Many companies request SSO support, since it makes user accounts easier and more secure to manage. This article goes into detail about the SSO support in SynergyXR.
Short answer
Yes, from version 3.2 and onwards, SynergyXR supports SSO using Microsoft Entra ID (previously known as Azure AD).
A simple setup process is required:
- We need your Microsoft Tenant ID to enable SSO for your users.
- We will provide a link for admin pre-consent, ensuring that SynergyXR is allowed to use your Entra ID for authentication.
Once consent for Entra ID authentication is given, you are ready to create users that authenticate with Entra ID.
User creation
In SynergyXR Manager navigate to the "Users" tab of your Workspace and click the "Add user" button on the top right.
After specifying the user's e-mail address, you add the user's name and select which authentication method the user must use:
- SynergyXR ID: The built-in authentication service built on Duende Identity Server 4.
- Microsoft Entra ID: Authenticate the user against your existing Entra ID.
Finally, you select the user's role in the Workspace and create the user. To finish the user creation process, the user receives an e-mail:
- SynergyXR ID: The user must follow a link to set their password.
- Microsoft Entra ID: The user must log in with their existing Entra ID account to finalize the user creation process.
User login
When launching SynergyXR, users are asked to enter their e-mail address.
If users select the "Remember me" option, SynergyXR stores the refresh token and uses it to obtain a new access token on subsequent logins within its period of validity. Anyone with access to that device can therefore sign in without entering a password until the refresh token expires or is revoked.
SynergyXR automatically identifies the authentication method for the user. For Microsoft Entra ID, the SSO flow is launched and the user is asked to enter their Entra ID password.
If Multi-Factor Authentication (MFA) is configured for your tenant, it is triggered automatically as part of the SSO flow.
Troubleshooting
Depending on how your organization's Entra ID tenant is configured, several things might block users from logging in to SynergyXR:
User assignment
Organizations can require that users are assigned to an application before they can access it. This setting ("Assignment required?") is configured individually for each enterprise application and is found on the "Properties" page of the SynergyXR Enterprise Application in your tenant.
If this setting is "Yes", either assign the relevant users (or groups) to the SynergyXR app, or set it to "No" to allow all users in your tenant.
Conditional Access Policy
Your organization may have Conditional Access Policies that block the login, e.g. due to device compliance, location or network restrictions.
Device-related requirements in these policies can block users from logging in to SynergyXR, because SynergyXR does not currently forward device status, and because it supports a variety of devices (such as VR headsets) that are not commonly managed by MDM systems.
An example can be seen below:
If "Require device to be marked as compliant" and/or "Require Microsoft Entra hybrid joined device" is enforced for SynergyXR with no alternative grant control selected (the device controls are mandatory, or they are the only controls in the policy), the SSO flow is blocked. If additional security measures are needed, we instead advise using the "Require multifactor authentication" control.
To keep the SSO flow as secure and standardized as possible, SynergyXR uses an embedded browser that runs standard OAuth 2.0/OIDC flows. That browser does not inherit the "compliant" or "hybrid joined" status of the hardware device running SynergyXR, so a device-based grant control can never be satisfied and access is not granted.
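As an added example (not SynergyXR's own tooling or part of its documentation), the following Microsoft Graph PowerShell script audits both troubleshooting causes above in one pass: it reads the "Assignment required?" property of the enterprise application, then lists every enabled Conditional Access policy that targets the app (directly or via "All cloud apps") and flags policies whose grant controls can only be met by a device signal. It assumes the Microsoft.Graph PowerShell SDK is installed, that the enterprise application appears in your tenant under the display name "SynergyXR" (override with -AppDisplayName), and that the signed-in admin holds the Application.Read.All and Policy.Read.All scopes. Only the application scope of each policy is evaluated; other conditions (locations, platforms, risk) are not, so flagged policies are candidates to review rather than proof of a block. The remediation command is printed, not executed.

```powershell
# Added example, not part of SynergyXR's documentation or code.
# Audits the two Entra ID settings that commonly block SynergyXR SSO:
#   1. "Assignment required?" on the enterprise application
#   2. Conditional Access policies whose grant controls can only be met by a device signal
# Assumptions: Microsoft.Graph PowerShell SDK installed; the app's display name is
# 'SynergyXR' (override with -AppDisplayName); caller holds the two read scopes below.
param(
    [string]$AppDisplayName = 'SynergyXR'
)

Connect-MgGraph -Scopes 'Application.Read.All', 'Policy.Read.All' -NoWelcome

# --- 1. User assignment -------------------------------------------------------
$sp = Get-MgServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "No enterprise application named '$AppDisplayName' in this tenant." }

Write-Host "Enterprise application : $($sp.DisplayName)  (appId $($sp.AppId))"
Write-Host "Assignment required?   : $($sp.AppRoleAssignmentRequired)"
if ($sp.AppRoleAssignmentRequired) {
    Write-Warning 'Only users/groups assigned to the app can sign in. Assign them, or set the property to No with:'
    Write-Warning "  Update-MgServicePrincipal -ServicePrincipalId $($sp.Id) -AppRoleAssignmentRequired:`$false"
}

# --- 2. Conditional Access ----------------------------------------------------
# Graph names of the portal options "Require device to be marked as compliant" and
# "Require Microsoft Entra hybrid joined device".
$deviceControls = @('compliantDevice', 'domainJoinedDevice')

$findings = foreach ($p in (Get-MgIdentityConditionalAccessPolicy -All)) {
    if ($p.State -ne 'enabled') { continue }      # disabled / report-only policies do not block
    if (-not $p.GrantControls) { continue }       # session-control-only policies have no grant

    # CA policies reference the application (client) ID, not the service principal object ID.
    $apps = $p.Conditions.Applications
    $targetsAll = $apps.IncludeApplications -contains 'All'
    $targetsApp = ($targetsAll -or ($apps.IncludeApplications -contains $sp.AppId)) -and
                  -not ($apps.ExcludeApplications -contains $sp.AppId)
    if (-not $targetsApp) { continue }

    $controls  = @($p.GrantControls.BuiltInControls)
    $device    = @($controls | Where-Object { $deviceControls -contains $_ })
    $nonDevice = @($controls | Where-Object { $deviceControls -notcontains $_ })

    # The embedded browser cannot satisfy a device control, so the policy blocks SSO when a
    # device control is mandatory ("Require all the selected controls" = AND) or when no
    # other control is offered as an alternative (OR, but device controls only).
    $mayBlock = ($controls -contains 'block') -or
                ($device.Count -gt 0 -and ($p.GrantControls.Operator -eq 'AND' -or $nonDevice.Count -eq 0))

    $scope = if ($targetsAll) { 'All apps' } else { $AppDisplayName }
    [pscustomobject]@{
        Policy      = $p.DisplayName
        Scope       = $scope
        Operator    = $p.GrantControls.Operator
        Controls    = ($controls -join ', ')
        MayBlockSso = $mayBlock
    }
}

if (-not $findings) {
    Write-Host "No enabled Conditional Access policy targets '$AppDisplayName'."
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object MayBlockSso) {
        Write-Warning 'At least one enabled policy requires a device signal the SynergyXR embedded browser cannot supply.'
        Write-Warning 'Exclude the app from that policy, or add "Require multifactor authentication" as an OR alternative.'
    }
}
```

Run it from an admin workstation after installing the SDK (Install-Module Microsoft.Graph). A policy that combines a device control with MFA under "Require one of the selected controls" is reported with MayBlockSso = False, because the user can satisfy the MFA alternative inside the embedded browser; the same pair under "Require all the selected controls" is flagged.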