Single Sign-On — Azure AD & Google

Single Sign-On (SSO) allows employees to log in to Udyamo HRMS using their existing organizational credentials — either a Google Workspace account or a Microsoft Azure Active Directory (Azure AD) account. SSO simplifies the login experience, improves security through centralized authentication, and reduces password fatigue for employees.

This chapter covers how SSO works in Udyamo HRMS, how to configure Google OAuth2 and Azure AD SSO, and how employees use SSO to log in.


What You Will Learn

  • What Single Sign-On is and its benefits
  • How Google OAuth2 SSO works in Udyamo HRMS
  • How Azure AD SSO works for Microsoft 365 organizations
  • How to configure each SSO provider (admin setup)
  • The employee login flow for each SSO method
  • How SSO interacts with existing password-based accounts
  • Troubleshooting common SSO issues

Prerequisites

Required: You must have an Administrator role to configure SSO providers.

Required: For Google OAuth2: A Google Workspace organization with admin access to the Google Cloud Console.

Required: For Azure AD: A Microsoft 365 / Azure AD tenant with admin access to the Azure Portal.


What Is Single Sign-On?

Single Sign-On is an authentication mechanism that allows users to log in to multiple applications using a single set of credentials managed by an identity provider (IdP). Instead of maintaining a separate username and password for Udyamo HRMS, employees use their Google or Microsoft account.

Benefits of SSO

Benefit | Description
Simplified login | Employees use one set of credentials for multiple applications
Reduced password fatigue | Fewer passwords to remember means fewer weak or reused passwords
Centralized access control | IT admins manage access from one identity provider (Google Admin, Azure AD)
Automatic deprovisioning | When an employee is removed from Google Workspace or Azure AD, they can no longer start a new SSO login to Udyamo HRMS. Sessions that are already open, and password login if it is still enabled, are unaffected until you end them in Udyamo HRMS.
Stronger security | Leverages the IdP's security features: MFA, conditional access, session management
Compliance | Audit trails from the IdP complement Udyamo HRMS's own logging

SSO Architecture Overview

Udyamo HRMS implements SSO through the OmniauthCallbacksController, which handles the OAuth2/OpenID Connect flow for both Google and Azure AD.

Authentication Flow

  1. Employee clicks Sign in with Google or Sign in with Microsoft on the login page.
  2. Udyamo HRMS redirects the employee to the identity provider's authorization endpoint, passing its client ID, the callback URL, and a random state value that ties the eventual response back to this browser session.
  3. The employee enters their Google or Microsoft credentials (and completes MFA if required by their organization).
  4. The identity provider authenticates the user and redirects back to the Udyamo HRMS callback URL with a short-lived authorization code. The code is not itself a token: it can only be redeemed together with the client secret.
  5. Udyamo HRMS checks that the state value matches the one it issued, exchanges the code for an ID token at the provider's token endpoint, validates the token (signature, issuer, audience, expiry), and reads the verified email address from it. That email is then matched to an existing employee record.
  6. If a match is found, the employee is logged in. If no match is found, the login is rejected.

SSO authentication flow diagram

Warning: SSO login requires that the email address in the identity provider matches the email registered in Udyamo HRMS. If an employee's Google or Microsoft email differs from their Udyamo HRMS email, SSO login will fail.
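The six steps above, as an added illustration of what the callback side of the flow has to check (this is example code, not Udyamo's OmniauthCallbacksController). It uses only the Ruby standard library; the client ID, the IdP signing key and the employee list are constructed values, and an HMAC (HS256) signature stands in for the RS256 check a real relying party makes against the IdP's published JWKS. The simulated IdP lets you forge individual claims or tamper with the state value to see each rejection path.

```ruby
# Added illustration of the authorization-code flow from the HRMS side.
# Not Udyamo's code: only the Ruby standard library is used, the client ID,
# signing key and employee list are constructed, and an HMAC (HS256) signature
# stands in for the RS256 check a relying party makes against the IdP's JWKS.
require "securerandom"
require "openssl"
require "json"
require "uri"

GOOGLE = { authorize_url: "https://accounts.google.com/o/oauth2/v2/auth",
           issuer: "https://accounts.google.com",
           client_id: "example-client-id.apps.googleusercontent.com", # assumed value
           redirect_uri: "https://your-domain.udyamo.com/users/auth/google_oauth2/callback",
           allowed_domains: ["yourcompany.com"] }.freeze
EMPLOYEES = [{ id: 1, email: "alice@yourcompany.com" }, { id: 2, email: "bob@yourcompany.com" }].freeze

def b64url_encode(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0")
end

# Constant-time comparison for state values and signatures.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Steps 1-2: `state` ties the callback to this browser session (CSRF / login
# injection defence); `nonce` ties the returned ID token to this request.
def build_authorize_redirect(cfg, session)
  session[:oauth_state] = SecureRandom.urlsafe_base64(32)
  session[:oauth_nonce] = SecureRandom.urlsafe_base64(32)
  "#{cfg[:authorize_url]}?" + URI.encode_www_form({
    "response_type" => "code", "client_id" => cfg[:client_id],
    "redirect_uri" => cfg[:redirect_uri], "scope" => "openid email profile",
    "state" => session[:oauth_state], "nonce" => session[:oauth_nonce] })
end

# Step 5: nothing in the ID token is trusted until every check passes.
def verify_id_token(token, cfg, key, expected_nonce, now = Time.now.to_i)
  header, payload, sig = token.split(".")
  raise "malformed token" unless sig
  mac = OpenSSL::HMAC.digest("SHA256", key, "#{header}.#{payload}")
  raise "bad signature" unless secure_equal?(mac, b64url_decode(sig))
  claims = JSON.parse(b64url_decode(payload))
  raise "wrong issuer" unless claims["iss"] == cfg[:issuer]
  raise "wrong audience" unless claims["aud"] == cfg[:client_id]
  raise "token expired" unless claims["exp"].to_i > now
  raise "nonce mismatch" unless claims["nonce"] == expected_nonce
  raise "email not verified by IdP" unless claims["email_verified"] == true
  claims
end

# Steps 4-6: state first, then the code exchange (the IdP's token endpoint is
# passed in as a callable), then the token checks, domain list and email match.
def handle_callback(cfg, params, session, token_endpoint, key, employees)
  state_ok = params["state"] && secure_equal?(params["state"], session.delete(:oauth_state).to_s)
  return [:reject, "state mismatch"] unless state_ok
  return [:reject, "IdP error: #{params["error"]}"] if params["error"]
  token = token_endpoint.call(params["code"], cfg[:redirect_uri])
  claims = verify_id_token(token, cfg, key, session.delete(:oauth_nonce))
  email = claims["email"].to_s.downcase
  domain = email.split("@").last
  allowed = cfg[:allowed_domains].empty? || cfg[:allowed_domains].include?(domain)
  return [:reject, "domain #{domain} not allowed"] unless allowed
  employee = employees.find { |e| e[:email].downcase == email }
  return [:reject, "no employee with email #{email}"] unless employee
  [:login, employee]
rescue RuntimeError => e
  [:reject, e.message]
end

# Constructed stand-in for the IdP's token endpoint: one valid code, and
# `overrides` lets the walkthrough forge bad claims.
def simulated_idp(key, nonce, overrides = {})
  lambda do |code, _redirect_uri|
    raise "unknown code" unless code == "code-123"
    claims = { "iss" => GOOGLE[:issuer], "aud" => GOOGLE[:client_id],
               "exp" => Time.now.to_i + 300, "nonce" => nonce,
               "email" => "alice@yourcompany.com", "email_verified" => true }.merge(overrides)
    head = b64url_encode({ "alg" => "HS256", "typ" => "JWT" }.to_json)
    body = b64url_encode(claims.to_json)
    "#{head}.#{body}.#{b64url_encode(OpenSSL::HMAC.digest("SHA256", key, "#{head}.#{body}"))}"
  end
end

# One complete login, optionally with forged claims or a tampered state value.
def run_google_flow(overrides = {}, tamper_state = false)
  key, session = "constructed-idp-signing-key", {}
  build_authorize_redirect(GOOGLE, session)
  idp = simulated_idp(key, session[:oauth_nonce], overrides)
  params = { "code" => "code-123", "state" => tamper_state ? "attacker-chosen" : session[:oauth_state] }
  handle_callback(GOOGLE, params, session, idp, key, EMPLOYEES)
end
```

`run_google_flow` logs Alice in; `run_google_flow({ "email" => "mallory@gmail.com" })` is rejected by the domain list, `run_google_flow({ "email_verified" => false })` by the verified-email check, and `run_google_flow({}, true)` by the state check before any token is even requested. The order of checks is deliberate: state is verified before the code is redeemed, and the email is read only from a token whose signature, issuer, audience, expiry and nonce have all been checked.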


Google OAuth2 SSO

Google OAuth2 SSO is ideal for organizations that use Google Workspace (formerly G Suite) for email and productivity tools.

Admin Setup: Configuring Google OAuth2

To configure Google OAuth2, you need to create an OAuth2 client in the Google Cloud Console and then enter the credentials in Udyamo HRMS.

Step 1: Create a Google Cloud OAuth2 Client

  1. Log in to the Google Cloud Console.
  2. Select your project (or create a new one).
  3. Navigate to APIs & Services > Credentials.
  4. Click Create Credentials > OAuth client ID.
  5. Select Web application as the application type.
  6. Configure the following:
Field | Value
Name | Udyamo HRMS SSO
Authorized redirect URIs | https://your-domain.udyamo.com/users/auth/google_oauth2/callback
  7. Click Create.
  8. Note the Client ID and Client Secret; you will need these in the next step.

Warning: Keep the Client Secret confidential. Do not share it in emails, chat messages, or public repositories.

Step 2: Configure Google OAuth2 in Udyamo HRMS

  1. Log in to Udyamo HRMS as an administrator.
  2. Navigate to Settings > Security > Single Sign-On.
  3. In the Google OAuth2 section, click Configure.
  4. Enter the following:
Field | Description | Required
Client ID | The OAuth2 Client ID from Google Cloud Console | Yes
Client Secret | The OAuth2 Client Secret from Google Cloud Console | Yes
Allowed Domain(s) | Restrict SSO to specific email domains (e.g., yourcompany.com). Leave blank to allow any Google account. | Recommended
  5. Click Save.
  6. Toggle Enable Google SSO to on.

Google OAuth2 configuration in Udyamo HRMS

Tip: Restricting to your company's email domain prevents external Google accounts, including personal gmail.com accounts, from attempting to log in. This is strongly recommended for security. To enforce the same restriction on the Google side, set the User type of the OAuth consent screen in the Google Cloud Console to Internal, so that only accounts in your Google Workspace organization can authorize the app at all.

Step 3: Test Google SSO

  1. Open an incognito/private browser window.
  2. Navigate to the Udyamo HRMS login page.
  3. Click Sign in with Google.
  4. Select a Google Workspace account that matches an employee email in Udyamo HRMS.
  5. Verify that you are successfully logged in.

Employee Login Flow: Google

  1. Navigate to the Udyamo HRMS login page.
  2. Click Sign in with Google.
  3. If not already signed in to Google, enter Google credentials.
  4. If the Google organization enforces MFA, complete the verification step.
  5. Upon successful authentication, Google redirects to Udyamo HRMS.
  6. Udyamo HRMS matches the Google email to an employee record and logs the user in.

Google SSO login button


Azure AD SSO

Azure AD SSO is designed for organizations that use Microsoft 365 (Office 365) and Azure Active Directory (now labelled Microsoft Entra ID in the Azure Portal) for identity management.

Admin Setup: Configuring Azure AD SSO

Configuring Azure AD SSO requires steps in both the Azure Portal and Udyamo HRMS.

Step 1: Register an Application in Azure AD

  1. Log in to the Azure Portal.
  2. Navigate to Azure Active Directory > App registrations.
  3. Click New registration.
  4. Fill in the registration form:
Field | Value
Name | Udyamo HRMS
Supported account types | Accounts in this organizational directory only (Single tenant)
Redirect URI | Platform Web, URI https://your-domain.udyamo.com/users/auth/azure_oauth2/callback
  5. Click Register.
  6. On the application overview page, note the Application (client) ID and Directory (tenant) ID.

Tip: Keep the registration single tenant. A multitenant registration accepts sign-ins from any Azure AD directory, leaving only the email match and the allowed-domain list between an outside account and a login.

Step 2: Create a Client Secret

  1. In the registered application, navigate to Certificates & secrets.
  2. Click New client secret.
  3. Enter a description (e.g., "Udyamo HRMS SSO") and select an expiry period. Record the expiry date: the secret stops working at that moment and Azure AD logins fail until a new secret is entered in Udyamo HRMS.
  4. Click Add.
  5. Copy the Secret Value immediately — it is shown only once.

Warning: The client secret is displayed only at the time of creation. If you lose it, you must create a new one.

Step 3: Configure API Permissions

  1. In the registered application, navigate to API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph.
  4. Choose Delegated permissions.
  5. Add the following permissions:
Permission | Purpose
openid | Required for OpenID Connect authentication
email | Access the user's email address
profile | Access the user's basic profile (name)
  6. Click Add permissions.
  7. Click Grant admin consent for [Your Organization] to approve the permissions for all users.

Step 4: Configure Azure AD in Udyamo HRMS

  1. Log in to Udyamo HRMS as an administrator.
  2. Navigate to Settings > Security > Single Sign-On.
  3. In the Azure AD section, click Configure.
  4. Enter the following:
Field | Description | Required
Tenant ID | The Directory (tenant) ID from Azure AD | Yes
Client ID | The Application (client) ID from Azure AD | Yes
Client Secret | The client secret value you created | Yes
Allowed Domain(s) | Restrict SSO to specific email domains | Recommended
  5. Click Save.
  6. Toggle Enable Azure AD SSO to on.

Azure AD configuration in Udyamo HRMS

Step 5: Test Azure AD SSO

  1. Open an incognito/private browser window.
  2. Navigate to the Udyamo HRMS login page.
  3. Click Sign in with Microsoft.
  4. Enter Microsoft 365 credentials for a user whose email matches an Udyamo HRMS employee record.
  5. Complete any MFA prompts from Azure AD.
  6. Verify that you are successfully logged in.

Employee Login Flow: Azure AD

  1. Navigate to the Udyamo HRMS login page.
  2. Click Sign in with Microsoft.
  3. If not already signed in to Microsoft 365, enter Microsoft credentials.
  4. Complete MFA if required by the Azure AD conditional access policy.
  5. Upon successful authentication, Azure AD redirects to Udyamo HRMS.
  6. Udyamo HRMS matches the Microsoft email to an employee record and logs the user in.

How SSO Works with Existing Accounts

When an employee first uses SSO to log in, Udyamo HRMS links their SSO identity to their existing account based on the email address match.

Account Linking

Scenario | Result
Employee has a password-based account and the SSO email matches | SSO login succeeds. The account is linked to the SSO provider. The employee can still use password login.
Employee does not have an Udyamo HRMS account | SSO login is rejected. An admin must first create the employee record with the matching email.
Email in SSO provider does not match any Udyamo HRMS email | SSO login is rejected with an error message.
Employee uses both Google and Azure AD | Both can be linked to the same account if both emails match.

Tip: When onboarding new employees, ensure their Udyamo HRMS email matches their Google Workspace or Azure AD email to enable SSO from day one.
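The linking rules in the table above, as an added in-memory model (example code, not Udyamo's implementation). The Employee record, its `identities` list and the rule "match on email once, then recognise the IdP's stable uid" are assumptions made for this illustration; the page itself only says that the link is established from the email match.

```ruby
# Added illustration of the account-linking rules as an in-memory model.
# Not Udyamo's code: the Employee record, its `identities` list and the rule
# "match on email once, then recognise the IdP's stable uid" are assumptions
# made for this example.
Employee = Struct.new(:id, :email, :password_digest, :identities)

# Constructed records: Alice has a password, Bob has none (SSO-only account).
def seed_employees
  [Employee.new(1, "alice@yourcompany.com", "constructed-bcrypt-digest", []),
   Employee.new(2, "bob@yourcompany.com", nil, [])]
end

# provider: "google_oauth2" or "azure_oauth2"; uid: the IdP's stable subject id
# (Google `sub`, Azure AD `oid`), which survives a mailbox rename; email: the
# verified email claim from the ID token.
def sso_login(employees, provider, uid, email)
  email = email.strip.downcase
  # 1. An identity linked on an earlier login wins, so a later rename of the
  #    mailbox at the IdP does not lock the employee out.
  linked = employees.find { |e| e.identities.any? { |i| i[:provider] == provider && i[:uid] == uid } }
  return [:login, linked, :linked] if linked
  # 2. First SSO login for this identity: exact (case-insensitive) email match, then link.
  match = employees.find { |e| e.email.downcase == email }
  return [:reject, "no employee record for #{email}"] unless match
  # 3. The same provider is already linked with a different uid: refuse rather
  #    than re-link, so a second IdP account cannot claim the record by email.
  if match.identities.any? { |i| i[:provider] == provider }
    return [:reject, "#{provider} already linked to a different account"]
  end
  match.identities << { provider: provider, uid: uid }
  [:login, match, :newly_linked]
end

# Password login stays available to anyone who still has a digest stored;
# linking an SSO identity does not remove it.
def password_login_available?(employee)
  !employee.password_digest.nil?
end

# The scenarios from the table, in order, returned for inspection.
def walkthrough
  employees = seed_employees
  {
    first_login:     sso_login(employees, "google_oauth2", "g-111", "Alice@YourCompany.com"),
    second_provider: sso_login(employees, "azure_oauth2", "a-222", "alice@yourcompany.com"),
    renamed_mailbox: sso_login(employees, "google_oauth2", "g-111", "alice.m@yourcompany.com"),
    no_record:       sso_login(employees, "google_oauth2", "g-999", "carol@yourcompany.com"),
    second_google:   sso_login(employees, "google_oauth2", "g-333", "alice@yourcompany.com"),
    sso_only:        sso_login(employees, "azure_oauth2", "a-444", "bob@yourcompany.com"),
    employees:       employees,
  }
end

if __FILE__ == $PROGRAM_NAME
  walkthrough.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Running the file prints each scenario: Alice is linked to Google on the first login and to Azure AD on the second, is still recognised after her Google mailbox is renamed, Carol is rejected because no record exists, and a second Google account carrying Alice's email is refused instead of silently taking over her record.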


SSO vs. Password Login

SSO does not disable password-based login unless the administrator explicitly configures it.

Login Method | Availability | Notes
Email + Password | Always available (unless disabled) | Default method for all users
Google SSO | Available when configured and enabled | Requires Google Workspace account
Azure AD SSO | Available when configured and enabled | Requires Microsoft 365 account
OTP Login | Available when configured and enabled | Passwordless alternative

Disabling Password Login

If your organization wants to enforce SSO-only login:

  1. Navigate to Settings > Security > Login Methods.
  2. Disable Email + Password Login.
  3. Ensure at least one SSO provider is configured and enabled.

Warning: Before disabling password login, verify that all employees can successfully log in via SSO. Keep at least one administrator account with password access as a fallback in case of SSO provider outages. Treat it as a break-glass account: give it a long, uniquely generated password, enable TOTP 2FA on it, and do not use it for day-to-day work.


Managing SSO Providers

Viewing SSO Configuration

  1. Navigate to Settings > Security > Single Sign-On.
  2. The page shows the status of each SSO provider:
Provider | Status | Details
Google OAuth2 | Enabled / Disabled | Client ID (masked), allowed domains
Azure AD | Enabled / Disabled | Tenant ID (masked), allowed domains

Updating SSO Configuration

  1. Click Edit next to the provider you want to update.
  2. Modify the Client ID, Client Secret, Tenant ID, or allowed domains.
  3. Click Save.
  4. Test the updated configuration.

Disabling SSO

  1. Navigate to Settings > Security > Single Sign-On.
  2. Toggle the provider off.
  3. Employees will no longer see the SSO login button for that provider.

Warning: Disabling SSO does not delete the configuration — it only hides the login option. You can re-enable it at any time.


Troubleshooting SSO Issues

Common Problems and Solutions

Problem | Possible Cause | Solution
"Account not found" after SSO login | Email in SSO provider does not match any Udyamo HRMS email | Verify the employee's email in both systems matches exactly
"Invalid redirect URI" error | The redirect URI in the SSO provider does not match the Udyamo HRMS callback URL | Correct the redirect URI in Google Cloud Console or Azure Portal
"Admin consent required" (Azure AD) | The Azure AD admin has not granted consent for the app permissions | Grant admin consent in Azure Portal > App Registrations > API Permissions
SSO button not visible on login page | SSO provider is not enabled in Udyamo HRMS settings | Enable the provider in Settings > Security > Single Sign-On
Login loops or redirects repeatedly | Cookie or session issue | Clear browser cookies, try incognito mode, or check third-party cookie settings
"Access denied" from Google | User's Google account is not in the allowed domain | Add the user's domain to the allowed domains list or check domain restrictions
Azure AD conditional access blocks login | Azure AD policy blocks the application | Review Azure AD conditional access policies to allow the Udyamo HRMS app

Diagnostic Checklist

When troubleshooting SSO, verify the following:

  1. The SSO provider is enabled in Udyamo HRMS settings.
  2. The Client ID and Client Secret are correct and not expired.
  3. The redirect URI in the identity provider matches the Udyamo HRMS callback URL exactly (including https:// and the path).
  4. The employee's email address in the identity provider matches their Udyamo HRMS email.
  5. The identity provider has granted the required permissions (API permissions for Azure AD, OAuth scopes for Google).
  6. The browser allows third-party cookies or the SSO domain is whitelisted.

SSO troubleshooting checklist
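The checklist above, turned into an added diagnostic that runs over a constructed configuration snapshot (example code, not a Udyamo feature). The snapshot keys (hrms_host, registered_redirect_uri, secret_expires_at, allowed_domains, email_pairs) are assumptions made for this illustration; the point is that a redirect URI is compared component by component, so the output names the exact mismatch rather than repeating the provider's opaque "invalid redirect URI".

```ruby
# Added example: the diagnostic checklist run over a constructed configuration
# snapshot. Not Udyamo's code; the snapshot keys (hrms_host,
# registered_redirect_uri, secret_expires_at, allowed_domains, email_pairs)
# are assumptions made for this illustration.
require "uri"
require "time"

CALLBACK_PATHS = {
  "google_oauth2" => "/users/auth/google_oauth2/callback",
  "azure_oauth2"  => "/users/auth/azure_oauth2/callback",
}.freeze

# IdPs compare redirect URIs exactly (host case aside), so report each
# differing component instead of one opaque "mismatch".
def redirect_uri_findings(registered, expected)
  r, e = URI.parse(registered), URI.parse(expected)
  out = []
  out << "scheme is #{r.scheme}, must be #{e.scheme}" unless r.scheme == e.scheme
  out << "host #{r.host} does not match #{e.host}" unless r.host.to_s.downcase == e.host.downcase
  out << "port #{r.port} does not match #{e.port}" if r.scheme == e.scheme && r.port != e.port
  out << "path #{r.path.inspect} does not match #{e.path.inspect} (trailing slash and case matter)" unless r.path == e.path
  out << "redirect URI must not carry a query string or fragment" if r.query || r.fragment
  out
end

# nil expiry models a Google secret (no expiry by default); Azure AD secrets
# always carry one.
def secret_status(expires_at, now = Time.now, warn_days = 30)
  return :no_expiry if expires_at.nil?
  return :expired if expires_at <= now
  (expires_at - now) < warn_days * 86_400 ? :expiring_soon : :ok
end

def email_findings(idp_email, hrms_email)
  return [] if idp_email.strip.downcase == hrms_email.strip.downcase
  ["IdP email #{idp_email.inspect} does not match HRMS email #{hrms_email.inspect}"]
end

def diagnose(snapshot, now = Time.now)
  findings = []
  snapshot[:providers].each do |name, p|
    tag = "[#{name}]"
    findings << "#{tag} provider is configured but not enabled" unless p[:enabled]
    expected = "https://#{snapshot[:hrms_host]}#{CALLBACK_PATHS.fetch(name)}"
    redirect_uri_findings(p[:registered_redirect_uri], expected).each { |f| findings << "#{tag} #{f}" }
    case secret_status(p[:secret_expires_at], now)
    when :expired       then findings << "#{tag} client secret expired on #{p[:secret_expires_at].iso8601}"
    when :expiring_soon then findings << "#{tag} client secret expires within 30 days; rotate it"
    end
    if p[:allowed_domains].to_a.empty?
      findings << "#{tag} no allowed domains set; any #{name} account with a matching email can attempt login"
    end
  end
  snapshot[:email_pairs].each { |idp, hrms| findings.concat(email_findings(idp, hrms)) }
  findings
end

# Constructed snapshot with the usual mistakes: http instead of https and a
# trailing slash on the Google redirect URI, no domain restriction, a disabled
# Azure provider whose secret expires in ten days, and one mismatched email.
def sample_snapshot(now)
  { hrms_host: "your-domain.udyamo.com",
    providers: {
      "google_oauth2" => { enabled: true, secret_expires_at: nil, allowed_domains: [],
        registered_redirect_uri: "http://your-domain.udyamo.com/users/auth/google_oauth2/callback/" },
      "azure_oauth2"  => { enabled: false, secret_expires_at: now + 10 * 86_400, allowed_domains: ["yourcompany.com"],
        registered_redirect_uri: "https://YOUR-DOMAIN.udyamo.com/users/auth/azure_oauth2/callback" } },
    email_pairs: [["Alice@yourcompany.com", "alice@yourcompany.com"],
                  ["bob@yourcompany.com", "bob@yourcompany.co"]] }
end

if __FILE__ == $PROGRAM_NAME
  diagnose(sample_snapshot(Time.now)).each { |f| puts f }
end
```

On the constructed snapshot this reports six findings: the scheme and trailing-slash problems on the Google redirect URI, the missing domain restriction, the disabled Azure provider, its secret expiring within 30 days, and the one email that differs after normalisation. The upper-case host on the Azure URI is deliberately not reported, since hostnames are case-insensitive, while the path comparison stays case-sensitive.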


Security Considerations

Consideration | Recommendation
Client secret rotation | Rotate Azure AD client secrets before expiry. Google OAuth2 secrets do not expire by default but should be rotated periodically. Enter the new secret in Udyamo HRMS before deleting the old one at the provider, so that logins continue during the change.
Domain restriction | Always configure allowed domains to prevent unauthorized accounts from attempting SSO.
MFA at the IdP | Enable multi-factor authentication in Google Workspace or Azure AD for an additional security layer.
Conditional access (Azure AD) | Use Azure AD conditional access policies to restrict login by device, location, or risk level.
Account deprovisioning | When an employee leaves, removing them from the identity provider prevents any new SSO login to Udyamo HRMS. It does not end sessions that are already open and does not disable password or OTP login; deactivate the employee in Udyamo HRMS as well.
SSO + 2FA | SSO and TOTP 2FA can coexist. If an organization uses SSO with IdP-level MFA, additional 2FA in Udyamo HRMS may be redundant but can be enabled for extra security.

Quick Reference

Action | Navigation | Notes
Configure Google SSO | Settings > Security > SSO > Google OAuth2 | Requires Google Cloud Console setup
Configure Azure AD SSO | Settings > Security > SSO > Azure AD | Requires Azure Portal setup
Enable/disable SSO | Settings > Security > SSO > Toggle | Immediate effect on login page
Test SSO | Open incognito window > Login page > SSO button | Use a matching employee email
Disable password login | Settings > Security > Login Methods | Ensure SSO works for all users first

What Comes Next

With SSO configured, the next chapter covers integrating Udyamo HRMS with Microsoft Teams for in-chat HR actions. Proceed to Chapter 46: MS Teams Integration.