# Single Sign On (SSO)

If you would like SSO enabled for your organization's service desk, please contact TicketLog support.

Single Sign On with TicketLog is only available:

* With TicketLog Pro
* For service desks with a [custom domain](https://docs.ticket-log.com/documentation/administrators-guide/custom-domain)
* For Microsoft Entra ID as your identity provider (IdP)

## Set up SSO with Entra ID

To set up SSO on your Entra ID tenant, follow these steps:

1. Add a new App Registration to Entra
   * Name it "TicketLog SSO"
   * Single tenant
   * Redirect URI (Web): <https://ticketappb2c.b2clogin.com/ticketappb2c.onmicrosoft.com/oauth2/authresp>
   * Record the **Application (client) ID**
2. Create a Secret
   * Select **Certificates & secrets**, and then select **New client secret**.
   * Enter a **Description** for the secret, select an expiration, and then select **Add**.
   * Record the **Value** of the secret
3. Assign users
   * Either add the users and groups that should have access to TicketLog to the application, or set 'Assignment Required' to No.
   * Note, this does not automatically create TicketLog accounts. Each account is created at the time of first sign in to TicketLog.
4. Set branding & properties (optional)
   * Set a logo and homepage for the application. This can be used in your Enterprise My Apps page (additional configuration is required).
5. Add token claims
   * Select **Token configuration**.
   * Select **Add optional claim**.
   * For the **Token type**, select **ID**.
   * Select the optional claims to add: `email`, `family_name` and `given_name`.
   * Select **Add**.
   * If **Turn on the Microsoft Graph profile permission (required for claims to appear in token)** appears, enable it, and then select **Add** again.
6. Pass details to TicketLog
   * Pass the following details to TicketLog:
     * **Application (client) ID** from above
     * Secret **Value** from above
     * Tenant **primary domain**
       * This is not the name of the tenant.
       * In Azure portal or Entra Admin portal, primary domain appears here:

         <figure><img src="https://2014854803-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FxDo3MABoirR9g57aZyJ1%2Fuploads%2Fgt2kMvnkLIN4e76Yt18L%2Fimage.png?alt=media&#x26;token=260d359e-cd74-4fdc-9639-88f87b4a69b9" alt="" width="563"><figcaption></figcaption></figure>
       * If you don't have a primary domain, we can also accept your \*.onmicrosoft.com domain or your Tenant ID. However, a custom domain name is better as it provides a hint to the login process to improve the sign-up and sign-in process.
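
Before passing the details to TicketLog, the registration can be checked against steps 1, 2 and 5. The script below is an added example, not TicketLog's or Microsoft's code: it assumes the application object has been exported as JSON (for instance with `az ad app show --id <client-id>`), and the function names, the sample objects and the 30-day warning threshold are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Values taken from the setup steps on this page.
REDIRECT_URI = "https://ticketappb2c.b2clogin.com/ticketappb2c.onmicrosoft.com/oauth2/authresp"
REQUIRED_ID_CLAIMS = {"email", "family_name", "given_name"}

def parse_time(value):
    # Assumes UTC timestamps such as 2026-01-01T00:00:00Z; fractions are dropped.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_registration(app, now, warn_days=30):
    """Return findings; an empty list means the export matches steps 1, 2 and 5."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":  # Graph value for single tenant
        findings.append("not single tenant")
    if REDIRECT_URI not in ((app.get("web") or {}).get("redirectUris") or []):
        findings.append("redirect URI missing")
    id_claims = (app.get("optionalClaims") or {}).get("idToken") or []
    missing = REQUIRED_ID_CLAIMS - {c.get("name") for c in id_claims}
    if missing:
        findings.append("missing ID token claims: " + ", ".join(sorted(missing)))
    # Only secrets that have not yet expired count toward step 2.
    live = [t for t in (parse_time(s["endDateTime"])
                        for s in app.get("passwordCredentials") or []) if t > now]
    if not live:
        findings.append("no unexpired client secret")
    elif max(live) - now < timedelta(days=warn_days):
        findings.append("client secret expires within %d days" % warn_days)
    return findings

# Constructed sample exports (not real tenant data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
GOOD = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://ticketappb2c.b2clogin.com/ticketappb2c.onmicrosoft.com/oauth2/authresp"]},
  "optionalClaims": {"idToken": [{"name": "email"}, {"name": "family_name"}, {"name": "given_name"}]},
  "passwordCredentials": [{"displayName": "TicketLog", "endDateTime": "2025-12-31T00:00:00Z"}]
}""")
BAD = dict(GOOD, signInAudience="AzureADMultipleOrgs",
           optionalClaims={"idToken": [{"name": "email"}]},
           passwordCredentials=[{"endDateTime": "2025-01-10T00:00:00.1234567Z"}])

if __name__ == "__main__":
    for name, app in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_registration(app, NOW) or "ok")
```

The export lists each secret's expiry but not its **Value**, so the file can be shared for review without exposing the credential.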

Please note:

* When adding users to Entra, ensure you also set the Email property. Doing so will simplify the user's signup experience.
* When users first sign in to TicketLog using SSO, they will be faced with a signup screen. They need to confirm their email address by sending a verification code.
* Please instruct users to follow the on-screen instructions, and ask that they do NOT alter the email address.
