
Single Sign On (SSO) in ControlOffice

Many organizations use a central system to identify and authenticate users, such as Microsoft’s Entra ID. This is known as an Identity & Access Management (IAM) system. ControlOffice supports the OpenID Connect protocol to integrate with such an IAM system.


Hybrid Solution
ControlOffice supports a hybrid approach. This means it is possible to use both ControlOffice users and SSO users simultaneously.
An SSO user can be recognized by the checkbox “Logs in via SSO”. Such a user cannot log in with a username and password in ControlOffice but must use the “Single Sign-On” button on the login screen.

Manual User Entry
To allow users to log in via SSO, they must first be registered in ControlOffice. This can be done manually in the same way as a regular ControlOffice user: the user is added, assigned to user groups, and linked to an employee (or a new employee is created in ControlOffice).
The actual linkage is based on the username, which must match a value in one of the claims provided by the IAM system. This could be the user’s email address, for example. During setup of the IAM integration, you can configure which claim should be used.
Additionally, the “Logs in via SSO” checkbox must be enabled. This tells ControlOffice to treat the user as an SSO user.

Connecting to an IAM System
Client in IAM System
A client must be registered in the IAM system. The name for this varies depending on the IAM platform (in Entra ID, this is called an “App registration”).
This client only needs to support login and reading the user profile (in Entra ID, this is the API permission “User.Read”).
Ensure that the client is configured to generate both access tokens and ID tokens.

During the login process, ControlOffice will request the following OpenID Connect scopes:

  • openid

  • email

  • offline_access

Make sure the IAM system can handle these scopes.
You’ll also need a redirect URI, which is used to return to ControlOffice after a successful login via the IAM system. The redirect URI is the URL of your ControlOffice site followed by /signin-oidc, for example:
https://yourcompany.controloffice.nl/signin-oidc

Registering the Integration
The registration of the IAM integration must be done by the ControlOffice back-office; it cannot be configured from within ControlOffice itself.

To complete the integration, the following information must be registered in ControlOffice:

  • Authority: The authority or issuer URI
    For Entra ID, this is:
    https://login.microsoftonline.com/{tenant ID}/v2.0
    You can find the tenant ID in the Overview blade of the app registration.

  • Client ID: The ID that the IAM system uses to identify the client
    In Entra ID, this is a UUID labeled “Application (client) ID” in the Overview blade.

  • Client Secret: The secret used to authorize access to the client
    In Entra ID, a client secret can be created under Manage → Certificates & Secrets.

  • Username claim: The full name of the claim used to match against the stored username in ControlOffice
    To use an email address as the ControlOffice username, for example, use the claim:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
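The user matching described under "Manual User Entry" (registered user, "Logs in via SSO" flag, configured username claim) together with the scope and redirect URI details from "Client in IAM System", as an added Python example that is not ControlOffice code. The authority, client ID and user table are constructed placeholders, and the issuer/audience check placed before the claim lookup is an assumption about where such a check belongs, not something the page states.

```python
from dataclasses import dataclass

# Values taken from the page: the claim type matched against the stored
# ControlOffice username, and the scopes ControlOffice requests at login.
USERNAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
REQUESTED_SCOPES = ("openid", "email", "offline_access")

# Constructed integration settings (placeholders, not a real tenant or client).
AUTHORITY = "https://login.microsoftonline.com/{tenant ID}/v2.0"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"

@dataclass
class User:
    username: str
    logs_in_via_sso: bool  # the "Logs in via SSO" checkbox

# Constructed sample user table: one SSO user and one regular ControlOffice user.
USERS = {
    "alice@yourcompany.example": User("alice@yourcompany.example", True),
    "bob": User("bob", False),
}

def redirect_uri(site_url):
    """Redirect URI to register in the IAM client: site URL + /signin-oidc."""
    return site_url.rstrip("/") + "/signin-oidc"

def missing_scopes(granted):
    """Requested scopes the IAM system did not grant."""
    return [s for s in REQUESTED_SCOPES if s not in granted]

def resolve_sso_user(claims, users=USERS, username_claim=USERNAME_CLAIM):
    """Map the claims of a signature-checked ID token to a ControlOffice user.

    Assumes short claim names were already mapped to the long claim types
    (as ASP.NET's token handler does by default); iss and aud stay as-is.
    """
    if claims.get("iss") != AUTHORITY or claims.get("aud") != CLIENT_ID:
        raise PermissionError("token not issued by the configured authority for this client")
    value = claims.get(username_claim)
    if not value:
        raise PermissionError("token lacks the configured username claim")
    user = users.get(value)  # exact match against the stored username
    if user is None:
        raise PermissionError("user not registered in ControlOffice (manual entry required)")
    if not user.logs_in_via_sso:
        raise PermissionError("user is not flagged 'Logs in via SSO'; password login only")
    return user
```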