1. Configure Your Microsoft EntraID
Sign into Microsoft: Select Sign in with Microsoft on the Dispel Dashboard https://dashboard.dispel.io/login. This will redirect you to log into your admin account on Microsoft.
Enable Dispel to Access Your SSO Accounts: After logging into your admin account in Microsoft, you will be prompted to enable SSO for your organization on the Dispel platform. Check Consent on behalf of your organization and hit Accept.
OIDC Integration Set up: The above form of SSO checks against the user’s O365 account. If desired, Dispel can also provide a standard OIDC integration with your organization’s specific EntraID. This would limit allowed SSO users to only those with a login connected to your organization’s EntraID.
Register New App: On Azure, search for the App Registrations service. Click on + New Registration.

Configure the EntraID API Functionality: Select your new Dispel App and navigate to the Authentication page.
Add the login-callback and app-launcher URIs
https://dashboard.dispel.io/client-app-launcher/oktaauth.dispel.io
https://dashboard.dispel.io/oauth/login-callback
Add the Front-channel logout URL
https://dispellogout/
Check Access Tokens and ID Tokens.
Check Accounts in this organization directory only.
Save the settings.
Add API Permissions: Select API Permissions for the Dispel App and enable these OpenID Permissions: email, openid, and profile. Note that offline_access is no longer needed.
Add Token Configurations: Select Token Configurations and allow email in the ID token type to address the user by email.
In Expose an API, create a new scope.
2. Configure the Integration on Dispel's Dashboard
Log into the Dispel Dashboard as an organization admin, and navigate to Settings → Authentication. The Okta setup here refers to all OIDC integrations.
Client Secret: generated in Azure app registration page
Client ID: generated in Azure app registration page
URL: This is the Authority URL in the Endpoints sub-tab of the Overview section of the Dispel App in your Azure Instance.
Organization Identifier: (<Organization-Name>EntraID for example) for individuals to use when logging in via “Okta” on the Login Page.
3. Test an SSO Sign-In
Have another user in your organization’s Azure AD attempt to sign in with Okta on the Dispel Dashboard to verify success.

The Organization Identifier entered here is the one set in the Dispel Dashboard settings earlier.
4. Enforce SSO for your Organization
Enforceable SSO prevents users from gaining access to the platform by any means other than your organization’s approved Single Sign-On mechanism.
Logged into an Organization Admin Account, select the Settings > Security tabs.
To enforce SSO, check the Single Sign-On box in the security settings. This will require all of your organization’s users to sign in via their own Microsoft EntraID account. Note that setting up your SSO as an admin is a prerequisite for enforcing this authentication method.
To test the enforcement of SSO, return to the Dispel Dashboard Login page https://dashboard.dispel.io/login and attempt to log in with your Dispel Credentials. You should receive a generic login error, because i) your account is now configured to authenticate with SSO, and ii) you do not want intruders to know what the next step would be for a login attempt.









