Who is this article for?

Administrators planning to implement Ideagen Hub for environments with Single Sign-On (SSO) using an external Identity Provider (IdP).

Administrator or IT Administrator access is required for some steps.

https://[your-tenant].auth.[region].amazoncognito.com/oauth2/idpresponse

You will receive your specific Redirect URI via email prior to migration.

1.1. Microsoft Entra

To update the Redirect URI:

1. Sign in to the Microsoft Entra Admin Centre as an Administrator.
2. Navigate to Azure Active Directory.
3. Open App registrations.
4. Select your Ideagen application.
5. Go to Authentication in the left-hand menu.
6. Locate the Web section (under Platform configurations). 
7. Click Add URI
8. Paste the Redirect URI provided by Ideagen.
9. Click Save.

1.2. Okta

To update the Redirect URI:

1. Sign in to your Okta Admin Console as an Administrator.
2. Navigate to Applications.
3. Click Applications in the top navigation.
4. Select your Ideagen application.
5. Go to the General tab.
6. Click Edit (under General Settings).
7. Scroll to the Login section.
8. Click Add URI (under Sign-in redirect URIs)
9. Paste the Redirect URI provided by Ideagen.
10. Click Save. 

1.3. PingOne

To update the Redirect URI:

1. Sign in to your PingOne Admin Console as an Administrator.
2. Navigate to Applications.
3. Select Applications.
4. Browse or search for your Ideagen application.
5. Click the application entry to open the details panel.
6. Go to the Configuration tab.
7. Click Edit (Pencil icon).
8. Locate the Redirect URIs field.
9. Click Add.
10. Pate Redirect URI provided by Ideagen.
11. Click Save. 

Add the URI under the Web platform, not under Single-Page Application (SPA)

Amazon Cognito (which underpins Hub authentication) is a server-side application that uses a secret key when communicating with Entra ID to complete the login process. Entra's Web platform is designed for exactly this - server-side apps that authenticate using a client secret.

The SPA platform is for browser-only applications that have no server-side secret. If the URL is placed under SPA, Entra ID will reject the secret that Cognito sends, and login will fail.

2. Removing existing URLs

After migration, the existing Redirect URIs configured for Ideagen Quality Management in your Microsoft Entra ID app registration are no longer needed by Hub and can be removed.

However, we recommend waiting a few days before removing them, in case you need to roll back to the previous configuration. Once you are confident the migration is stable, the old entries can be safely removed.

3. Troubleshooting issues

3.1. Microsoft Entra

After migrating to Hub, the desktop app no longer passes device information to Microsoft Entra ID during login. This causes Conditional Access policies that require device compliance to block the request. The Web client is unaffected.

This is a known issue and will be fixed in a future release. As a workaround, you can exclude the Ideagen app registration from the blocking Conditional Access policy.

To exclude the app:

1. Sign in to the Microsoft Entra portal as an Administrator.
2. Go to Identity.
3. Select Protection.
4. Select Conditional Access.
5. Select Policies.
6. Open the policy that is blocking the desktop app.
7. Switch to the Exclude tab (under Target resources).
8. Search for and select the Ideagen app registration.
9. Click Save.

Before switching the policy to On, use Report-only mode and check Sign-in Logs to confirm the exclusion works as expected.