Single Sign-On (SSO) Integration

TouchPoint supports Single Sign-On (SSO) integration with Microsoft Azure/Entra ID, allowing churches to leverage their existing identity management system for TouchPoint authentication.

Infrastructure Setup

This step must be performed by someone familiar with the church’s Azure setup; TouchPoint cannot assist with it beyond providing the general steps below.

  1. Create a new App Registration within Azure / Entra for use with TouchPoint

  2. Set up the redirect URLs as Single-page application Redirect URIs, substituting the URL that you use to access TouchPoint below:

  3. Retrieve the Client Id from the app registration

TouchPoint Application Settings

In TouchPoint, configure SSO via the settings found in Admin > Advanced > Settings > Security > SSO. Set the following:

  • Enable SSO Integration: True

  • Microsoft SSO Authority: https://login.microsoftonline.com/common

  • Microsoft SSO Client Id: [client id from above]

  • Microsoft SSO Redirect URL: https://[TouchPointURL]/sign-in

  • SSO URL: /Account/ExternalLoginCallback

  • Roles Requiring SSO: SSOLogin (can be named whatever you like)

  • SSO Link: Login with SSO

  • SSO Message: You must log in using SSO

Next, create a custom role named SSOLogin (or whatever name you entered in Roles Requiring SSO) via Admin > Advanced > Lookup Codes > Miscellaneous > Roles.

Configure Users for SSO

To configure a user account to use (and require) SSO, set the following:

  • The username should be the email address of the user’s account with the identity provider (Azure/Entra)

    Note

    By default, TouchPoint creates usernames from the first letter of the person’s first name followed by their last name (e.g. jdoe). If someone already has an existing username, it will need to be changed to the email address they use to log in (e.g. john.doe@domain.com). You can modify this on the System > User Account tab of the person’s record.

  • The user should be assigned the SSO Role entered above

You should then be able to log in to the system using the “Login with SSO” link (or whatever text was entered in the SSO Link setting). The link is available on the login pages and almost anywhere a login is allowed (e.g. quick-sign).
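As an added readiness check, not part of TouchPoint or of this page, the following Python script validates a constructed copy of the settings above (HTTPS redirect URL ending in /sign-in, GUID client id, Microsoft authority, callback path, non-empty SSO role) against the SPA redirect URIs registered in Azure, and lists accounts in the SSO role whose username is not an email address. The host, client id, user list, registered URIs and the dictionary key names are all constructed placeholders, not TouchPoint’s own.

```python
import re
from urllib.parse import urlparse

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample of the TouchPoint settings listed above; the host and
# client id are placeholders, not a real tenant or app registration.
SSO_SETTINGS = {
    "Enable SSO Integration": "True",
    "Microsoft SSO Authority": "https://login.microsoftonline.com/common",
    "Microsoft SSO Client Id": "11111111-2222-3333-4444-555555555555",
    "Microsoft SSO Redirect URL": "https://touchpoint.example.org/sign-in",
    "SSO URL": "/Account/ExternalLoginCallback",
    "Roles Requiring SSO": "SSOLogin",
}
# Constructed list of SPA redirect URIs registered on the Azure app.
AZURE_SPA_REDIRECT_URIS = ["https://touchpoint.example.org/sign-in"]
# Constructed TouchPoint user accounts (username + assigned roles).
USERS = [
    {"username": "jdoe", "roles": ["Admin", "SSOLogin"]},
    {"username": "john.doe@domain.com", "roles": ["SSOLogin"]},
    {"username": "asmith", "roles": ["MyData"]},
]

def check_settings(s, registered_uris):
    """Return a list of problems with the SSO settings (empty list = ready)."""
    problems = []
    if s.get("Enable SSO Integration") != "True":
        problems.append("Enable SSO Integration must be True")
    auth = urlparse(s.get("Microsoft SSO Authority", ""))
    if auth.scheme != "https" or auth.netloc != "login.microsoftonline.com":
        problems.append("Authority must be an https://login.microsoftonline.com URL")
    if not GUID_RE.match(s.get("Microsoft SSO Client Id", "")):
        problems.append("Client Id is not the GUID from the app registration")
    r = urlparse(redirect := s.get("Microsoft SSO Redirect URL", ""))
    if r.scheme != "https" or r.path != "/sign-in":
        problems.append("Redirect URL must be https://<TouchPointURL>/sign-in")
    if redirect not in registered_uris:  # Entra requires an exact match
        problems.append("Redirect URL is not registered as an SPA redirect URI")
    if s.get("SSO URL") != "/Account/ExternalLoginCallback":
        problems.append("SSO URL must be /Account/ExternalLoginCallback")
    if not s.get("Roles Requiring SSO"):
        problems.append("Roles Requiring SSO is empty")
    return problems

def users_not_ready(users, sso_role):
    """Usernames in the SSO role that are not email addresses (SSO login fails)."""
    return [u["username"] for u in users
            if sso_role in u["roles"] and not EMAIL_RE.match(u["username"])]
```

Run `check_settings(SSO_SETTINGS, AZURE_SPA_REDIRECT_URIS)` and `users_not_ready(USERS, "SSOLogin")` before assigning the SSO role in bulk; with the constructed data only the account jdoe is flagged.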

Note

The mobile application does not support SSO. You may wish to have SSO users create a My Data or other lower-privileged user for use in the mobile application.