Configuring single sign-on for logging in
Who is this article for?
Users and IT Administrators wanting to configure SSO for login.
IT Administrator permissions are required.
Disclose supports Single Sign-On (SSO) using SAML, allowing users at your organisation to log in using their existing company credentials via your Identity Provider (IdP), such as Microsoft Entra ID.
1. Understanding the setup process
This guide covers the setup process from two perspectives:
- The customer's IT or user administrator, who configures the Identity Provider and manages user accounts in Disclose
- The Ideagen support engineer, who configures the SSO connection on the Disclose application back end
Both sides must complete their steps before SSO will work. Coordinate with your Ideagen support contact throughout the process.
2. Agreeing initial details before configuration
Before configuring SSO, agree the following with your Ideagen support contact:
- The name and email address of the technical contact at your organisation (the person Ideagen will liaise with)
- The SSO Tenant Name that will be used. This will normally be the company name or an abbreviation of it, without spaces or punctuation (for example, 'Big Company Ltd' might become 'bigcompany', and 'Able, Baker & Charlie Chartered Accountants' might become 'ABCCA'). The tenant name appears in every Disclose SSO URL, so agree it once and use it consistently.
3. Configuring your Identity Provider
Ideagen will supply the following values on request, but they follow a predictable format once your SSO tenant name is agreed:
- Service Provider ID (Entity ID): https://disclose.ideagenpentana.com/[SSO tenant name]
- Assertion Consumer Service (ACS) URL: https://disclose.ew2.ideagenpentana.com/SSO/ACS/[SSO tenant name]
- Email Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- First Name Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last Name Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Note: The claim URIs above are the defaults. If your IdP uses different attribute names, let your Ideagen support engineer know.
Sign Authorisation Requests, Want Assertions Signed, and Encrypt Assertions all default to OFF. Specify if any of these should be set to ON. These are the standard SAML options for signing the authentication request Disclose sends to your IdP, requiring the assertion your IdP returns to be signed, and requiring it to be encrypted. Whatever you choose must match how the IdP application is configured; a mismatch between the two sides is a common cause of failed logins.
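As an added example (not Disclose's or Ideagen's own code), the following Python derives the tenant-specific values listed above from the agreed SSO tenant name, enforces the "no spaces or punctuation" rule, and emits SAML 2.0 SP metadata that can be uploaded to an IdP which accepts a metadata file instead of typing the values in by hand. It assumes the ACS uses the HTTP-POST binding and that tenant names are restricted to ASCII letters and digits; neither is stated on this page.

```python
import re
from xml.etree import ElementTree as ET

# Disclose endpoints and default claim URIs as quoted in the article.
SP_BASE = "https://disclose.ideagenpentana.com"
APP_BASE = "https://disclose.ew2.ideagenpentana.com"
CLAIM_URIS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
)
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Assumption: the ACS accepts the HTTP-POST binding (the usual choice; the article does not say).
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def validate_tenant_name(name: str) -> str:
    """Reject tenant names that break the 'no spaces or punctuation' rule.

    Assumption: ASCII letters and digits only; the article gives no stricter rule.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        raise ValueError(f"invalid SSO tenant name {name!r}: letters and digits only")
    return name


def sp_urls(tenant: str) -> dict:
    """Derive the three tenant-specific URLs the article lists."""
    tenant = validate_tenant_name(tenant)
    return {
        "entity_id": f"{SP_BASE}/{tenant}",
        "acs_url": f"{APP_BASE}/SSO/ACS/{tenant}",
        "login_url": f"{APP_BASE}/Account/Login/{tenant}",
    }


def build_sp_metadata(tenant: str, want_assertions_signed: bool = False) -> str:
    """Return SAML 2.0 SP metadata XML describing Disclose for this tenant.

    The signing flags mirror the article's defaults (OFF) unless overridden.
    """
    urls = sp_urls(tenant)
    ET.register_namespace("md", MD_NS)

    def md(local: str) -> str:
        return f"{{{MD_NS}}}{local}"

    root = ET.Element(md("EntityDescriptor"), entityID=urls["entity_id"])
    sso = ET.SubElement(
        root, md("SPSSODescriptor"),
        protocolSupportEnumeration=SAML2_PROTOCOL,
        AuthnRequestsSigned="false",
        WantAssertionsSigned="true" if want_assertions_signed else "false",
    )
    ET.SubElement(
        sso, md("AssertionConsumerService"),
        Binding=POST_BINDING, Location=urls["acs_url"], index="0", isDefault="true",
    )
    # Advertise the three claims Disclose expects so IdPs that honour
    # RequestedAttribute release them under the default URIs.
    acs = ET.SubElement(sso, md("AttributeConsumingService"), index="0")
    name = ET.SubElement(acs, md("ServiceName"))
    name.set("{http://www.w3.org/XML/1998/namespace}lang", "en")
    name.text = "Ideagen Disclose"
    for uri in CLAIM_URIS:
        ET.SubElement(acs, md("RequestedAttribute"), Name=uri, isRequired="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(sp_urls("bigcompany"))
    print(build_sp_metadata("bigcompany"))
```

Entra ID ignores RequestedAttribute and needs the claims mapped in its own UI, but the entityID and ACS URL in the file are what its "Upload metadata file" option reads. Pass want_assertions_signed=True only if you have agreed with Ideagen to turn Want Assertions Signed ON.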
4. Providing your metadata to Ideagen
Once your IdP application is set up, send your Ideagen support contact either:
- A federation metadata XML file, or
- A metadata URL
Ideagen will use this to complete the Disclose-side configuration.
5. Understanding user account requirements
SSO users are identified in Disclose by their UPN (User Principal Name), which is stored in a field called SyncID. An SSO login is matched to an existing account only by SyncID, so an SSO account and a manually created account are treated as different users even when they belong to the same person.
Before going live with SSO, review all existing user accounts in Disclose and identify which scenario applies:
- Users created manually in Disclose: These accounts cannot be used for SSO. Each user must be re-created, either by letting them log in via SSO (which auto-provisions a new account) or by importing them via CSV prior to their first login attempt. Assign licences and group memberships to the new accounts.
- Users imported via CSV, but SyncID does not match their UPN: Disclose will treat these users as new when they log in via SSO and auto-provision a new account. Re-import the users with the correct UPN, then assign licences and groups.
- Users imported via CSV and SyncID matches their UPN: No action needed. These users can log in via SSO immediately.
Important: If you have manually-created users, do not simply enable SSO without deciding on a user migration strategy. A user who logs in via SSO without a matching SyncID account will be auto-provisioned as a brand new user with no licence or group memberships. Note that SyncIDs are case sensitive: a SyncID that differs from the UPN only in letter case does not match, and the user will be auto-provisioned as new.
6. Migrating existing users
Where migration is needed, follow these steps before SSO goes live:
- Review current users' group memberships and licence assignments in Disclose.
- Prepare a CSV file of all users to be migrated, with their correct UPN as the SyncID, and their group membership.
- Import the CSV into Disclose.
- Coordinate with your Ideagen support contact to enable SSO.
- Once SSO is confirmed working, revoke licences from the old user profiles.
- Assign licences to the new user accounts.
Other considerations for migrating users:
- Restricted clients: Some clients are restricted to specific users or groups. Before starting, check if clients are restricted and assign the new users accordingly before switching.
- Comments: Users can leave comments within answer sets. Only the comment's creator can edit or delete it, so comments made by an 'old' user profile cannot be edited or deleted by the replacement account.
- Offline answer sets: If using offline answer sets, ensure they are set online before switching users.
Note: Guidance on importing users via CSV is in the article 'Importing clients using a CSV file'.
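The pre-migration review in sections 5 and 6 is easy to get wrong by hand, particularly the case-sensitivity rule. As an added example that is not part of this article or of Disclose, the Python below takes a user export and the list of UPNs the IdP will send, sorts every UPN into the scenarios described above, and produces the re-import CSV with the exact UPN as SyncID and group memberships carried over. The column names (Email, SyncID, Groups) and the matching of old accounts to UPNs by email address are assumptions; adjust them to the real export and import template. Licence revocation and assignment remain manual steps.

```python
import csv
import io

# Constructed sample data, not from the article. Column names are an assumption;
# match them to the real Disclose export and CSV import template.
DISCLOSE_USERS_CSV = """Email,SyncID,Groups
alice@bigcompany.example,alice@bigcompany.example,Auditors
bob@bigcompany.example,Bob@BigCompany.example,Auditors;Reviewers
carol@bigcompany.example,,Reviewers
dave@bigcompany.example,dave.old@bigcompany.example,Auditors
"""

# UPNs the IdP will send for the people who should have access (constructed).
IDP_UPNS = [
    "alice@bigcompany.example",
    "bob@bigcompany.example",
    "carol@bigcompany.example",
    "dave@bigcompany.example",
    "erin@bigcompany.example",
]


def _index(export_csv: str):
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    by_syncid = {r["SyncID"]: r for r in rows if r["SyncID"]}
    by_syncid_ci = {r["SyncID"].lower(): r for r in rows if r["SyncID"]}
    by_email_ci = {r["Email"].lower(): r for r in rows}
    return by_syncid, by_syncid_ci, by_email_ci


def classify_users(export_csv: str, upns: list) -> dict:
    """Sort each UPN into the article's scenarios before SSO goes live.

    Assumption: when the SyncID does not match, an existing account is matched
    to a UPN by email address, compared case-insensitively.
    """
    by_syncid, by_syncid_ci, by_email_ci = _index(export_csv)
    report = {
        "ready": [],            # SyncID matches the UPN exactly: no action
        "case_mismatch": [],    # differs only in case: SyncID is case sensitive, still a NEW user
        "syncid_mismatch": [],  # imported with the wrong SyncID: re-import
        "manual_account": [],   # no SyncID at all: re-create via CSV
        "no_account": [],       # not in Disclose yet: would be auto-provisioned unlicensed
    }
    for upn in upns:
        if upn in by_syncid:
            report["ready"].append(upn)
        elif upn.lower() in by_syncid_ci:
            report["case_mismatch"].append(upn)
        elif upn.lower() in by_email_ci:
            if by_email_ci[upn.lower()]["SyncID"]:
                report["syncid_mismatch"].append(upn)
            else:
                report["manual_account"].append(upn)
        else:
            report["no_account"].append(upn)
    return report


def migration_csv(export_csv: str, upns: list) -> str:
    """Build the re-import CSV for every user that is not already ready:
    exact UPN as SyncID, group memberships copied from the old profile."""
    report = classify_users(export_csv, upns)
    _, by_syncid_ci, by_email_ci = _index(export_csv)
    needs_import = set(report["case_mismatch"] + report["syncid_mismatch"] + report["manual_account"])

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Email", "SyncID", "Groups"])
    for upn in upns:
        if upn in needs_import:
            old = by_syncid_ci.get(upn.lower()) or by_email_ci[upn.lower()]
            writer.writerow([old["Email"], upn, old["Groups"]])
    return out.getvalue()


if __name__ == "__main__":
    for scenario, users in classify_users(DISCLOSE_USERS_CSV, IDP_UPNS).items():
        print(f"{scenario}: {users}")
    print(migration_csv(DISCLOSE_USERS_CSV, IDP_UPNS))
```

Users in no_account need a decision before go-live: either add them to the CSV with their licence and groups, or accept that they will be auto-provisioned without access. Users in ready need nothing; everyone else gets a new account from the re-import and their old profile's licence is revoked once SSO is confirmed working.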
7. Sharing the user login URL
Once SSO is enabled, your users will log in at:
https://disclose.ew2.ideagenpentana.com/Account/Login/[SSO tenant name]
Share this URL with your users once the setup is complete and tested.
8. Configuring the back end (Ideagen Support)
To configure SSO on the Disclose back end:
- Log in to Disclose as a system administrator.
- Navigate to System Administration.
- Select Tenants.
- Select the relevant tenant.
- From the action menu, select Configure SSO.
Populate the fields as follows:
- SSO Enabled: ON
- SSO Contact Email: [Technical contact email] (from customer)
- SSO Tenant Name: [SSO tenant name] (agreed with customer)
- Disclose Service Provider ID: https://disclose.ideagenpentana.com/[SSO tenant name]
- Identity Provider ID: the entityID from the customer's IdP metadata (Entra ID example: https://sts.windows.net/[tenant GUID]/)
- Sign Authorisation Requests: OFF (default); enable only if the IdP requires it
- Want Assertions Signed: OFF (default); enable only if the IdP requires it
- Encrypt Assertions: OFF (default); enable only if the IdP requires it
- SSO Service URL: the single sign-on endpoint from the customer's IdP metadata (Entra ID example: https://login.microsoftonline.com/[tenant GUID]/saml2)
- Identity Provider X509 Signing Certificate (Base 64): the signing certificate from the customer's IdP metadata
- Disclose ACS: https://disclose.ew2.ideagenpentana.com/SSO/ACS/[SSO tenant name]
- Email Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (change if required)
- First Name Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (change if required)
- Last Name Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname (change if required)
Then:
- Save the configuration.
- Confirm the SSO login URL: https://disclose.ew2.ideagenpentana.com/Account/Login/[SSO tenant name]
Note: Sign Authorisation Requests, Want Assertions Signed, and Encrypt Assertions all default to OFF. Only enable them if the customer's IdP explicitly requires it — confirm with the customer before changing these settings.
In a successful configuration, the login screen will appear with an External Login button.
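The metadata the customer supplies in section 4 carries the three IdP-side values the support engineer has to enter above (Identity Provider ID, SSO Service URL and the Base 64 signing certificate), plus the flag that decides whether Sign Authorisation Requests should be ON. As an added example, not Ideagen's tooling, the Python below extracts and sanity-checks those values from a federation metadata XML file using only the standard library. The sample metadata is constructed in the shape Entra ID produces, with an all-zero tenant GUID and a dummy certificate blob; the preference for the HTTP-Redirect endpoint over HTTP-POST is an assumption (for Entra ID both point at the same URL).

```python
import base64
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample in the shape of Entra ID federation metadata. The tenant GUID
# is all zeros and the certificate is a dummy DER blob, not a real key.
DUMMY_TENANT = "00000000-0000-0000-0000-000000000000"
DUMMY_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x1c" + b"\x00" * 28).decode()
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/{DUMMY_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}">
        <X509Data><X509Certificate>{DUMMY_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://login.microsoftonline.com/{DUMMY_TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
        Location="https://login.microsoftonline.com/{DUMMY_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the IdP entity ID, SSO URL, signing certificate(s) and the
    request-signing requirement out of SAML 2.0 IdP metadata, validating as it goes."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("expected a single EntityDescriptor at the root")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an IdP")

    # Collect every signing certificate. A KeyDescriptor without 'use' serves both
    # signing and encryption. More than one signing cert usually means key rollover
    # is in progress: configure all of them, or logins break when the IdP switches.
    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())          # drop line breaks and indentation
            der = base64.b64decode(b64, validate=True)        # raises on non-base64 input
            if not der.startswith(b"\x30"):                   # DER certificate starts with a SEQUENCE tag
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(b64)
    if not certs:
        raise ValueError("no signing certificate in metadata")

    # Assumption: prefer the HTTP-Redirect endpoint, fall back to HTTP-POST.
    endpoints = {
        s.get("Binding"): s.get("Location")
        for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    }
    sso_url = endpoints.get(REDIRECT_BINDING) or endpoints.get(POST_BINDING)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    return {
        "identity_provider_id": entity_id,
        "sso_service_url": sso_url,
        "signing_certificates_b64": certs,
        # Maps to 'Sign Authorisation Requests': turn it ON only when the IdP asks for it.
        "sign_authn_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
    }


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

If the customer sends a metadata URL rather than a file, fetch it over HTTPS and feed the body to the same function; the values must match what the customer's IdP application shows, and a metadata document that lists several signing certificates should be discussed with the customer before go-live.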
9. Troubleshooting common issues
The most common issues that require troubleshooting are as follows:
- The login dialogue does not have a Single Sign On button: the user is visiting the wrong URL. Direct them to the tenant-specific login URL given in section 7.
- User logs in successfully but sees no checklists: This is expected behaviour. Unless the user was imported via CSV with a SyncID matching their UPN, the SSO login has auto-provisioned a new account. Make sure the new account has been allocated the correct licences and groups.
- User logs in successfully, but cannot see or add checklists and appears to be deleted: Refer to the article 'Ideagen Disclose: SSO user accesses the system, cannot see or create checklists / answer sets, appears to be deleted' for more information.
Where additional troubleshooting is required, it is useful to:
- Enable SSO Logging in the tenant admin screen.
- Ask a user to log in.
- Review the Disclose logs for the resulting error message.