> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chamelio.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Entra ID – OIDC Setup

> Step-by-step guide to configure SSO via OpenID Connect (OIDC) from your Microsoft Entra ID tenant to Chamelio

This guide walks you through setting up SSO via OIDC from your Entra ID tenant to Chamelio. You will need the SSO Self Service link that Chamelio sends you before starting.

<Steps>
  <Step title="Get Started">
    Open the SSO Self Service link Chamelio provided. You will see the setup screen.

    Click **Get Started**.

    On the **Select Your Identity Provider** page, select **Entra ID**, then click **Next**.
  </Step>

  <Step title="Create an Application">
    The Self Service page guides you through creating an App Registration in Entra ID.

    1. In Entra ID, navigate to **App Registration** and select **New Registration**.
    2. Enter a **Name** for the application, e.g. `Chamelio`.
    3. Under **Supported account types**, choose **Accounts in this organization directory only (Default Directory only – Single tenant)**.
    4. Select **Register**.

    After registration, copy your **Application (client) ID** — you will need it in the next step.

    5. Navigate to **Authentication (Preview)** in the left-hand navigation and select **Add Redirect URI**.
    6. Under **Platform configurations**, select **Add a platform** and choose **Web**.
    7. Add the following Callback URL in the **Redirect URIs** field:

    ```
    https://auth.chamelio.ai/login/callback
    ```

    8. Select **Configure**.
    9. Navigate to **Certificates & secrets** and select **New client secret**.
    10. Enter a **Description** and set the expiration, then click **Add**.

    <Warning>
      Copy the client secret **Value** immediately — it is only shown once. Store it in a secure location.
    </Warning>

    Once you have the Client ID and client secret value, proceed to **Next** on the Self Service page.
  </Step>

  <Step title="Configure Connection">
    On the **Configure Connection** page, provide your Entra tenant details:

    * **Microsoft Entra ID Domain** — the primary domain of your Microsoft tenant (find it on the Entra homepage under Default Directory).
    * **Client ID** — the Application (client) ID you copied in the previous step. Do not paste the Secret ID.
    * **Client Secret** — the value of the newly generated client secret.

    Click **Create Connection**, then **Proceed**.
  </Step>

  <Step title="Assign Access">
    Navigate to **Enterprise applications** and select the application you created. Then select **Users and groups**.

    1. Select **Add user/group**.
    2. Under **Users**, select **None selected**.
    3. Choose the users you want to grant access, then click **Select**.
    4. Select **Assign**.
  </Step>

  <Step title="Test SSO">
    Click the **Test Connection** button. You will be redirected to the Microsoft sign-in process.

    <Info>
      Enable **Consent on behalf of your organization** during the test to ensure the login works seamlessly for all your users without individual consent prompts.
    </Info>

    A successful test shows user information being passed correctly. Review the attributes to confirm accuracy, then select **Done** to complete the setup.
  </Step>
</Steps>

## Additional Steps

<Accordion title="Configure a homepage for seamless login">
  To provide a seamless login experience via [https://myapps.microsoft.com/](https://myapps.microsoft.com/), configure a homepage URL in Entra to initiate the login.

  Chamelio provides an **Initiate login URL** with your SSO ticket. It looks similar to:

  ```
  https://app.chamelio.ai/login?connection=company-name-here
  ```

  Navigate to **App Registration** > your SSO app > **Branding & Properties**.

  Set the **Home page URL** to the Initiate login URL provided in your SSO ticket.
</Accordion>

<Accordion title="Limit application access">
  To ensure only assigned users in your organization can access Chamelio, navigate to **Enterprise applications** and select the application you created for Single Sign-On.

  Select **Manage > Properties**, then confirm that **Assignment required** is set to **Yes**.
</Accordion>
