🌐 Web | 👤 Organization admin
To set up Yokoy to use Microsoft Entra ID (formerly Azure Active Directory) with OpenID Connect, you need to configure both Yokoy and Microsoft Entra ID. Depending on the step, you may need to perform actions in Yokoy or in Microsoft Entra ID.
In Microsoft Entra ID, you need to configure an OpenID Connect app that can connect to Yokoy. Yokoy has been listed as a certified Entra ID app to simplify the configuration steps. For more details on configuring OpenID Connect in Microsoft Entra ID, see OpenID Connect (OIDC) on the Microsoft identity platform.
To set up SSO to allow users to sign into Yokoy with their Entra ID:
Disable password login (optional)
Add Yokoy as a new SSO application
Go to Enterprise applications and click + New application. Search for “Yokoy” in the search bar, and select Yokoy.
Click Create to add the app to your Microsoft Entra Gallery.
Get client ID
In the application overview, in Enterprise Applications, copy the Application ID. You need it when configuring OIDC in Yokoy.
Get the Issuer URL (well-known)
Go to App registrations and click Yokoy SSO.
Select Endpoints and copy the Issuer URL. Store it as you need it to configure Yokoy.
To double-check that you are picking the right URL, the well-known issuer always contains the directory tenant ID.
Get client secret
In the app overview, click Certificates & Secrets. Click + new client secret, then add a description and an expiration date for the newly generated credentials.
Copy the value of the client secret as you need it to configure Yokoy.
Configure callback URL
To complete the set-up, you need to enter a callback URL.
Environment | URL |
Production | |
Sandbox |
Go to the Authentication section. Click +Add a platform, then select Web and continue.
Enter the callback redirect URI provided by Yokoy.
Disable access tokens and ID tokens
Clear the access tokens and ID tokens checkboxes as these are only needed for the unsafe implicit flow. The other fields can be left as is.
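The following check is an added example, not Yokoy or Microsoft code. It verifies two points from the steps above: that the copied Issuer URL contains the directory tenant ID, and that implicit-flow token issuance is off. It assumes you have exported the app registration as a Microsoft Graph application object (properties web.redirectUris and web.implicitGrantSettings); the tenant ID and callback URL in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
TENANT_ALIASES = {"common", "organizations", "consumers"}  # not tenant-specific

def check_issuer(issuer_url, tenant_id):
    """Problems with the Issuer URL copied from the Endpoints pane."""
    problems = []
    parsed = urlparse(issuer_url.strip())
    segments = {s.lower() for s in parsed.path.split("/") if s}
    if parsed.scheme != "https":
        problems.append("issuer is not an https URL")
    if not GUID.match(tenant_id):
        problems.append("tenant ID is not a GUID")
    if TENANT_ALIASES & segments:
        problems.append("issuer uses a multi-tenant alias, not the tenant ID")
    elif tenant_id.lower() not in segments:
        problems.append("issuer does not contain the directory tenant ID")
    return problems

def check_web_settings(app):
    """Problems in the 'web' part of a Microsoft Graph application object."""
    problems = []
    web = app.get("web", {})
    implicit = web.get("implicitGrantSettings", {})
    if implicit.get("enableAccessTokenIssuance"):
        problems.append("implicit flow: access token issuance is enabled")
    if implicit.get("enableIdTokenIssuance"):
        problems.append("implicit flow: ID token issuance is enabled")
    uris = web.get("redirectUris", [])
    if not uris:
        problems.append("no Web redirect URI is configured")
    problems += [f"redirect URI is not https: {u}" for u in uris
                 if urlparse(u).scheme != "https"]
    return problems

# Constructed sample values; the tenant ID and callback URL are placeholders.
TENANT = "11111111-2222-3333-4444-555555555555"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
APP = {"web": {"redirectUris": ["https://callback.example.invalid/oidc"],
               "implicitGrantSettings": {"enableAccessTokenIssuance": False,
                                         "enableIdTokenIssuance": True}}}

if __name__ == "__main__":
    for problem in check_issuer(ISSUER, TENANT) + check_web_settings(APP):
        print("FAIL:", problem)
```

With the sample data, the only finding is that ID token issuance is still enabled, which is the checkbox this step tells you to clear.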
Set up the domain(s) and authentication protocol in Yokoy
In Yokoy, go to Admin > Organization, Authentication tab.
🚧 Caution
Make sure the Authentication feature has been enabled for your organization. Otherwise, you won’t be able to see this tab.
Add your company’s domain by clicking +Add domain. Make sure to use the format yourcompany.com. Click Save.
You can add multiple domains for your organization. For example, if your company has different domains for various countries, make sure to add them all here (e.g. company.it, company.ch, company.de).
Once the domains have been added, you can choose the authentication method you prefer. Click Add provider and select OpenID Connect (OIDC).
Add client ID, client secret and issuer URL
Enter the information retrieved from Microsoft Entra in the OpenID Connect section.
Field | Description |
Issuer | Enter the Issuer URL (well-known). |
Client ID | Enter the client ID. |
Client secret | Enter the client secret. |
Add a button label for the SSO log-in button
In the Button text field, add the label for the button that is displayed to end users.
This label is used with Sign in with. For example, the text shown is SSO (OIDC).
Save the configuration and proceed with testing
Save the configuration and proceed with testing. After you enter an email address with the configured domain, you can see the SSO option. For example, you see an additional button above the password option: Sign in with SSO (OIDC)
You should set up a test user that you can use to test the full flow to ensure SSO is correctly configured. The test can include clicking on the SSO button. This can show if the application is configured correctly. If not, it may show errors like “missing application”.
💡 Tip
If the button does not show, check:
Environment: Check that you have configured the correct environment (sandbox/production).
Domain: Make sure the email domain is spelled correctly and matches the one configured.
Disable password authentication
Once you have verified that SSO has been set up correctly and users can log in via SSO, then password authentication can be disabled for the organization to prevent login issues. Although this step is recommended, you can choose to allow both authentication methods.
To do this, go to Admin > Organization, Authentication tab and turn off the Enable password toggle.

















