ID or issuer URL (from IdP OpenID configuration)
  4. Decide which scopes you need (Open ID, Email, Profile, Online Access).
    • Note: scope selection is optional; all other fields are required.
  5. Copy the Dashboard’s SSO Redirect URL (it will appear once required fields are entered) and add it to the IdP’s app configuration exactly.

 

 

How to configure SSO in the Dashboard (quick)


1. Sign in with a Group Level Admin account.

2. Go to Groups > [Select Group] > Settings > Single Sign-On (SSO).

3. Select IdP type (Okta or Microsoft Entra).

4. Enter required fields (Client ID, Client Secret, Tenant ID, Authorization Server ID).

5. (Optional) Select Scope.

6. Copy the SSO Homepage URL and SSO Redirect URL that appear, and add them into the IdP app as required.

7. Click the blue Save button (lower-right) to persist changes.

8. Toggle Enable ON to push SSO live > Click Save.


Wait up to 15 minutes for propagation.



 


 

Dashboard-specific tips for both vendors

  • After entering Client ID, Client Secret, Tenant ID, and Authorization Server ID in the Dashboard, the SSO Redirect URL and SSO Homepage URL will appear — copy these exactly into the IdP settings inside Entra / Okta backend Dashboards.
     
  • Scopes: include openid at minimum. If using profile/email claims, include profile and email. If refresh tokens are required, include online_access (offline_access for Azure).
     
  • Save partially completed configuration with the blue Save button; you can return later.


     
  • Toggle Enable ON only after you have added Redirect URIs and completed any IdP admin steps; wait up to 15 minutes for propagation after enabling.
     

Screenshot 2025-08-13 at 12.58.57 PM.png

 

 

Other important points

  • Configuration can be completed in phases; use Save to persist intermediate work.
     
  • If a client secret is rotated in the IdP, update the Dashboard immediately and re-save/re-enable as needed.
     
  • Keep client secrets secure; follow your organization’s rotation policies.
     
  • If you need help collecting IdP values (Client ID, Secret, Tenant ID, Authorization Server ID), contact the IdP admin or open a support case with IdP logs and Dashboard configuration details.
     
  • idp users:
    • Can’t reset password and login via password
    • Can’t create new users - differences in user managements
       
  • Sso users can not use 2fa / user password
     

  • Once configuration is complete and users have been added, save and use THIS LOGIN LINK to enter the Fullpath Dashboard: https://dashboard.fullpath.com/auth/login?show_sso_login=true 
     

    >> select the relevant SSO option - do not try to enter using Microsoft or Google once your user has been added via SSO

    Screenshot 2026-01-14 at 12.01.47 PM.png