1. Halaxy Help Guide | New Zealand
  2. Account and Settings
  3. Integrations

Set up single sign-on

Single sign‑on (SSO) provides your organisation with a smooth and secure way to access Halaxy by allowing practice users to log in using their organisation‑provided credentials. When users attempt to sign in, they are securely redirected to the identity provider for authentication and, once verified, are automatically logged in without needing to re‑enter their details. This approach reduces password fatigue, improves security, ensures consistent access across the organisation, and gives system administrators greater control through authentication settings and simplified user management.

Who can do this?

Account owners only

Notice

Halaxy's single sign‑on currently supports Entra ID via the OpenID Connect (OIDC) protocol for authentication. Support for additional identity providers will be available in the future.

Requirements for SSO setup

  1. Halaxy account with account owner permission

  2. Entra ID tenant with permission to create or manage enterprise applications

Configure Single Sign-On with Microsoft Entra ID

Note

Before proceeding, have both Halaxy and Entra ID open on different browser tabs as the setup will involve switching between the two platforms.

  • Step 1: Copy the Callback URL in Halaxy

    1. Navigate to Settings > Users.

      Microsoft-SSO-01.png

    2. On the top-right corner of the users list, click the Icon-Lock.svg lock icon and in the pop-up, open the Single Sign-On tab to open the Single Sign-On Settings.

    3. Copy the Callback URL for use later.

  • Step 2: Configure a new app registration in Microsoft Entra Admin Center

    1. In Microsoft Entra Admin Center, navigate to Entra ID > App registrations > New registration.

      Microsoft-SSO-02.png

      1. Configure the following:

        Microsoft-SSO-03.png

        • Name: Set a name for the app (e.g. Halaxy SSO)

        • Supported account types: Set the type to "Single tenant"

        • Redirect URI: Set the platform to Web and paste the Callback URL copied from Halaxy.

      2. Click Register.

    2. With the new app registration open, under Manage, navigate to Authentication (Preview) > Settings tab.

      Microsoft-SSO-04.png

      1. Tick ID tokens (used for implicit and hybrid flows).

      2. Click Save.

    3. Under Manage, navigate to API permissions > Add a permission > Microsoft Graph > Delegated permissions.

      Microsoft-SSO-05.png

      1. Within the OpenId permissions category, tick the following permissions:

        • email

        • openid

        • profile

      2. Click Add permissions.

      3. In the same page, click on Grant admin consent, then Yes.

    4. Under Manage, navigate to Token configuration > Add optional claim.

      Microsoft-SSO-10.png

      1. For Token type, tick ID.

      2. Under Claims, tick email, family_name, and given_name.

      3. Click Add.

    5. Navigate to the Overview page of the same app registration.

      Microsoft-SSO-06.png

      • Under Essentials, copy Application (client) ID and Directory (tenant) ID. We will paste this in Halaxy later.

        Tip

        You can paste this into a notepad so you can copy it again later.

    6. Under Manage, navigate to Certificates & secrets > Client secrets tab > New client secret.

      Microsoft-SSO-07.png

      1. Configure the following:

        • Description: Add a description for the use of the client secret. (E.g. Halaxy SSO client secret.)

        • Expires: Set an expiry for the client secret.

          Important

          Keep in mind that once the client secret expires, you will need to create a new client secret, delete your SSO configuration in Halaxy and recreate the configuration with the new client secret.

      2. Click Add and copy the client secret value to paste in Halaxy later.

        Warning

        The client secret value will only be shown once in this screen and cannot be revealed again later. Make sure to copy the Value and NOT the Secret ID!

  • Step 3: Configure the single sign-on settings in Halaxy

    1. In Halaxy, go back to the Halaxy Single Sign-On Settings.

      Microsoft-SSO-08.png

      1. Paste the following values copied from Entra ID:

        • Client ID: Paste the Application (client) ID taken from Entra ID.

        • Tenant ID: Paste the Directory (tenant) ID taken from Entra ID.

        • Client Secret: Paste the client secret value taken from Entra ID.

      2. Click on Test Connection. This will redirect you to the Microsoft log in page. Login to Microsoft using your company account.

        If the connection is successful, you will be redirected to Halaxy users page with a successful banner.

        If the connection failed, review your Tenant ID, Client ID, and Client Secret.

    2. In the Halaxy users page, click the Icon-Lock.svg lock icon and navigate to the SSO tab again.

      1. Microsoft-SSO-09.png

        Configure the final settings:

        • SSO Status: Set to Active.

        • Authorise login via: Set Password & SSO to allow users to log in using either their Halaxy password or their Microsoft account. Otherwise, set this option to SSO for Microsoft accont only.

          Note

          Account owners will always have the ability to login using their password, even if this setting is set to SSO only.

      2. Click Save. Microsoft SSO is now set up in your practice group.

  • (Optional) Step 4: Configure allowed users in your Microsoft Enterprise App

    You can further configure to only allow specific users to login using SSO.

    1. Navigate to Microsoft Entra Admin Center > Enterprise applications > open your app > Properties tab.

    2. Set Assignment required to Yes.

      Microsoft-SSO-11.png

      Note

      Setting this to No will allow all your Microsoft users to login to Halaxy provided that they have a matching login email address in Halaxy.

    3. Click Save.

    4. Under Manage, navigate to Users and groups and click Add user/group.

    5. Click Users and groups, then tick all the users and groups you want to allow access to SSO.

    6. Click Select, then Assign.

Reference

Updated

Was this article helpful?