SSO providers for Operator Control Panel
In the SSO providers for Operator Control Panel section, you can configure authentication providers for logging in to the Operator Control Panel (see Manager settings).
In the current platform version, the only supported SSO provider for the Operator Control Panel is Microsoft Entra ID. To use it, complete the following steps in advance:
- Create a Microsoft Entra ID account at https://entra.microsoft.com/.
- Add an application to Microsoft Entra ID with OpenID Connect support.
- Obtain credentials for SSO configuration.
- Within the Microsoft application, create the users who need access to the Operator Control Panel and assign them to groups.
When signing in to the Operator Control Panel using Microsoft Entra ID:
- The manager name is automatically updated to match your Microsoft account name.
- If no manager exists with the email of your Microsoft account, the platform automatically creates an account.
- Microsoft group-based access restrictions may apply.
Creating an authentication provider
To add an authentication provider for the Operator Control Panel:
- Go to the SSO providers for Operator Control Panel section (see Navigation).
- Click Add. The Authentication Provider's Settings page is displayed.
- In the Provider list, select Microsoft Entra ID.
- Customize the button text on the login page for authorization through this provider:
- In the Button name on sign-in page field, enter the default text. For example: Sign in with Microsoft
- Optionally, add localized button texts:
- Click Add localization. A new field group is displayed.
- In a list, select a language supported by the Operator Control Panel (see Managing language settings).
- Enter the button text in the selected language.
- In the Manager's Roles and Groups section:
- Skip the Activate role synchronization toggle. This feature is not supported in the current version.
If a manager is inactive in the platform, logging in with the same email via an SSO provider is not possible.
- Choose a role for users who log in via this SSO provider but are not yet registered in the Operator Control Panel:
An unregistered user will automatically receive a manager account in the Operator Control Panel. Their name and email will be taken from their Microsoft account, and invalid names will be automatically corrected.
- In the Set default role for new managers list, select the role to be assigned to all users regardless of their Microsoft group (see Managers' roles).
- Optionally, to restrict access to the Operator Control Panel and assign roles to users based on their Microsoft group:
- Click Add the user group. A new field group is displayed.
- In the Microsoft group ID field, enter the group's identifier from Microsoft.
- In the Manager's role in the group list, select the required role (see Managers' roles).
- Repeat for the rest of the required groups, assigning roles as needed.
If a user is a member of several groups in Microsoft, during registration the platform assigns the role for the last one from the list.
The specified groups restrict not only automatic registration of new users, but also login to the Operator Control Panel for registered users. If at least one group is added, users in other groups and users without a group will not be able to register or log in to the Operator Control Panel via this SSO provider.
- In the SSO Keys section:
- In the OAuth Client field, enter the client ID.
- In the OAuth Authentication Flow list, select Authorization code.
- In the OAuth Client Type field, select Confidential.
- In the OAuth Client Secret field, enter the client secret.
- In the OAuth URL field, enter the redirect URL for the Operator Control Panel.
- In the OAuth Scope field, enter the required permissions.
You can find the required values in Microsoft Entra ID under Identity > Applications > App registrations > <ActivePlatform application> > Endpoints.
- Click Create. The created authentication provider will now be available for login configuration in the Operator Control Panel (see Manager settings).
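Before saving group restrictions, it helps to check who would be locked out and which role each new user would receive. The following is an added example, not the platform's code: it models the rules stated in the Manager's Roles and Groups section. It assumes that "the last one from the list" means the last matching row in the configured group list, and that an existing manager keeps the stored role because role synchronization is not supported. All names, group IDs and roles are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class ProviderConfig:
    default_role: str                      # "Set default role for new managers"
    # Ordered (Microsoft group ID, role) rows, as entered under "Add the user group"
    group_roles: list = field(default_factory=list)

@dataclass
class Manager:                             # existing Operator Control Panel account
    role: str
    active: bool = True

def evaluate_login(cfg, user_groups, manager=None):
    """Return (allowed, role, reason) for one sign-in attempt via the SSO provider."""
    if manager is not None and not manager.active:
        return (False, None, "manager inactive in the platform")
    # Configured rows the user matches, kept in configuration order.
    matched = [role for gid, role in cfg.group_roles if gid in user_groups]
    if cfg.group_roles and not matched:
        return (False, None, "not a member of any configured group")
    if manager is not None:
        # Assumption: role synchronization is unsupported, so the stored role stays.
        return (True, manager.role, "existing manager")
    if matched:
        # Assumption: "last one from the list" = last matching configured row.
        return (True, matched[-1], "new manager, role of last matching group")
    return (True, cfg.default_role, "new manager, default role")

def audit(cfg, directory, managers):
    """Map each email to its evaluate_login() result for a pre-change review."""
    return {email: evaluate_login(cfg, set(groups), managers.get(email))
            for email, groups in directory.items()}

# Constructed sample data: group IDs, role names and emails are placeholders.
CFG = ProviderConfig("Viewer", [("11111111-aaaa", "Support"), ("22222222-bbbb", "Admin")])
DIRECTORY = {
    "new.both@example.com": ["22222222-bbbb", "11111111-aaaa"],
    "new.none@example.com": [],
    "old.other@example.com": ["33333333-cccc"],
    "old.inactive@example.com": ["11111111-aaaa"],
}
MANAGERS = {"old.other@example.com": Manager("Admin"),
            "old.inactive@example.com": Manager("Support", active=False)}

if __name__ == "__main__":
    for email, result in audit(CFG, DIRECTORY, MANAGERS).items():
        print(email, result)
```

The `old.other@example.com` case shows the lock-out to watch for: an already registered manager, here with a high-privilege role, loses SSO login as soon as the first group row is added if they are not in a listed group.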
Viewing and updating authentication provider information
To view or update authentication provider settings for the Operator Control Panel:
- Go to the SSO providers for Operator Control Panel section (see Navigation). A list of authentication providers is displayed, including the following columns:
- Provider — the name of the authentication provider.
- Role synchronization — indicates whether role synchronization with the platform is enabled.
- Default role — the role assigned by default to users logging in through this provider who are not yet registered in the Operator Control Panel.
- Click the name of the required authentication provider. The authentication provider settings page is displayed. It is similar to the page used during creation, with the following restriction: the Provider selection cannot be changed if the provider is used in the login configuration of the Operator Control Panel (see Manager settings).
- Modify the provider settings as needed and click Update.
- If you need to delete the authentication provider, click Delete and confirm the action. Deletion is not available if the provider is used in the login configuration of the Operator Control Panel (see Manager settings).