SSO Integration Guide for GCC High / Government Clients

This guide explains how to configure your Azure App Registration for Single Sign-On (SSO) integration with Siter.

Prerequisites

  • Azure AD Administrator access in your GCC High or DoD tenant
  • Siter environment URLs for redirect URIs (provided by Siter team)

Step 1: Access Azure Portal

Navigate to the appropriate Azure portal for your cloud environment:

Cloud Type    Portal URL
GCC High      https://portal.azure.us
DoD           https://portal.azure.us
Commercial    https://portal.azure.com

Step 2: Create App Registration

  1. In the Azure Portal, go to Microsoft Entra ID (or search for "Entra" in the top search bar)
  2. In the left sidebar, click App registrations
  3. Click + New registration
  4. Fill in the registration form:

     Field                     Value
     Name                      Siter SSO Integration (or your preference)
     Supported account types   Select "Accounts in this organizational directory only"
     Redirect URI              Leave blank for now (we'll add it in the next step)

  5. Click Register

Step 3: Configure Authentication

  1. In your new App Registration, click Authentication in the left sidebar

  2. Click + Add a platform

  3. Select Single-page application

  4. Add the redirect URIs provided by Siter. Typical values:

    https://siter.app

    Note: Add all environment URLs provided by the Siter team. The URI must match exactly (including https://, no trailing slash).

  5. Scroll down to Implicit grant and hybrid flows

  6. Check the box for ID tokens (used for implicit and hybrid flows)

  7. Click Save

Step 4: Configure API Permissions

  1. Click API permissions in the left sidebar
  2. Click + Add a permission
  3. Select Microsoft Graph
  4. Select Delegated permissions
  5. Search for User.Read and check the box
  6. Click Add permissions
  7. Click Grant admin consent for [Your Organization Name]
  8. Click Yes to confirm

Why grant admin consent? Government tenants typically disable user self-consent. Without admin consent, users will see an error when trying to sign in:

"AADSTS65001: The user or administrator has not consented to use the application."

Granting admin consent pre-approves the permission for all users in your organization.

Note: User.Read is the only permission required. Siter extracts user information from standard token claims.

Step 5: Collect Information for Siter

Go to Overview in the left sidebar and copy these values:

Field                     Where to Find It
Application (client) ID   Displayed on the Overview page
Directory (tenant) ID     Displayed on the Overview page

Also note your organization's email domains (e.g., @agency.gov, @agency.mil).

Step 6: Provide Information to Siter

Send the following to your Siter administrator:

Organization Name: [Your organization's name]
Cloud Type: [GCC High / DoD]
Tenant ID: [Directory (tenant) ID from Step 5]
Client ID: [Application (client) ID from Step 5]
Email Domains: [Comma-separated list, e.g., agency.gov, agency.mil]

The Siter team will configure the SSO integration and notify you when it's ready for testing.

Step 7: Test the Integration

Once Siter confirms the configuration is complete:

  1. Open Siter in your browser
  2. Click Sign in with Microsoft
  3. Enter your organization email address (e.g., user@agency.gov)
  4. You should be redirected to your organization's Azure AD login page
  5. Sign in with your credentials
  6. You should be returned to Siter, now logged in

Troubleshooting

"The redirect URI is not valid" or "AADSTS50011: The reply URL does not match"

Cause: The redirect URI in your App Registration doesn't match Siter's URL.

Solution:

  • Go to Authentication in your App Registration
  • Verify the redirect URI matches exactly what Siter provided
  • Check for typos, missing https://, or trailing slashes
  • Click Save after making changes

"AADSTS65001: The user or administrator has not consented"

Cause: Admin consent has not been granted for the application.

Solution:

  • Go to API permissions in your App Registration
  • Click Grant admin consent for [Your Organization]
  • Wait a few minutes for the change to propagate

"Unable to find tenant" or "AADSTS90002: Tenant not found"

Cause: Wrong Azure portal or incorrect tenant ID.

Solution:

"ID tokens not enabled" or token errors

Cause: ID tokens are not enabled in the App Registration.

Solution:

  • Go to Authentication in your App Registration
  • Under Implicit grant and hybrid flows, check ID tokens
  • Click Save

User email not found after sign-in

Cause: The token doesn't contain the user's email address.

Solution:

  • Ensure User.Read permission is granted
  • Grant admin consent if not already done
  • If the email claim is not present, the system falls back to the preferred_username claim
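The checks behind the troubleshooting entries above (exact redirect URI match, tenant and client ID match, email with preferred_username fallback, configured email domains), as an added illustrative example. This is not Siter's code; it assumes the ID token's signature, issuer and expiry have already been verified by a JWT library, and all IDs and claim values in it are constructed placeholders.

```python
# Illustrative checks for the claims-based sign-in this guide describes.
# Added example, not Siter's code. Assumes the ID token's signature, issuer
# and expiry were already verified; only claim checks and the
# email -> preferred_username fallback are shown.


def diagnose_redirect_uri(registered: str, requested: str) -> str:
    """Explain why a redirect URI fails the exact-match rule from Step 3."""
    if registered == requested:
        return "ok"
    if requested.lower().startswith("http://"):
        return "scheme is http, must be https"
    if requested.rstrip("/") == registered.rstrip("/"):
        return "trailing slash differs"
    if requested.lower() == registered.lower():
        return "case differs"
    return "URI does not match registered value"


def extract_user(claims: dict, tenant_id: str, client_id: str,
                 allowed_domains: list[str]) -> tuple[str, str]:
    """Return (identifier, domain) for an accepted token or raise ValueError.

    tid and aud are standard Microsoft identity platform ID token claims; the
    expected values are the Directory (tenant) ID and Application (client) ID
    from Step 5, and allowed_domains is the list sent to Siter in Step 6.
    """
    if claims.get("tid") != tenant_id:
        raise ValueError(f"tenant mismatch: {claims.get('tid')!r}")
    if claims.get("aud") != client_id:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")
    # Prefer the email claim; fall back to preferred_username (usually the UPN).
    ident = claims.get("email") or claims.get("preferred_username") or ""
    if "@" not in ident:
        raise ValueError("no usable email or preferred_username claim")
    domain = ident.rsplit("@", 1)[1].lower()
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    if domain not in allowed:
        raise ValueError(f"domain {domain!r} is not a configured email domain")
    return ident.lower(), domain


# Constructed sample values (placeholder IDs, not a real tenant or app).
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
DOMAINS = ["agency.gov", "agency.mil"]
SAMPLE_CLAIMS = {"tid": TENANT_ID, "aud": CLIENT_ID,
                 "preferred_username": "Jane.Doe@agency.gov"}  # no email claim

if __name__ == "__main__":
    print(extract_user(SAMPLE_CLAIMS, TENANT_ID, CLIENT_ID, DOMAINS))
    print(diagnose_redirect_uri("https://siter.app", "https://siter.app/"))
```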

Security Notes

  • Client ID and Tenant ID are not secrets - They are public identifiers and safe to share
  • No client secret is required - Siter uses the authorization code flow with PKCE, which doesn't require a client secret for single-page applications
  • Minimal permissions - Siter only requests User.Read to access basic profile information

Support

If you encounter issues not covered in this guide, contact your Siter administrator with:

  1. The exact error message you're seeing
  2. Screenshots if available
  3. The email domain you're trying to sign in with