Single Sign-On (SSO) Integration

Integrate your organization's identity provider with Exepron for seamless, secure authentication using OpenID Connect (OIDC) and other SSO protocols.

Overview

Single Sign-On (SSO) allows your users to authenticate with Exepron using their existing organizational credentials through your identity provider. This provides several benefits:

Enhanced Security

Centralized authentication with your existing security policies and MFA

Better User Experience

Users log in once with their familiar corporate credentials

Simplified Management

Automatic user provisioning and deprovisioning through your IdP

Supported Protocols

Exepron supports the following SSO protocols:

  • OpenID Connect (OIDC) - Recommended for modern applications
  • OAuth 2.0 - For authorization-focused integrations

Recommendation: We strongly recommend using OpenID Connect (OIDC) for SSO integration due to its security features, standardization, and out-of-the-box compatibility with most identity providers.

Built-in SSO Providers

Exepron comes pre-configured with popular SSO providers that are available to all users by default:

Google

Sign in with your Google Workspace or Gmail account

Available Now

Microsoft

Sign in with your Microsoft 365 or Azure AD account

Available Now

Accessing Built-in Providers

Users can access these providers in two ways:

1. Login Screen

Built-in providers appear as buttons on the main login page:

https://proid.exepron.com/Identity/Account/Login

2. Profile Settings

After logging in with email/password, users can link their account to external providers:

  1. Navigate to Profile Settings → External Logins
  2. Click on the provider you want to link (Google, Microsoft, etc.)
  3. Authenticate with the external provider
  4. Your accounts will be linked for future logins

Self-Service SSO Management

Account administrators can now configure and manage their own SSO providers directly through the Identity Server administration interface, without requiring Exepron support.

New Feature: Self-service SSO management allows you to create, edit, and manage SSO providers for your account instantly.

Accessing SSO Provider Management

Navigate to the SSO Providers management page:

https://proid.exepron.com/Identity/Account/Manage/SsoProviders

Requirements:

  • You must be logged in to the Identity Server
  • You must have the Administrator role (RoleID = 1) for at least one account

Creating an SSO Provider

Click the "Create New SSO Provider" button and fill in the following fields:

Field | Required | Description
Display Name | Yes | User-friendly name shown on the login page (e.g., "Acme Corp SSO")
Authentication Scheme | Yes | Unique identifier. Must start with a letter, only alphanumeric, underscore, and hyphen allowed (e.g., "AcmeCorp-SSO")
Authority URL | Yes | OpenID Connect authority URL from your IdP (e.g., https://login.microsoftonline.com/{tenant}/v2.0)
Client ID | Yes | Application/Client ID from your identity provider
Client Secret | No | Client secret if required by your IdP (stored securely)
Response Type | No | OAuth response type (defaults to "code")
Icon URL | No | URL to an icon displayed on the login button

Editing an SSO Provider

Click the edit button (pencil icon) on any provider to modify its configuration. All fields can be edited, including the Authentication Scheme.

Changing Authentication Scheme: When you change the Authentication Scheme name:
  • All existing user logins are automatically migrated to the new scheme
  • Callback URLs are automatically updated
  • Changes take effect immediately (no restart required)
  • Update your IdP configuration with the new callback URLs

Client Secret Handling

When editing, the client secret field shows a masked value with a lock icon:

  • Locked: Click to unlock and enter a new secret
  • Unlocked: Enter a new secret, or leave empty to keep the existing one

Enable/Disable Provider

Use the toggle button to enable or disable an SSO provider:

  • Enabled: Provider appears on the login page for your account
  • Disabled: Provider is hidden but configuration is preserved

Deleting a Provider

Click the delete button (trash icon) to remove a provider. Note:

  • You cannot delete a provider that is linked to SCIM clients - unlink them first
  • All user login associations with this provider will be removed
  • Users who only had this SSO method will need to register again or use another login method

Important: Deleting an SSO provider permanently removes all user login records associated with it. Users who were using this provider to log in will no longer be able to authenticate with it.

Callback URLs for Your IdP

When creating an SSO provider, configure these callback URLs in your identity provider:

Redirect URI (Sign-in callback):

https://proid.exepron.com/signin-{your-scheme}

Example: https://proid.exepron.com/signin-acmecorp-sso

Post-logout Redirect URI:

https://proid.exepron.com/signout-callback-{your-scheme}

Front-channel Logout URI (optional):

https://proid.exepron.com/signout-{your-scheme}

Dynamic Reload: SSO provider changes take effect immediately without requiring a server restart. Users can start using the new or updated provider right away.
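
A pre-flight check for the fields and callback URLs above, as an added example that is not Exepron's code: it applies the Authentication Scheme rule from the field table, fills in the three callback URL templates, and compares the planned Authority URL and Response Type with the IdP's OIDC discovery document. The idp.example.com host, SAMPLE_DISCOVERY and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BASE = "https://proid.exepron.com"
# Field-table rule: starts with a letter, then letters, digits, "_" or "-".
SCHEME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")

# Constructed discovery document for a hypothetical IdP.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com/tenant-a",
    "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
    "jwks_uri": "https://idp.example.com/tenant-a/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

def callback_urls(scheme):
    """Fill in the callback templates from this page for one scheme name.

    Assumption: the scheme is substituted into the path exactly as entered.
    """
    if not SCHEME_RE.fullmatch(scheme):
        raise ValueError(f"invalid Authentication Scheme: {scheme!r}")
    return {
        "redirect_uri": f"{BASE}/signin-{scheme}",
        "post_logout_redirect_uri": f"{BASE}/signout-callback-{scheme}",
        "frontchannel_logout_uri": f"{BASE}/signout-{scheme}",
    }

def preflight(authority, response_type, discovery):
    """Return problems found when comparing planned settings with the IdP's
    <authority>/.well-known/openid-configuration document (already parsed)."""
    problems = []
    parts = urlsplit(authority)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("Authority URL must be an absolute https:// URL")
    # The advertised issuer must equal the Authority URL (trailing "/" ignored here).
    if discovery.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer {discovery.get('issuer')!r} does not match Authority URL")
    if response_type not in discovery.get("response_types_supported", []):
        problems.append(f"IdP does not advertise response type {response_type!r}")
    if not discovery.get("jwks_uri", "").startswith("https://"):
        problems.append("jwks_uri missing or not https")
    return problems
```

An empty list from preflight means the Authority URL and Response Type agree with what the IdP advertises; register the URLs from callback_urls in the IdP before testing.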

Custom SSO Integration

Account administrators can configure custom SSO providers directly through the Self-Service SSO Management interface. This is the recommended approach for most organizations.

Self-Service First: Most SSO configurations can be completed by administrators without assistance. Use the Self-Service SSO Management section above for step-by-step instructions.

When to Contact Support

Contact customersupport@exepron.com only for:

  • Complex federation scenarios requiring special configuration
  • Custom claim mappings beyond standard OIDC claims
  • Troubleshooting integration issues after self-service setup
  • SAML-only providers (OIDC recommended)

Self-Service Configuration Process

To set up custom SSO for your organization:

1. Gather Required Information

Collect the OIDC configuration details from your identity provider (see Required Information section below)

2. Access SSO Provider Management

Navigate to Profile Settings → SSO Providers in the Exepron Identity Server

Direct URL: https://proid.exepron.com/Identity/Account/Manage/SsoProviders

3. Create Your SSO Provider

Click "Add SSO Provider" and enter:

  • Display Name (shown on login page)
  • Authentication Scheme (unique identifier)
  • Authority URL, Client ID, Client Secret
  • Optional: Icon URL for branding

4. Configure Your Identity Provider

Copy the Callback URL from Exepron and configure it in your IdP's redirect URI settings

5. Testing & Go-Live

Test the SSO flow with pilot users before rolling out to your entire organization. Changes take effect immediately.

Account-Specific SSO

When administrators create SSO providers through the Self-Service SSO Management interface, these providers are automatically account-specific. This means they only appear for users belonging to your account.

Account-specific SSO is useful for:

  • Enterprise clients with their own identity provider
  • Organizations requiring private SSO integration
  • Multi-tenant scenarios where each tenant has their own IdP

Account Context Parameter

To see account-specific SSO providers on the login page, users must include the account query parameter:

https://proid.exepron.com/Identity/Account/Login?account=YOUR_ACCOUNT_ID

Example:

If your account ID is 1234, your custom login URL would be:

https://proid.exepron.com/Identity/Account/Login?account=1234

Users accessing this URL will see:

  • Standard login form (email/password)
  • Built-in providers (Google, Microsoft)
  • Your custom SSO provider (only if configured for account 1234)

Required Information for SSO Setup

When configuring an SSO provider, you will need the following information from your OpenID Connect identity provider:

Authority URL

Description: The base URL of your OpenID Connect provider

Example: https://login.microsoftonline.com/{tenant-id}/v2.0

Also known as: Issuer URL, Discovery Endpoint Base

Client ID

Description: Your application's unique identifier registered with the identity provider

Example: a1b2c3d4-e5f6-7890-abcd-ef1234567890

Also known as: Application ID, App ID

Client Secret

Description: Your application's secret key for secure communication

Example: Abc123Def456Ghi789...

Security: This will be stored encrypted in Exepron's database

Response Type

Description: The OAuth 2.0 / OIDC flow to use

Supported values:

  • id_token - Implicit flow (most common)
  • code - Authorization code flow
  • code id_token - Hybrid flow

Recommended: id_token for simplicity

Remote Sign-Out Path

Description: The endpoint for remote sign-out (optional)

Example: /signout-callback-oidc

Purpose: Enables single logout across all applications

Display Name

Description: The name shown to users on the login button

Example: "Acme Corporation SSO", "Company Login"

Tip: Keep it short and recognizable for your users

Icon URL (Optional)

Description: URL to an icon displayed on the login button (28×28 pixels)

Format: HTTP or HTTPS URL to an image file

Example: https://yourcompany.com/logo.png

Tip: For best results, use a square image (e.g., 56×56px or smaller) that scales well to 28×28 pixels.

Callback URLs to Configure in Your IdP

You'll need to register these callback URLs in your identity provider:

Redirect URI (Sign-in callback):

https://proid.exepron.com/signin-oidc

Post-logout Redirect URI:

https://proid.exepron.com/signout-callback-oidc

Authentication Flow

Understanding how SSO authentication works with Exepron:

SSO Login Process

  1. User Initiates Login

    User clicks on the SSO provider button or accesses the direct SSO URL using the provider's unique ID (GUID) from the SSO Providers table

    https://proid.exepron.com/Identity/Account/SsoLogin?id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

  2. Redirect to Identity Provider

    Exepron redirects the user to your identity provider's authentication page

  3. User Authenticates

    User enters credentials (and MFA if required) at your IdP

  4. IdP Returns ID Token

    Upon successful authentication, IdP redirects back to Exepron with an ID token containing user information

  5. Exepron Validates Token

    Exepron validates the ID token signature and claims

  6. User Mapping

    Exepron maps the external user ID (from the sub or name identifier claim) to an Exepron user account

  7. Session Created

    User is logged into Exepron and redirected to the application

Required Claims

Your identity provider must return these claims in the ID token:

Claim | Description | Required
sub or nameidentifier | Unique external user identifier (used for account mapping) | Yes
email | User's email address | Recommended
name | User's full name | Recommended
given_name | User's first name | Optional
family_name | User's last name | Optional

User Provisioning and Mapping

There are two methods to provision users and map their SSO identity to Exepron accounts:

Method 1: Manual Provisioning

Account administrators can manually create and map users:

  1. Create the user account in Exepron through the admin interface
  2. User logs in for the first time using SSO
  3. Exepron automatically links the external identity to the existing user account based on email matching

Email Matching: When a user logs in via SSO for the first time, Exepron looks for an existing user with the same email address. If found, the external identity is automatically linked to that account.

Method 2: Automated Provisioning via SCIM

For larger organizations, use SCIM (System for Cross-domain Identity Management) for automated user provisioning:

  • Automatic user creation when assigned in your IdP
  • Automatic user deactivation when removed from your IdP
  • Attribute synchronization (name, email, etc.)
  • Group membership management

Critical - objectId Mapping Required: When configuring SCIM provisioning, you must map the objectId attribute (Azure AD) or equivalent unique identifier from your IdP to the SCIM externalId field. SSO uses this identifier to match authenticated users to their Exepron accounts. If you use a different attribute, SSO login will fail after SCIM provisioning.

For complete SCIM configuration instructions, see the SCIM User Provisioning Guide.

External Login Management

Users can view and manage their linked external logins in their profile:

  1. Navigate to Profile Settings → External Logins
  2. View all connected identity providers
  3. Add new external logins
  4. Remove existing external logins

Important: If a user removes all authentication methods (password and external logins), they will not be able to log in. Ensure users have at least one valid authentication method.

Testing & Troubleshooting

Testing Your SSO Integration

After configuring your SSO provider, follow these steps to test:

1. Access the SSO Login URL

Use the direct SSO URL (copy it from the SSO Providers table by clicking the copy icon next to the provider ID):

https://proid.exepron.com/Identity/Account/SsoLogin?id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Or, for the account-specific login page showing the SSO button:

https://proid.exepron.com/Identity/Account/Login?account=YOUR_ACCOUNT_ID

2. Verify Redirection

Ensure you're redirected to your identity provider's login page

3. Authenticate

Log in with a test user account

4. Verify Success

You should be redirected back to Exepron and logged in successfully

Common Issues and Solutions

Provider button doesn't appear on login page

Possible causes:

  • Provider is not enabled (Enabled = false)
  • Provider is not visible (Visible = false)
  • Account-specific provider requires ?account=ID parameter

Solution: Check the SSO Provider settings in Profile Settings → SSO Providers. Ensure the provider is enabled and visible. For account-specific providers, ensure users access the login page with the ?account=ID parameter.

Redirect loop or infinite redirect

Possible causes:

  • Incorrect callback URL configured in IdP
  • Cookie issues or browser privacy settings

Solution: Verify that the callback URLs match exactly, clear cookies, and try a different browser.

"Invalid token" or authentication fails

Possible causes:

  • Incorrect Client ID or Client Secret
  • Clock skew between servers
  • Token signature validation failing

Solution: Edit your SSO provider in Profile Settings → SSO Providers to verify the Client ID and Client Secret are correct. Check that the Authority URL matches your identity provider's OIDC discovery endpoint. If issues persist, contact customersupport@exepron.com.
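
To narrow down the "Invalid token" causes above, the following added example (not Exepron's validation code) decodes the payload of a captured ID token and checks it against the Authority URL, the Client ID, a clock-skew window and the Required Claims table. The sample token, the function names and the 300-second tolerance are assumptions; the signature is not verified, so the result is diagnostic only.

```python
import base64
import json
import time

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Constructed, unsigned test token: header.payload.placeholder-signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"

def decode_payload(id_token):
    """Read the claims WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    segment = parts[1]
    # base64url in JWTs drops "=" padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(claims, authority, client_id, now=None, skew=300):
    """Return findings for the causes listed under "Invalid token"."""
    now = time.time() if now is None else now
    out = []
    if claims.get("iss") != authority:
        out.append("ERROR iss does not match the Authority URL")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        out.append("ERROR aud does not contain the Client ID")
    if claims.get("exp", 0) + skew < now:
        out.append("ERROR token expired (or exp missing)")
    if claims.get("iat", now) - skew > now:
        out.append("ERROR iat is in the future: clock skew")
    # OIDC ID tokens carry the user identifier in the "sub" claim.
    if not claims.get("sub"):
        out.append("ERROR sub missing: no identifier for account mapping")
    for name in ("email", "name"):  # "Recommended" in the Required Claims table
        if not claims.get(name):
            out.append(f"WARN {name} missing")
    return out
```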

User logged in but account not found

Possible causes:

  • User not provisioned in Exepron
  • Email mismatch between SSO and Exepron account

Solution: Create the user manually or set up SCIM provisioning.

Support and Assistance

For assistance with SSO integration or troubleshooting:

Email Support

customersupport@exepron.com

Include your account ID and provider ID in your message

Quick Reference

SSO URLs

# Main login page (shows built-in providers)
https://proid.exepron.com/Identity/Account/Login

# Login with account context (shows account-specific providers)
https://proid.exepron.com/Identity/Account/Login?account=YOUR_ACCOUNT_ID

# Direct SSO login using provider ID (GUID format - secure)
https://proid.exepron.com/Identity/Account/SsoLogin?id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

# You can copy the direct SSO URL from the SSO Providers table

Provider ID (GUID): Each SSO provider has a unique identifier (GUID) that's displayed in the SSO Providers management table. Click the copy icon to get the direct SSO URL for your users. GUIDs are secure because they cannot be guessed.

Exepron Callback URLs (for IdP configuration)

# Sign-in callback
https://proid.exepron.com/signin-oidc

# Sign-out callback
https://proid.exepron.com/signout-callback-oidc

Contact Information

Customer Support

customersupport@exepron.com

For custom SSO setup, troubleshooting, and SCIM provisioning assistance