Introduction
This article describes how to register the application in the Azure domain and how to configure Single Sign On (SSO) in PerfectGym apps.
The Client Secret must be updated by your organisation before the expiry date set for the Expiry Period in Step 8 below (annually, biannually, etc.). If the Client Secret is not updated in PGM before it expires, no staff will be able to log in via SSO.
Instructions
Registering an application is the first step of configuring SSO.
- Sign in to your Azure management portal. On the left-hand panel, click Active Directory. Click the title of the directory you want to configure SSO for. Click App registrations.
- Click on the New registration button and fill out the form with all the necessary information.
Choose who can access the application (we recommend choosing the first option: Single Tenant).
When finished, click Register.
- You will be moved to a view that contains all application information.
- Grant implicit and hybrid flows.
- Add a wildcard to the redirect URL:
https://{company}.perfectgym.com/*
Using the placeholder "*" you won't need to define separate URLs for PGM, PosWeb, and ClientPortal; however, the placeholder "*" can only be defined in the application manifest, which you can find at the bottom of the left-hand menu. The easiest way is to add a temporary URL in the wizard and change it in the manifest later.
The list of used callback redirect URLs (can be used instead of the wildcard):
- https://{company}.perfectgym.com/Pgm/Account/EntraIdResponseHandler
- https://{company}.perfectgym.com/PosWeb/Login/AzureAD
- https://{company}.perfectgym.com/PosWeb/Login/EntraId
- https://{company}.perfectgym.com/ClientPortal2/api/auth/EntraId/SignInCallback/
- https://{company}.perfectgym.com/ClientPortal2/api/auth/EntraId/SignInCallback/Kiosk
- https://{company}.perfectgym.com/ClientPortal2/api/auth/EntraId/SignInCallback/Tablet
The list of sign-out redirect URIs
- https://{company}.perfectgym.com/Pgm/
- https://{company}.perfectgym.com/PosWeb/
- https://{company}.perfectgym.com/ClientPortal2/
- Add permissions in the API permissions section.
- Add a [Client Secret]. Copy the created [Client Secret] value, because it will be used in the next step.
- Open PGM>Settings>System Settings.
- Copy the configuration into the System Settings>System>Authentication section.
- Set the default employee position and default employee role for all new staff to be allocated on their first sign-in (the recommendation is to set the lowest position and role available to employees; these can be changed to the employee's correct role at a later time).
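The registration steps above leave three things that are easy to get wrong and that only show up later: a wildcard or non-HTTPS redirect URI (which widens where the identity provider will send tokens), implicit-grant settings that do more than the hybrid flow needs, and a Client Secret whose expiry date nobody is watching. The following Python script is an added example, not PerfectGym's or Microsoft's code, that runs those checks over an app-registration manifest. It assumes the Microsoft Graph manifest layout (`web.redirectUris`, `web.implicitGrantSettings`, `passwordCredentials[].endDateTime`); the embedded manifest is a constructed sample with placeholder values, chosen so that each check has something to report.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample: a trimmed app-registration manifest in the Microsoft Graph
# style (web.redirectUris, web.implicitGrantSettings, passwordCredentials).
# Every value is a placeholder. It deliberately contains a wildcard URI, an
# http:// URI and a secret close to expiry so the checks below have findings.
SAMPLE_MANIFEST = json.dumps({
    "displayName": "PerfectGym SSO (example)",
    "signInAudience": "AzureADMyOrg",
    "web": {
        "redirectUris": [
            "https://example-club.perfectgym.com/*",
            "https://example-club.perfectgym.com/Pgm/Account/EntraIdResponseHandler",
            "http://example-club.perfectgym.com/PosWeb/Login/EntraId",
        ],
        "implicitGrantSettings": {
            "enableIdTokenIssuance": True,
            "enableAccessTokenIssuance": True,
        },
    },
    "passwordCredentials": [
        {"displayName": "pgm-secret", "endDateTime": "2025-01-15T00:00:00Z"},
    ],
})


def parse_utc(timestamp):
    """Parse an ISO-8601 timestamp such as '2025-01-15T00:00:00Z' into an aware UTC datetime."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_redirect_uris(manifest, expected_host):
    """Return findings for redirect URIs that are not HTTPS, are not on the
    expected host, or contain a wildcard. An empty list means the set is clean."""
    findings = []
    for uri in manifest.get("web", {}).get("redirectUris", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS redirect URI: {uri}")
        if parsed.hostname != expected_host:
            findings.append(f"redirect URI on unexpected host: {uri}")
        if "*" in uri:
            findings.append(f"wildcard redirect URI, prefer the explicit callback URLs: {uri}")
    return findings


def check_implicit_grant(manifest):
    """The hybrid flow needs ID-token issuance. Access-token issuance through the
    implicit grant is a separate switch; flag it so someone confirms it is needed."""
    settings = manifest.get("web", {}).get("implicitGrantSettings", {})
    findings = []
    if not settings.get("enableIdTokenIssuance", False):
        findings.append("ID token issuance is disabled; the hybrid flow will not work")
    if settings.get("enableAccessTokenIssuance", False):
        findings.append("implicit access-token issuance is enabled; confirm it is actually needed")
    return findings


def check_secret_expiry(manifest, now, warn_days=30):
    """Return (secret name, days remaining, status) per client secret.
    status is 'expired', 'expiring' (within warn_days) or 'ok'."""
    report = []
    for cred in manifest.get("passwordCredentials", []):
        days = (parse_utc(cred["endDateTime"]) - now).days
        status = "expired" if days < 0 else "expiring" if days <= warn_days else "ok"
        report.append((cred.get("displayName", "<unnamed>"), days, status))
    return report


def audit_manifest(manifest_json, expected_host, now_iso, warn_days=30):
    """Run every check over a manifest JSON string and return one dict of results."""
    manifest = json.loads(manifest_json)
    now = parse_utc(now_iso)
    return {
        "redirect_uris": check_redirect_uris(manifest, expected_host),
        "implicit_grant": check_implicit_grant(manifest),
        "secrets": check_secret_expiry(manifest, now, warn_days),
    }


if __name__ == "__main__":
    # "now" is passed in explicitly so the run is reproducible; use a real clock in a scheduled job.
    result = audit_manifest(SAMPLE_MANIFEST, "example-club.perfectgym.com",
                            "2024-12-01T00:00:00Z", warn_days=60)
    for section, items in result.items():
        print(section)
        for item in items:
            print("  -", item)
```

To run it against a real registration, export the manifest from the portal (or fetch it via Microsoft Graph) into a file and pass its contents to `audit_manifest` in place of the constructed sample, with your `{company}.perfectgym.com` host as `expected_host`. Scheduling the secret-expiry check well ahead of the Expiry Period set in Step 8 is what prevents the "no staff can log in via SSO" outage described at the top of this article.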
How to log into the applications
PGM
In PGM, press the Log in via Azure AD button. This will take you to your company's Azure login page to sign in (if not already signed in).
POSWeb
In POSWeb, the method is the same as in PGM. Press the Log in via Azure AD button. This will take you to your company's Azure login page to sign in (if not already signed in).
Client Portal
In the Client Portal, because it is intended for club members, there is no Azure AD login button like in PGM and PosWeb.
To log in in employee mode, an employee must fill in the login form. As the login, use the employee login from PGM, which is usually the same as the Entra ID login. Any text will do as the password. After clicking the sign-in button, the application will initiate the SSO process.
FAQ
Q: What is the difference between Entra ID and Azure AD?
A: Microsoft Entra ID is the new name for Azure AD. The names Azure Active Directory, Azure AD, and AAD are replaced with Microsoft Entra ID.
Q: What fields on a user account in Entra ID are required in order for the SSO integration to work?
A: The required fields are: First name, Last name and Email.
Q: What will happen if an employee that previously signed in using login+password credentials starts using the Entra ID Single Sign-On option?
A: If a user previously signed in using login+password credentials and switches to Entra ID, there will be an attempt to associate the Entra ID account with the existing PG account: the system searches for an employee with the same email as the one from Entra ID. If the merge is successful, that user won't be able to sign in using login+password credentials any more. If no match is found, a new employee account will be created.
Q: What will happen if an employee that never signed in to PG starts using the Entra ID Single Sign-On option?
A: If a user never signed in to PG and starts using the Entra ID SSO, a new employee account will be created in PG with the configured default employee position and role. There is no option to disable this behavior.
Q: Can I limit the Entra ID SSO option to members of a specific Entra ID user group?
A: Yes. You can restrict access to any enterprise application integrated with Entra ID so that only assigned users or members of specific groups can sign in.
To implement this, you must enable "Assignment required" in the application settings and then map the desired groups to the application.
Implementation resources:
For enterprise applications: Follow the step-by-step guide on assigning users and groups via the Microsoft Entra admin center.
For custom app registrations: Learn how to restrict your app to a specific set of users within the Microsoft identity platform.
This feature generally requires a Microsoft Entra ID P1 or P2 license to apply group-based assignments to applications.
Q: After I used the SSO sign-in option, I can't sign in using my login+password credentials.
A: This is by design. Once the PG account is connected with the Entra ID account, signing in using login+password is not allowed.
Q: In case of creation of a new employee account, what permissions will the employee have?
A: The newly created employee will be assigned to the position and role set in the configuration (System Settings>System>Authentication section).
Q: If I make changes to the employee's personal data (e.g. first name) in PG, will the change be propagated to Entra ID?
A: PG apps have read-only access to Entra ID. If the data changes later in Azure or in PG, the change won't be synchronized between the systems.
Q: I've changed user's personal data in Entra ID, when will it sync to PG?
A: The user's personal data received from Entra ID is used only to create the user account (on the first Entra ID sign-in); later changes won't be synchronized between the systems.
Q: What will happen if we deactivate or remove an employee in PG but not in Entra ID?
A: After deletion, an attempt to sign in using Entra ID will fail. The employee account won't be reactivated or recreated.
Q: What will happen if we deactivate an account in Entra ID used by an employee?
A: A deactivated Entra ID account won't be able to sign in.
Q: How do I get a list of employees with Entra ID logins?
A: Go to PGM->Reports->All and search for the report 'Employees'. This information is in the fields ExternalSystemEmployeeId and ExternalSystemType.
You can pre-create an employee account in PGM, and the SSO will link to it. Alternatively, the employee can log in first, and you can then update the permissions or clubs of the account created at their first sign-in.