This configuration ensures users logging in through SSO are limited to those connected to your organization’s Microsoft Entra tenant. Follow these steps to configure OIDC Single Sign-On (SSO) through Microsoft Entra ID for Dispel.
Register a New App in Azure
Log in to the Azure portal.
Search for App Registrations in the search bar and open the service.
Click + New Registration.
Name: Enter a descriptive name for the app (e.g., Dispel SSO).
Supported account types: Select Accounts in this organizational directory only.
Redirect URI: Leave blank for now; you will configure this later.
Click Register to create the app.
Configure Authentication Settings
Navigate to your newly registered app in Azure.
Go to the Authentication section.
Add the following Redirect URIs (select “Web” as the platform):
https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io
https://dashboard.dispel.io/oauth/login-callback
Add the Front-channel logout URL:
https://dispellogout/
Under Implicit grant and hybrid flows, check the following:
Access tokens
ID tokens
Save the changes.
Configure API Permissions
Go to the API Permissions section.
Enable the following permissions:
Minimum Application Permissions:
Permission Name | Type |
Delegated |
Minimum Microsoft Graph Permissions
Permission Name | Type |
Group.Read.All | Application |
GroupMember.Read.All | Application |
Group.Read.All | Delegated |
GroupMember.Read.All | Delegated |
User.Read.All | Application |
Add Token Configuration
Navigate to the Token Configuration section.
Click + Add optional claim.
Choose the ID token type.
Select email to ensure user email addresses are included in the token.
Save your changes.
Expose an API
Go to the Expose an API section.
Click + Add a scope.
Add a new scope to define permissions for this application.
Follow the wizard to name and configure the scope as needed.
Generate Client Secret
Navigate to the Certificates & Secrets section.
Click + New client secret.
Provide a description and expiration period.
Copy the generated Client Secret—you will need this for the Dispel Dashboard configuration.
Retrieve App Details
In the Overview section of your app, locate:
Application (Client) ID: This is your Client ID.
Directory (Tenant) ID: This is the ID for your organization’s tenant.
Go to the Endpoints sub-tab and copy the OAuth 2.0 Authorization Endpoint. This will be your Authority URL.
Configure the Dispel Dashboard
Log in to the Dispel Dashboard as an Organization Admin.
Navigate to Settings → Authentication.
Fill in the OIDC integration fields:
Client Secret: Paste the client secret you generated in Azure.
Client ID: Enter the application (client) ID from Azure.
Authority URL: Use the OAuth 2.0 Authorization Endpoint from Azure.
Organization Identifier: Set a unique identifier for your organization (e.g., <Organization-Name>EntraID).
Test and Verify the Setup
Ask another user in your organization to attempt signing in through the SSO option (labeled “Okta” in this case) on the Dispel Dashboard.
Verify the login process works and access permissions are applied correctly.
Configure Custom User Identifiers
By default, Dispel authenticates against the "preferred_username" value from the Entra ID response. However, custom response fields can be used (e.g., "email" or "user_principal_name"). If you need a custom value, please reach out to your Dispel representative or use the chat bubble in the bottom right for configuration.
Your OIDC SSO integration is now configured. For troubleshooting, ensure that token configurations, permissions, and redirect URIs are correctly set up in both Azure and the Dispel Dashboard.