Single Sign-On (SSO) Integration — Microsoft Entra

If you have an Enterprise account in Row Zero, you can configure single sign-on (SSO) in Microsoft Entra using OpenID Connect (OIDC).

Row Zero is configured to use the OpenID Connect implicit flow for single sign-on with Microsoft Entra (response_mode=form_post and response_type=id_token). We request the openid, profile, and email scopes, and we assume email_verified = true for all users logging in through Microsoft Entra enterprise integrations.

Row Zero is not yet listed in the Entra ID gallery, so you will create a custom App registration.

1. Create an App registration

  1. In the Microsoft Entra admin center, go to Applications > App registrations and select New registration.
  2. Use these settings:
    • Name: Row Zero
    • Supported account types: Accounts in this organizational directory only (Single tenant)
    • Redirect URI (optional)
      • Platform: Web
      • URI: https://auth.rowzero.io/login/callback
  3. Click Register.

2. Complete the App registration

Now, find the registration that you just created. In the Microsoft Entra admin center, go to Applications > App registrations > All applications and select Row Zero.

  1. Go to Overview
    1. Select Endpoints, find the OpenID Connect metadata document, and copy the full URL. You will need to provide this to Row Zero for us to complete the integration.
    2. Under Essentials find the Application (client) ID and copy the full ID. You will need to provide this to Row Zero for us to complete the integration.
  2. Go to Branding & properties
    1. Find Upload new logo. You can click this link to download the Row Zero logo, and then upload it to Microsoft Entra.
    2. Set Home page URL to the URL given to you by Row Zero. It will look like https://rowzero.io/startlogin?connection=<CONNECTION_NAME>.
      • Note: This URL is different for every customer. You will need to replace CONNECTION_NAME above with an identifier that Row Zero will provide. Your Row Zero contact will tell you what URL to use for your integration.
    3. Find Publisher domain and click Update domain. Select Verify a new domain and set the Publisher domain to rowzero.io (https://rowzero.io). Download the microsoft-identity-association.json file under Step 1 and provide that to your Row Zero contact. We will make the necessary configuration change, and then you can click Verify and save domain.
  3. Go to Authentication
    1. Set Front-channel logout URL to https://rowzero.io/logout
    2. Under Implicit grant and hybrid flows click the checkbox to enable ID tokens (used for implicit and hybrid flows). You do not need to enable Access tokens.
  4. Go to API permissions
    1. Select Add a permission. Choose Microsoft Graph > Delegated permissions.
    2. Select the following permissions:
      • OpenID permissions
        • email
        • openid
        • profile
      • User
        • User.Read
    3. Click Grant admin consent for (your tenant) (Recommended)

3. Configure the Enterprise application

In the Microsoft Entra admin center, go to Applications > Enterprise applications > All applications and select Row Zero.

  1. Go to Properties
    1. Enabled for users to sign-in? Yes (Required)
    2. Check that Homepage URL and Logo match what you configured above.
    3. Assignment required? No (Recommended)
    4. Visible to users? Yes (Recommended)

4. Complete the Integration

Once you have finished configuring Microsoft Entra, contact us at Row Zero so that we can finish configuring the SSO integration on our end.

This is the information that we will need from you, from the steps above:

  1. The OpenID Connect metadata document URL (ends in /.well-known/openid-configuration)
  2. The Client ID for the application
  3. The microsoft-identity-association.json file for verifying our publisher domain

Note: You do not need to share a Client Secret because Row Zero currently uses the OpenID Connect implicit flow for single sign-on with Microsoft Entra.
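
A pre-handoff check for the first two items in the list above, written as an added example (it is not Row Zero's or Microsoft's code). It confirms that the metadata URL is tenant-specific, as the Single tenant setting implies, and that the discovery document advertises the response type, response mode, and scopes this page names. The function name `check_handoff`, the tenant and client IDs, and the metadata excerpt are constructed for illustration.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
SHARED_TENANTS = {"common", "organizations", "consumers"}  # multi-tenant endpoints
# What the flow on this page needs the identity provider to advertise.
REQUIRED = {
    "response_types_supported": {"id_token"},
    "response_modes_supported": {"form_post"},
    "scopes_supported": {"openid", "profile", "email"},
}

def check_handoff(metadata_url, client_id, metadata):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    url = urlparse(metadata_url)
    tenant = url.path.strip("/").split("/")[0].lower()
    if url.scheme != "https":
        problems.append("metadata URL is not https")
    if not url.path.endswith("/.well-known/openid-configuration"):
        problems.append("metadata URL does not end in /.well-known/openid-configuration")
    if tenant in SHARED_TENANTS or not GUID.match(tenant):
        problems.append("metadata URL is not tenant-specific (single tenant expected)")
    if not GUID.match(client_id):
        problems.append("client ID is not a GUID")
    # The issuer in the document must name the same tenant as the URL it came from.
    if tenant not in urlparse(metadata.get("issuer", "")).path.lower():
        problems.append("issuer does not match the tenant in the metadata URL")
    for field, needed in REQUIRED.items():
        missing = needed - set(metadata.get(field, []))
        if missing:
            problems.append(f"{field} lacks {sorted(missing)}")
    return problems

# Constructed sample values (placeholders, not a real tenant or application).
TENANT = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_METADATA = {  # constructed excerpt of a discovery document
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}

if __name__ == "__main__":
    for line in check_handoff(SAMPLE_URL, CLIENT_ID, SAMPLE_METADATA) or ["all checks passed"]:
        print(line)
```

To check your own values, pass the URL and client ID you copied from Overview together with the JSON fetched from that URL and parsed into a dict.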