SSO Setup Guide
This guide walks you through setting up Single Sign-On (SSO) in Hyperfox using Microsoft Entra ID (formerly Azure AD). With SSO enabled, users authenticate through your organisation's identity provider instead of using a password.
Hyperfox implements SSO using the OpenID Connect (OIDC) protocol. SAML-based authentication is not supported. For automatic user provisioning, Hyperfox supports the SCIM 2.0 standard.
Table of Contents
Prerequisites
Before you begin, make sure you have the following:
Administrator access to the Hyperfox admin panel.
An Azure application with a configured client secret. If you do not have one yet, see Creating an Azure Application at the end of this guide.
The following values from your Azure application:
Tenant ID
Client ID (Application ID)
Client Secret
Tip: If you plan to use SCIM provisioning for automatic user synchronisation, make sure to create an Enterprise application in Azure rather than a standard App Registration. The Provisioning feature required for SCIM is only available on Enterprise applications. Setting this up correctly from the start saves you from having to recreate the application later.
Note: Hyperfox also supports Google Workspace as an SSO provider. This guide covers the Microsoft Entra ID setup only. If you wish to use Google Workspace, the configuration steps within Hyperfox are similar, but you will need to set up the corresponding credentials in the Google Cloud Console independently.
Overview
The SSO setup in Hyperfox is done from the Security tab in the admin panel. The process consists of three main steps:
Add an SSO provider in Hyperfox with your Azure credentials.
Copy the generated callback URL and configure it in your Azure App Registration.
Enable the SSO provider.
Step 1: Add an SSO Provider in Hyperfox
In the Hyperfox admin panel, navigate to Settings > Security.
Click the "+ Add Provider" button.
A side panel will open. Fill in the following fields:
Provider Type β Select Microsoft Entra ID.
Tenant ID β Your Azure tenant ID.
Client ID β The Application (client) ID from your Azure App Registration.
Client Secret β The client secret value you created in Azure.
Click "Add SSO Provider" to save.
After saving, a new provider card will appear on the Security page. The provider will be in a Disabled state β this is expected. You first need to configure the callback URL in Azure before enabling it.
Step 2: Configure the Callback URL in Azure
After the provider is created, a Callback URL is displayed on the provider card.
Copy the Callback URL from the provider card in Hyperfox.
Go to the Azure Portal and navigate to your App Registration.
Go to Authentication in the left menu.
Under Redirect URIs, click "Add a platform" or "Add redirect URI".
Paste the callback URL you copied from Hyperfox.
Click Save.
Important: The callback URL must match exactly. Make sure there are no trailing spaces or missing characters when pasting.
Step 3: Enable the SSO Provider
Once the callback URL is configured in Azure, you can enable the provider in Hyperfox.
On the Security page, find your SSO provider card.
Click "Manage SSO Settings" to open the edit panel.
Toggle the Enable switch to activate the provider.
Click "Edit SSO Provider" to save.
The provider card will now show a green Enabled badge. Users can now sign in using their Microsoft Entra ID credentials.
Step 4: Require SSO Login (Optional)
Once the SSO provider is enabled, you can optionally enforce SSO for all users.
On the Security page, locate the "Require SSO Login" setting.
Enable this option.
When enabled, all users must authenticate through the configured SSO provider. Password-based login will be disabled.
Warning: Before enabling this setting, make sure the SSO provider is fully configured and tested. If SSO is misconfigured, users (including administrators) may be locked out.
SCIM 2.0 User Provisioning
Hyperfox supports SCIM 2.0 (System for Cross-domain Identity Management) for automatic user provisioning. With SCIM, user accounts in Hyperfox are automatically created, updated, and deactivated based on changes in your identity provider β removing the need to manage users manually.
Generating a SCIM Token
Once your SSO provider is created, you can set up SCIM from the provider card on the Security page.
On the provider card, click "Generate SCIM Token".
A confirmation dialog will appear warning that generating a new token will replace any existing token and that existing SCIM integrations will stop working. Click "Generate" to proceed.
The generated token will be displayed. Copy the token immediately β it will not be shown again.
Click "Done" to close the dialog.
Important: Store the SCIM token securely. If you lose it, you will need to generate a new one using the "Reset SCIM token" link on the provider card. This will invalidate the previous token and break any existing SCIM integrations until you update them with the new token.
Configuring SCIM in Azure
After generating the token, the provider card will display a SCIM URL. You need both the SCIM URL and the token to configure provisioning in Azure.
Important: SCIM provisioning requires an Enterprise application in Azure. The Provisioning feature is not available on App Registrations created from the "App registrations" page. If you initially created an App Registration, you must create a new Enterprise application instead to use SCIM. The Enterprise application can use the same underlying App Registration for SSO, but provisioning can only be configured from the Enterprise application.
In the Azure Portal, navigate to Microsoft Entra ID > Enterprise applications.
Select your Hyperfox application (or create a new Enterprise application if you only have an App Registration).
Go to Provisioning in the left menu.
Set the Provisioning Mode to Automatic.
Under Admin Credentials, fill in:
Tenant URL β Paste the SCIM URL from the Hyperfox provider card.
Secret Token β Paste the SCIM token you copied earlier.
Click "Test Connection" to verify that Azure can connect to the Hyperfox SCIM endpoint.
Click "Save".
Under Settings, set the Provisioning Status to On.
Azure will now automatically synchronise user accounts to Hyperfox. You can monitor the provisioning status and logs from the Provisioning page in Azure.
Creating an Azure Application
If you do not yet have an Azure application configured, follow these steps to create one. We recommend creating an Enterprise application, as this is required if you want to use SCIM provisioning.
Step 1: Create an Enterprise Application
Sign in to the Azure Portal.
Navigate to Microsoft Entra ID > Enterprise applications.
Click "New application".
Click "Create your own application".
Enter a name for the application (e.g. "Hyperfox SSO").
Select "Integrate any other application you don't find in the gallery (Non-gallery)".
Click "Create".
This creates both an Enterprise application and an underlying App Registration. You will need the App Registration to retrieve your IDs and create a client secret.
Step 2: Note Your IDs
Navigate to Microsoft Entra ID > App registrations.
Click the "All applications" tab and select the application you just created.
On the application overview page, copy and save the following values β you will need them when configuring Hyperfox:
Application (client) ID
Directory (tenant) ID
Step 3: Create a Client Secret
In the left menu of your App Registration, click "Certificates & secrets".
Under Client secrets, click "New client secret".
Enter a description (e.g. "Hyperfox SSO") and select an expiry period.
Click "Add".
Copy the secret value immediately β it will only be shown once.
Important: Store the client secret securely. If you lose it, you will need to create a new one.
You now have all the values needed to configure SSO in Hyperfox. Return to Step 1 to continue the setup.
This guide was last updated in March 2026. For questions, contact your Hyperfox administrator.
Last updated