This guide provides a comprehensive technical and security overview of Fullpath’s Single Sign-On (SSO) integration with Microsoft Entra (formerly Azure AD).
Section 1: Protocol & Architecture
What authentication protocol does the Fullpath SSO integration use? Fullpath utilizes the OIDC (OpenID Connect) Authorization Code flow. In this architecture, a Client Secret is used to authenticate our backend service when exchanging short-lived, single-use Authorization Codes for access tokens. We do not currently support SAML.
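The three steps of the Authorization Code flow described above, as an added example in Python (not Fullpath's code): building the authorize redirect with a per-login state and nonce, the backend-only token exchange that carries the Client Secret, and the claim checks that bind the returned ID token to this app, tenant and login attempt. The tenant id, client id and redirect URI are placeholders; signature verification against the tenant JWKS is assumed to happen before the claim check.

```python
"""Added example, not Fullpath's code: OIDC Authorization Code flow against
Microsoft Entra v2.0 endpoints from the confidential-client (backend) side."""
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

TENANT_ID = "00000000-0000-0000-0000-000000000000"          # placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"          # placeholder
REDIRECT_URI = "https://app.example.invalid/auth/callback"  # placeholder
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPES = "openid profile email offline_access User.Read.All"  # scopes listed on this page


def new_login_state() -> tuple:
    """Fresh, unguessable state and nonce for exactly one login attempt."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorize_url(state: str, nonce: str) -> str:
    """Step 1: redirect the browser here. `state` ties the callback to the
    browser session (CSRF defence); `nonce` ties the ID token to this request."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "response_mode": "query",
              "scope": SCOPES, "state": state, "nonce": nonce}
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


def build_token_request(code: str, client_secret: str) -> tuple:
    """Step 2: the backend (never the browser) posts the single-use code plus
    the Client Secret to the token endpoint. Returns (endpoint, form body)."""
    form = {"client_id": CLIENT_ID, "client_secret": client_secret,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "scope": SCOPES}
    return f"{AUTHORITY}/oauth2/v2.0/token", form


def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: Optional[float] = None) -> bool:
    """Step 3: after the JWT signature has been verified against the tenant
    JWKS (not shown), reject tokens issued for another tenant, another app,
    another login attempt, or outside their validity window."""
    now = time.time() if now is None else now
    return (claims.get("iss") == f"{AUTHORITY}/v2.0"
            and claims.get("aud") == CLIENT_ID
            and claims.get("tid") == TENANT_ID
            and claims.get("nonce") == expected_nonce
            and claims.get("exp", 0) > now >= claims.get("nbf", 0))
```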
How is the Client Secret secured on Fullpath’s end? We treat your credentials with the highest security standards:
- Storage: Secrets are managed centrally in AWS Secrets Manager, never hardcoded or stored in plaintext.
- Encryption: Secrets are encrypted at rest using AES-256 encryption.
- Access Control: Access is restricted via least-privilege policies to specific authentication services only; unauthorized human access is prohibited.
- Visibility: The secret is never returned to the client side. Once set, it can only be deleted or reset, not viewed.
What is the process for rotating an expiring Client Secret? If a secret expires, SSO logins will fail immediately. Fullpath does not currently send expiration notices; administrators should track this within Entra. We recommend a Zero Downtime Rotation:
- Generate a new secret in the Entra portal.
- Update the Fullpath Dashboard with the new secret value.
- Delete the old secret from Entra once the update is confirmed.
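Because Fullpath does not send expiration notices, the tracking has to happen on the Entra side. The following added example (not Fullpath's or Microsoft's code) reads the `passwordCredentials` array that Microsoft Graph returns for an application object, flags secrets that are expired or about to expire, and encodes the zero-downtime rule above: the old secret may be deleted only once another secret is already valid and not itself close to expiry. The application payload is constructed sample data; confirming that the Fullpath Dashboard holds the new value is a separate manual step.

```python
"""Added example, not Fullpath's or Microsoft's code: client-secret expiry
check over a Graph application object's passwordCredentials (sample data)."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the fields GET /applications/{id} returns per secret
SAMPLE_APP = {
    "appId": "11111111-1111-1111-1111-111111111111",   # placeholder
    "passwordCredentials": [
        {"displayName": "fullpath-sso-2024", "keyId": "aaaa-1",
         "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2025-01-01T00:00:00Z"},
        {"displayName": "fullpath-sso-2025", "keyId": "bbbb-2",
         "startDateTime": "2024-12-15T00:00:00Z", "endDateTime": "2026-12-15T00:00:00Z"},
    ],
}


def parse_graph_time(ts: str) -> datetime:
    """Graph emits RFC 3339 timestamps with a trailing 'Z'; spell out the
    offset so fromisoformat() accepts it on older Python versions."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_secrets(app: dict, now: datetime, warn_days: int = 30) -> dict:
    """Bucket each secret as expired / expiring / ok relative to `now`.
    An 'expired' secret means SSO logins are already failing."""
    result = {"expired": [], "expiring": [], "ok": []}
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            bucket = "expired"
        elif end - now <= timedelta(days=warn_days):
            bucket = "expiring"
        else:
            bucket = "ok"
        result[bucket].append(cred["displayName"])
    return result


def rotation_safe_to_delete(app: dict, now: datetime, old_key_id: str,
                            warn_days: int = 30) -> bool:
    """Zero-downtime rule: remove `old_key_id` only if some other secret is
    valid right now and stays valid beyond the warning window."""
    others = [c for c in app.get("passwordCredentials", []) if c["keyId"] != old_key_id]
    return any(parse_graph_time(c["startDateTime"]) <= now
               < parse_graph_time(c["endDateTime"]) - timedelta(days=warn_days)
               for c in others)
```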
Section 2: User Provisioning & Lifecycle
Does Fullpath support SCIM or JIT provisioning? Not currently. Automated provisioning via SCIM and Just-in-Time (JIT) account creation are on our product roadmap. At this time, all users must be manually pre-created in the Fullpath Dashboard with an email address matching their Entra account.
How does offboarding work without SCIM?
While full profile removal is manual, your security is protected by the SSO architecture:
- Immediate Block: Once a user is disabled in Entra, they cannot authenticate to Fullpath.
- Webhooks: We subscribe to Entra webhooks to receive delete notifications, which trigger a session logout for that user.
How does Fullpath handle active sessions if a user is disabled in Entra mid-session? Fullpath does not currently support Continuous Access Evaluation (CAE). However, we use Entra webhooks to trigger a logout if a user is deleted. If the user is only disabled rather than deleted, the existing Fullpath session (which is independent of the Entra session and valid for one week) persists until it expires or a logout is triggered.
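The offboarding behaviour in the two answers above, as an added example in Python (not Fullpath's code): a session store with the one-week lifetime, and a handler for a Microsoft Graph change notification (assumed here to be what the page calls an Entra webhook) that revokes every session of a deleted user after checking the subscription's clientState. Notifications for a disabled-but-not-deleted user intentionally change nothing, matching the page. The notification payload, user ids and clientState value are constructed.

```python
"""Added example, not Fullpath's code: one-week sessions plus revocation on a
Graph 'deleted' user notification. Payload and ids are constructed samples."""
import hmac

SESSION_TTL = 7 * 24 * 3600               # one week, as stated on the page
CLIENT_STATE = "per-subscription-secret"  # placeholder; chosen when the subscription is created


class SessionStore:
    def __init__(self):
        self._sessions = {}               # session_id -> (entra_user_id, issued_at)

    def create(self, session_id: str, user_id: str, now: float) -> None:
        self._sessions[session_id] = (user_id, now)

    def is_valid(self, session_id: str, now: float) -> bool:
        entry = self._sessions.get(session_id)
        return entry is not None and now - entry[1] < SESSION_TTL

    def revoke_user(self, user_id: str) -> int:
        """Drop every session belonging to `user_id`; returns how many were dropped."""
        doomed = [sid for sid, (uid, _) in self._sessions.items() if uid == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def handle_change_notification(payload: dict, store: SessionStore) -> int:
    """Process one Graph webhook POST body. Only notifications carrying the
    clientState we registered are trusted; only user deletions revoke
    sessions. Returns the number of sessions revoked."""
    revoked = 0
    for note in payload.get("value", []):
        if not hmac.compare_digest(note.get("clientState", ""), CLIENT_STATE):
            continue                      # forged or misrouted notification: ignore
        if note.get("changeType") != "deleted" or not note.get("resource", "").startswith("Users/"):
            continue                      # disabled (not deleted) users keep their session
        revoked += store.revoke_user(note["resourceData"]["id"])
    return revoked


# Constructed sample notification for a deleted user
SAMPLE_NOTIFICATION = {"value": [{
    "subscriptionId": "sub-placeholder", "clientState": CLIENT_STATE,
    "changeType": "deleted", "resource": "Users/user-42",
    "resourceData": {"@odata.type": "#Microsoft.Graph.User", "id": "user-42"},
    "tenantId": "00000000-0000-0000-0000-000000000000"}]}
```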
Section 3: Session Management
Does Fullpath support Single Logout (SLO)? No. Logging out of Microsoft 365 or having an Entra session expire does not automatically terminate the Fullpath session. Users should explicitly log out of the Fullpath application, especially on shared workstations.
What is the session timeout, and is it configurable? The standard Fullpath session remains active for one week. This is a global setting and is not currently configurable per tenant.
Section 4: Access Control & Permissions
Can Azure AD groups be mapped to Fullpath roles? No. Group memberships are not currently passed in the OIDC token for role mapping. Roles and permission levels must be assigned manually within the Fullpath Dashboard during user creation.
What are the available permission levels? Permissions are assigned based on Scope (Group, Dealership, or Product) and Role:
- Admin: Full access to edit settings, manage users, and export data.
- Edit: Can adjust dashboard settings but cannot manage users or export data.
- Read Only: Can view data and adjust filters/date ranges but cannot save changes or export data.
Can native username/password login be disabled? Yes. Enabling the "Enable Single Sign-On" toggle effectively overrides and suspends native authentication. This ensures users cannot bypass your Azure AD MFA and Conditional Access policies.
Is there a "Break-Glass" account? There is no customer-facing local break-glass account. In the event of an IDP outage, authorized Fullpath personnel can manually toggle SSO off from our backend to revert your tenant to native authentication.
Section 5: Azure AD Setup
What Entra roles and permissions are required?
- Admin Role: Your internal admin needs Global Administrator (or a role capable of granting admin consent) only for the initial setup step. Ongoing management can be handled by a Cloud Application Administrator.
- Graph Permissions: We require email, openid, profile, offline_access, and User.Read.All (the latter is required for webhook subscriptions).
Section 6: Security & Support
Does Fullpath have SOC 2 or Penetration Test reports?
- Certifications: We hold ISO 27001 (Data Security) and ISO 42001 (AI Governance) certifications. We do not currently hold a SOC 2 Type II report.
- Penetration Testing: We undergo regular third-party penetration testing. An attestation letter is available under NDA.
What is the support process if SSO fails? SSO failures are treated as high-priority "Blocked Access" incidents with a direct escalation path to engineering.
- Active Session Buffer: Because session cookies last one week, users already logged in will remain active even if the SSO link is temporarily interrupted.
- Emergency Reversion: If a persistent IDP outage occurs, we can revert your account to native authentication via the backend.