Single Sign-On (SSO) Setup
Overview
Single Sign-On (SSO) lets your users sign in to eMabler Connect with their existing corporate identity provider — no separate eMabler password.
Any OIDC-compliant identity provider is supported, including Microsoft Entra (Azure AD), Keycloak, Okta, Auth0, and others. eMabler federates the login through Azure AD B2C.
User accounts (operators), roles, and permissions are managed inside eMabler Connect. Your IdP only handles authentication; it does not need to maintain group-to-permission mappings. This also means that each operator still needs to be added through Connect; adding a new user to the IdP does not automatically give the user any Connect access.
1. What eMabler needs from you
To configure SSO for your organization, please share the following:
OIDC metadata URL — the OpenID Connect well-known URL of your IdP. Examples:
Entra:
https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
Keycloak:
https://<host>/realms/<realm>/.well-known/openid-configuration
Client ID and client secret — OAuth 2.0 client credentials issued by your IdP for eMabler to use.
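A pre-flight check you can run on your IdP's discovery document before sharing the metadata URL. This is an added example, not eMabler's own tooling; the host idp.example.test, the realm acme and the function names are assumptions, and the sample documents are constructed.

```python
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

def fetch_discovery(metadata_url):
    """Download the discovery document (needs network; not used by the sample run)."""
    if urlparse(metadata_url).scheme != "https":
        raise ValueError("metadata URL must use https")
    with urllib.request.urlopen(metadata_url, timeout=10) as resp:
        return json.load(resp)

def check_discovery(metadata_url, doc, match_claim="email"):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    for key in REQUIRED:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not an https URL")
    # OIDC Discovery: issuer must equal the metadata URL without the well-known suffix.
    if not metadata_url.endswith(WELL_KNOWN):
        problems.append("metadata URL does not end in " + WELL_KNOWN)
    elif doc.get("issuer") and doc["issuer"] != metadata_url[: -len(WELL_KNOWN)]:
        problems.append("issuer does not match metadata URL")
    # Both lists are optional in the spec, so only check them when present.
    if "scopes_supported" in doc and "openid" not in doc["scopes_supported"]:
        problems.append("openid scope not advertised")
    if "claims_supported" in doc and match_claim not in doc["claims_supported"]:
        problems.append(f"{match_claim} claim not advertised")
    return problems

# Constructed sample documents for a hypothetical Keycloak realm (not real endpoints).
URL = "https://idp.example.test/realms/acme/.well-known/openid-configuration"
GOOD = {
    "issuer": "https://idp.example.test/realms/acme",
    "authorization_endpoint": "https://idp.example.test/realms/acme/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/acme/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example.test/realms/acme/protocol/openid-connect/certs",
    "scopes_supported": ["openid", "email", "profile"],
    "claims_supported": ["sub", "email", "name"],
}
# Same realm behind a proxy that advertises http and omits the email claim.
BAD = dict(GOOD, issuer="http://idp.example.test/realms/acme", claims_supported=["sub", "name"])

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_discovery(URL, doc) or "ok")
```

Pass `match_claim="sub"` if the sub claim is the one agreed for identity matching.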
2. What you need to configure in your IdP
Add the following redirect URI to your IdP's app/client registration. This is the standard Azure AD B2C reply URL — no further allowlisting is required.
Test:
https://emablertest.b2clogin.com/emablertest.onmicrosoft.com/oauth2/authresp
Production:
https://emablerb2c.b2clogin.com/emablerb2c.onmicrosoft.com/oauth2/authresp
3. Choose how your users will reach the SSO login
Pick one routing mechanism:
Option A — Dedicated SSO link. Users go to a dedicated URL such as
https://connect.emabler.io/login/<your-organization-name>
and are taken straight to your SSO sign-in.
Option B — Email-domain mapping. Users sign in at the standard Connect login page; emails matching your registered domain (e.g. @customer.fi) are automatically routed to your SSO. Best if all users in the IdP share an email domain.
Tell eMabler which option you prefer, plus:
Option A: the organization slug to use in the URL
Option B: the email domain(s) to map
4. Choose which login methods are allowed
Pick one:
SSO only — users from your organization can sign in only through your IdP. Email + password is disabled for them.
SSO and email + password — users see two options on the Connect login page: Sign in with password and Sign in with organization account.
5. Operator (user) management after SSO is enabled
Operator accounts, roles, permissions, and site access are managed inside eMabler Connect, not in your IdP. SSO only handles the authentication step.
Adding a federated user
In Connect, go to Settings → Operators.
Click Add operators.
Enter the user's email address (must match the email they will sign in with at your IdP — see Identity matching below).
Under Sign-in method, select your organization's IdP. If your tenant has only one federated IdP configured, it is selected automatically. If both SSO and email + password are allowed, you can pick either or both.
Assign Roles, Permissions, Site Access, and a Home Site.
Click Add operators. The user can sign in immediately via SSO.
Identity matching
The user's identity in your IdP is matched against the operator record in Connect via either the email claim or the sub claim. eMabler will confirm which claim to use during setup.
⚠️ Note: changing a user's email address in your IdP will break their access.
Removing access
Delete the operator in Connect (Settings → Operators). Disabling the user in your IdP also blocks sign-in but leaves the operator record in place in Connect.
6. How to send the details to eMabler
Send the items from section 1 and your choices from sections 3 and 4 to your assigned eMabler contact.
7. What happens next
eMabler configures the federated identity provider in Azure AD B2C and the routing / login-method settings in Connect for your organization.
eMabler runs a test sign-in with you in the test environment.
SSO is enabled in production. Your admins can then start adding operators (see section 5).