SSO Guide with Entra ID (formerly Azure AD)

**Adding Honestly from the gallery**

1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
2. Browse to Entra ID > Enterprise apps > New application.
3. In the Add from the gallery section, type Honestly in the search box.
4. Select Honestly from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
5. Open Honestly Enterprise Application and select ‘2. Set up single sign on’

6. In Honestly: Navigate to SSO Page:
    1.  Copy Honestly field ‘Honestly Entity ID’ to Azure field ‘Identifier (Entity ID)’
    2.  Copy Honestly field ‘Honestly ACS URL’ to Azure field ‘Reply URL (Assertion Consumer Service URL)’

7. In Azure:
    1.  Copy Azure field ‘Login URL’ to Honestly field ‘Your provider's SSO URL’
    2.  Copy Azure field ‘Microsoft Entra Identifier’ to Honestly field ‘Your provider's Entity ID’

8. In Azure:

1. 1. Download SAML Certificate ‘Certificate (Base64)’.
   2. Open with text editor and copy contents(including ‘-----BEGIN CERTIFICATE-----’ and ‘-----END CERTIFICATE-----’ to Honestly field ‘x509 Certificate’

9. In Honestly click on ‘Save’ at the bottom

 

**User and group assignment (important)**

For your SSO integration to work correctly, you need to assign all relevant users and/or groups to the Honestly app in your identity provider (in Microsoft Entra ID).

Only users and groups that are explicitly assigned to the SSO setup will be able to sign in to your Honestly organization.

Make sure that all roles that require access to Honestly (for example, admins, HR, managers, employees) are correctly assigned in the identity provider.

If assignments are missing, affected users will not be able to log in, even if SSO is technically configured correctly.

---

**SSO types with Honestly**

There are two main SSO types you can use with Honestly:

1. **Honestly-initiated SSO**

In this flow, users start the login directly on the Honestly login page.

Flow:

- Users enter their email address on the Honestly login page.

- No password needs to be entered in Honestly.

- Authentication is handled by the identity provider.

This option is useful if users are used to logging in directly via the Honestly login page.

2. **Identity Provider-initiated SSO (IdP-initiated)**

In this flow, users start the login directly from the identity provider (for example, Microsoft Entra ID) instead of the Honestly page.

Flow:

- Users click the Honestly app in the identity provider.

- The email address is automatically passed from the identity provider to Honestly.

- Users do not need to manually enter their email address in Honestly.

This option is particularly convenient if you want to manage access centrally via your identity provider (for example, via an app portal or dashboard).

**Note on the “User Access URL” (for IdP-initiated login)**

In your identity provider, you can find a *User Access URL* (or similarly named URL) in the configuration of the Honestly app.

This URL is used when users start the login directly via the identity provider (IdP-initiated login). Make sure that this URL is configured correctly and is accessible for the intended users and/or groups so that the login flow works smoothly.