Set up single sign-on (SSO)

Overview

Multi-factor authentication (MFA) is required for Government-connected software. It enhances security by requiring a second form of verification alongside your password.  

If you have Microsoft accounts already secured with MFA, your organisation can opt for single sign-on (SSO) via Microsoft Azure AD B2C instead of Authenticator App logins.

Once SSO is set up, TaxLab support will provide your organisation with a unique login URL. This link allows your team to set up their accounts and securely access TaxLab using their Microsoft credentials.

Step 1: Register an Application

1. Open Microsoft Azure AD B2C.
2. In the left hand panel > Under Manage > Select App registrations.
3. Select New registration.
4. In Register an application:
   • Enter a Name for the application.
   • Choose the supported account types (Recommended: Accounts in this organizational directory only).
   • Enter the following Redirct URI:
     • Select Web from the drop down menu.
     • Enter https://taxlabauth.b2clogin.com/taxlabauth.onmicrosoft.com/oauth2/authresp
5. Select Register.

Step 2: Configure authentication settings

1. In the left hand panel > Under Manage > select Authentication. 
2. Under Front-channel logout URL > enter the following logout URL:
   • https://taxlabauth.b2clogin.com/taxlabauth.onmicrosoft.com/B2C_1_SigninAndSignUp/oauth2/v2.0/logout
3. Under Implicit and hybrid flows > Select the check boxes for: 
   • Access tokens (used for implicit flows)
   • ID tokens (used for implicit and hybrid flows)
4. Select Save.

Step 3: Expose an API - Add a scope

In the Microsoft identity platform, a scope represents a delegated permission for a specific resource, defining what an application (e.g., TaxLab) can access on behalf of the authenticated user (e.g., email, family_name, given_name).

Configuring the scope enables the application (e.g. TaxLab) to request and retrieve the necessary user claims during the authentication process to facilitate secure login.

1. Under Manage > select Expose an API.
2. Select Add a scope.
3. In Add a Scope > Select Save and Continue to confirm the Application ID URI. (This will automatically populate with the Client ID).
4. To create the scope fill in the following information:
   • Scope name. (The name is up to you - please see an example below).
   • Who can consent? (Recommended: Admins and users).
   • Admin consent display name & description.
   • User consent display name & description.
   • State should be enabled.
5. Select Add scope.

Example:

• Scope name: user_impersonation.
• Admin consent display name: Access TaxLab application.
• Admin consent description: Allow the application to access TaxLab on behalf of the signed in user.
• User consent display name: Access TaxLab application.
• User consent description: Allow the application to access TaxLab on your behalf.

Step 4: Token configuration - Add option claims

1. Under Manage > Select Token configuration.
2. Select Add optional claim.
3. In the Add optional claim panel > Select ID as the Token type.
4. Select the check boxes for:
   • email
   • family_name
   • given_name
5. Select Add.
6. Review and select the check box for Turn on the Microsoft Graph email, profile permission.
7. Select Add.

Step 5: Send required information to TaxLab Support

Once the App registration and settings have been configured, TaxLab requires the following information to complete the set up:

• OpenID Connect metadata document:
  • Located in Overview > Select Endpoints > the OpenID Connect metadata document will end in /.well-known/openid-configuration.
• Client ID.
  • Located in Overview > Under Essentials > Copy Application (client) ID.

Please contact support to discuss options to securely provide these details.