Note: This is an advanced feature only available for customers on the Enterprise plan. Implementation requires advanced technical knowledge.
Rex supports letting users log in with their external authentication provider via OpenID Connect.
This means that, after entering their email on the Rex login screen, users will see a button labelled “Login via {YOUR_APP}” which, when clicked, navigates to your external authentication provider and redirects back to Rex upon successful login.
This is a fantastic quality of life improvement and helps avoid users worrying about forgetting their Rex password.
There are some limitations to keep in mind:
- Currently, the only supported provider is Azure Active Directory/Office 365. Support for other providers, such as Google, will be added as a future improvement.
- This functionality only enables a convenient login method, and does not support remote provisioning or disabling of users. Users will still need to be invited from Rex, accept an invite from Rex, and provide a password, before being able to log in via SSO. The feature exists to provide user convenience for easier logging in, rather than serving as a full-blown alternative to Rex’s user management system.
- With SSO active, all users will still be able to fall back to a password login if they choose.
- SSO is not currently supported for logging into Pocket. This limitation will be addressed later in 2024.
How to set up Azure Active Directory to use Rex SSO
To proceed with OpenID Connect setup, follow the steps below and then provide us with the 5 pieces of information requested at the end.
If you have any issues obtaining any of this, please let us know.
- Register an app: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
  - Provide any name for the application (users will see this when logging in via Azure)
  - Leave the Redirect URI empty for now
- Go to the registered application, then:
  - Go to “API permissions” and add the following permissions:
    - Microsoft Graph
      - User.Read - Sign in and read user profile
      - openid - Sign users in
  - Go to “Overview” and copy the “Application (Client) ID”
  - Go to “Certificates and Secrets” and create a new “Client secret” that doesn’t expire.
  - Go to “Branding > Home Page URL” and set it to https://auth.rexsoftware.com/
  - Go to “Authentication” and add the following Redirect URIs:
    - https://auth.rexsoftware.com/api/v1/oidc/callback
    - https://auth2.rexsoftware.com/api/v1/oidc/callback
- Obtain your tenant ID - https://o365hq.com/faq/how-to-find-your-office-365-tenant-id
- Provide us with the following details:
  - Your tenant ID
  - Your application (client) ID
  - Your client secret
  - The email domain(s) or specific email addresses you wish to have the SSO login method enabled for
  - A screenshot of the Overview, Authentication and API Permissions screens
  - Label and logo you want for the "Login via {X}" button on the login screen
    - Logo should be a white, transparent PNG, 1:1 ratio
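To show how the details above fit together, here is an added Python example (not Rex’s own code) that models the login flow described on this page: deciding whether the “Login via {X}” button applies to an entered email, building the Azure AD authorization request from the tenant ID, client ID and registered Redirect URI, and validating the redirect back to the callback. The tenant and client IDs are constructed placeholders, the `login.microsoftonline.com` v2.0 authorize endpoint is the standard Azure AD one, and the `state`/`nonce` handling is the usual OpenID Connect protection against a forged or replayed callback rather than anything Rex documents.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values standing in for the details you provide to Rex.
TENANT_ID = "00000000-0000-0000-0000-000000000000"   # placeholder, not a real tenant
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # placeholder, not a real app
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
# The two Redirect URIs registered under "Authentication" on the page above.
REGISTERED_REDIRECT_URIS = (
    "https://auth.rexsoftware.com/api/v1/oidc/callback",
    "https://auth2.rexsoftware.com/api/v1/oidc/callback",
)
# Scopes matching the two API permissions added above (openid + Microsoft Graph User.Read).
SCOPES = "openid User.Read"


def sso_applies(email, allowed_domains, allowed_addresses):
    """Return True if the SSO button should be offered for this email, based on the
    domain(s) and specific addresses you asked Rex to enable it for."""
    email = email.strip().lower()
    if email in {a.strip().lower() for a in allowed_addresses}:
        return True
    if "@" not in email:
        return False
    domain = email.rsplit("@", 1)[1]
    return domain in {d.strip().lower().lstrip("@") for d in allowed_domains}


def build_authorize_request(login_hint, redirect_uri=REGISTERED_REDIRECT_URIS[0],
                            state=None, nonce=None):
    """First leg of the authorization code flow: returns (url, state, nonce).
    state ties the callback to this browser session (CSRF protection); nonce is
    echoed inside the ID token so the token can be bound to this login attempt."""
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": SCOPES,
        "state": state,
        "nonce": nonce,
        "login_hint": login_hint,   # pre-fills the email the user typed into Rex
    }
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from Azure AD and return the authorization code.
    Raises ValueError on a provider error, an unregistered callback URL, or a
    state mismatch (which indicates a forged or stale callback)."""
    parsed = urlparse(callback_url)
    base = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if base not in REGISTERED_REDIRECT_URIS:
        raise ValueError("callback arrived at an unregistered redirect URI")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


if __name__ == "__main__":
    email = "jane@example.com"   # constructed sample login
    if sso_applies(email, allowed_domains=["example.com"], allowed_addresses=[]):
        url, state, nonce = build_authorize_request(email)
        print("Redirect user to:", url)
        # Constructed callback as Azure AD would send it after a successful login.
        callback = f"{REGISTERED_REDIRECT_URIS[0]}?code=sample-code&state={state}"
        print("Authorization code:", parse_callback(callback, state))
```

The returned code is then exchanged server-side for tokens, and the ID token’s `nonce` claim must match the one generated here; that exchange is omitted because it needs the live tenant and the client secret.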