Single Sign-on (SSO)

Updated over 2 weeks ago

Single sign-on (SSO) is an authentication method that enables users to sign in using the same credentials they have for their work account. Organization admins can contact [email protected] to enable SSO on ioTORQ LEAN by integrating their own identity provider (if supported).

Supported SSO Protocol

SSO on ioTORQ LEAN is based on the OIDC protocol using OAuth 2.0.

Supported Identity Providers

ioTORQ LEAN currently supports Microsoft Entra ID (formerly known as Azure AD) as the identity provider for SSO. Other identity providers may be added in the future.

Setting up SSO

Setting up SSO on ioTORQ LEAN is a 2-step process:

  1. Configuring SSO in Microsoft Entra ID (by a Microsoft Entra ID administrator in your company)

    • After this step, you should now have access to three important credentials:

      • Microsoft Entra Tenant ID

      • Client ID (Application ID)

      • Client Secret

  2. Enabling SSO in ioTORQ LEAN (by request)

  3. Grant Admin Consent in Microsoft Entra ID

Configuring SSO in Microsoft Entra ID

Register ioTORQ LEAN in Microsoft Entra ID

You will need the involvement of a Microsoft Entra ID Administrator to set up SSO.

Sign in to the Entra Admin Center

  1. Sign in with an account that has administrative privileges.

Register a New Application

  1. In the left navigation menu, go to Identity > Applications > App registrations.

4. Click + New registration.

Enter the following details:

  • Name: Choose a name for your application.

  • Supported account types:

    • Select Accounts in this organizational directory only (Single-tenant).

  • Redirect URI:

    • Enter a URL where authentication responses should be sent (https://<your organization's URL>.iotorq-lean.com/oauth/complete/).

    • Make sure the URL ends with a trailing forward slash:

      • /oauth/complete (incorrect, no trailing slash)

      • /oauth/complete/ (correct)

5. Retrieve the Client ID and Tenant ID

  • After registration, you will be redirected to the application's overview page.

  • Copy the Application (client) ID – this is your Client ID.

  • Copy the Directory (tenant) ID – this is your Tenant ID.

6. Generate a Client Secret

In the left menu of your application page, go to Certificates & secrets.

Under Client secrets, click + New client secret.

  • Provide a description and select an expiration period. Set the expiration period to 730 days (24 months), or any other desired value.

Click Add.

Copy the Value of the newly created secret – this is your Client Secret. (You won’t be able to see it again after leaving the page.)

7. Provide the three credentials to ioTORQ LEAN Support to enable SSO.

Summary of Retrieved Credentials

Credential | Location

Tenant ID | App registrations → Directory (tenant) ID

Client ID | App registrations → Application (client) ID

Client Secret | App registrations → Certificates & secrets → Client secret value
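
A pre-submission check for the values gathered above, as an added example (not ioTORQ LEAN or Microsoft code). The function name, the 30-day warning window and the sample values are assumptions; it flags a redirect URI without the trailing slash, a Secret ID pasted in place of the secret Value, and a client secret nearing the end of its expiration period.

```python
import uuid
from datetime import date, timedelta
from urllib.parse import urlsplit

REDIRECT_PATH = "/oauth/complete/"   # from the article: trailing slash required
HOST_SUFFIX = ".iotorq-lean.com"     # from the article's redirect URI pattern
WARN_DAYS = 30                       # assumption: rotation lead time

# Constructed sample values, not real credentials.
SAMPLE = {
    "tenant_id": "11111111-2222-3333-4444-555555555555",
    "client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "client_secret": "constructed~Secret.Value_0123456789",
    "redirect_uri": "https://acme.iotorq-lean.com/oauth/complete",  # no slash
    "secret_created": date(2024, 1, 1),
}

def _is_guid(value):
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False

def check_registration(tenant_id, client_id, client_secret, redirect_uri,
                       secret_created, lifetime_days=730, today=None):
    """Return a list of problems; an empty list means nothing was flagged."""
    today = today or date.today()
    problems = []
    if not _is_guid(tenant_id):
        problems.append("tenant_id is not a GUID")
    if not _is_guid(client_id):
        problems.append("client_id is not a GUID")
    # The secrets list shows a Value and a Secret ID; only the ID is a GUID.
    if _is_guid(client_secret):
        problems.append("client_secret looks like the Secret ID, not the Value")
    url = urlsplit(redirect_uri)
    if url.scheme != "https" or not (url.hostname or "").endswith(HOST_SUFFIX):
        problems.append("redirect_uri must be https on *.iotorq-lean.com")
    # The identity provider compares the redirect URI exactly, slash included.
    if url.path != REDIRECT_PATH or url.query or url.fragment:
        problems.append("redirect_uri path must be exactly " + REDIRECT_PATH)
    days_left = (secret_created + timedelta(days=lifetime_days) - today).days
    if days_left < 0:
        problems.append("client secret has expired")
    elif days_left <= WARN_DAYS:
        problems.append(f"client secret expires in {days_left} days")
    return problems
```

Calling check_registration(**SAMPLE, today=date(2025, 12, 15)) reports the missing trailing slash and a secret with 16 days left.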

Only proceed to the next step below once SSO has been set up by ioTORQ LEAN Support.

Logging in to ioTORQ LEAN as a Microsoft Entra ID Administrator

As described in the Microsoft documentation, adding an OIDC-based SSO application requires signing in to the application (ioTORQ LEAN) and granting consent.

If your tenant policy requires a Microsoft Entra ID Administrator to grant consent to applications, then your Microsoft Entra Administrator has to do the initial SSO authentication to grant admin consent. This assumes that the Microsoft Entra Administrator has an account in ioTORQ LEAN. If not, an account will be made and the user must activate their account.

Log in to ioTORQ LEAN (the ioTORQ LEAN email must be the same as the one with Microsoft Entra ID admin privileges).

Check "Consent on behalf of your organization" to grant consent for the whole organization. If you leave this unchecked and later decide that you want to grant admin consent, see the "Granting Admin Consent" section.


Granting Admin Consent

For some tenants' end-users to use single sign-on, a Microsoft Entra administrator needs to grant admin consent. To grant admin consent, in Microsoft Entra go to Enterprise Applications, then select ioTORQ LEAN.

From the “ioTORQ LEAN Enterprise Application” page, go to Security > Permissions and click “Grant admin consent for <tenant>”.

This will open a new window where you are shown a consent box and prompted to accept the permissions requested by ioTORQ LEAN to "Sign in and read user profile".

Once you click Accept, you will be taken back to the Azure Portal with a message, "Admin consent was successfully granted".

Permissions Required for Consent

All the permissions required by ioTORQ LEAN are necessary for single sign-on authentication. They ensure that the person attempting to access ioTORQ LEAN is who they claim to be, and they allow ioTORQ LEAN to verify whether that person has the appropriate authorization to access pages or resources in ioTORQ LEAN.


(Optional) Limiting Access to Specific Users and Groups

You can allow only specific users and groups from your Microsoft Entra tenant to have access to ioTORQ EMIS by using the "Assignment required?" option in Microsoft Entra. To enable this option, in Microsoft Entra go to Enterprise Applications, then select ioTORQ EMIS.

This assumes you've already added ioTORQ LEAN as an enterprise application in your Microsoft Entra ID tenant. If not, see the section “Adding ioTORQ LEAN as an Enterprise Application”

From the “ioTORQ LEAN Enterprise Application” page, go to Manage > Properties and set “Assignment required?” to “Yes”.

Adding and Removing Users

Once “Assignment required?” is set to “Yes”, access to ioTORQ LEAN will be limited to what's specified under “Users and groups”.

You can add or remove a user/group by using the buttons highlighted red. To remove a user, you first have to select the users/groups to remove. For more info, see Azure's official documentation.

Additional Support

If you have other questions and need additional support, email [email protected]
