Microsoft AD SSO

How do I get a single sign-on and how does it work?

If you want to enable SSO contact us by email at

AzureAD based Single sign-on can be easily enabled. If permissions are also determined in connection with single sign-on, it will require a little more planning from the customer. 

What does SSO mean?

SSO (Single Sign-On) means a solution where the user can log in to Spotilla with a Microsoft Azure.

There is a ready-made interface for both browser and mobile applications for Microsoft Azure AD single sign-on.  Spotilla does not support local Microsoft AD servers (local + Azure hybrid solution is supported).

How to log in with SSO?

If single sign-on is enabled, the Spotilla user does not need the Spotilla internal username / password combination at all, but logs in with a Microsoft AD ID (that is, virtually the same ID used for other Office 365 uses, such as Outlook, Teams, etc.).

Single sign-on also allows for a solution where user rights within Spotilla are based on groups defined by Azure AD.

Technical implementation

The technical implementation follows this Microsoft documentation

The technical chain of events (invitation authorization) follows the implementation specified by Microsoft as shown in the image.
microsoft identity platform

Spotilla application calls the following information from Customer's Azure AD upon login:

call permissions

Implementation steps

  • You indicate that you wish to enable Microsoft AD SSO Single Sign-On and send an e-mail to  an address:
  • A short remote meeting will be held to agree on how the customer wants to implement single sign-on.
    • Determine which domain is the AzureAD domain against which the login is made.
    • Find out if a particular Azure AD group needs a user to be able to sign in (otherwise, all domains in that domain will be able to sign in)
    • Find out if you want users to be able to gain access to Spotilla directly based on their Azure AD groups, or whether to use SSO only to sign in

The full benefits of implementing AD SSO are obtained by directly assigning "basic rights" to the user based on AzureAD groups. Deviating rights can still be defined separately within Spotilla.

In practice, certain groups are created for Azure AD for Spotilla and assigned to user roles created in Spotilla. The client process is facilitated when new users who are created for AD and need access to their Spot have direct access when they are added to the desired AzureAD-Spot groups.

  • Spotilla helpdesk turns on the AD SSO with the agreed configuration
  • Your AzureAD admin user agrees to use single sign-on on behalf of your users (learn more). At the same time, the operation of the SSO is ensured

The client Azure AD Admin user does not need to perform any manual configuration for Azure AD. When a person with an Admin ID logs in to Spot for the first time, Spotilla will ask the Azure AD Admin user (a pop-up window asking for permission) if this will allow users to use the Spotilla SSO application on behalf of the organization.

  • Once tested, the Spotilla Helpdesk will delete all user accounts from Spotilla
    • The next time a user logs in with a mobile app or browser, this one will use SSO login. In this context, the user's account and its rights will be established in accordance with the Azure AD specifications
    • Only the Spotilla administrator ID is used to log in to Spotilla with a password / ID - other users log in with SSO.