How do I set up single sign-on (SSO)?

This guide walks system administrators through the process of configuring single sign-on (SSO) for the Oxford Risk platform using SAML2.

Set up single sign-on

This guide walks system administrators through the process of configuring single sign-on (SSO) for the Oxford Risk platform. The instructions are written with reference to Microsoft Entra, but any identity provider that supports SAML 2.0 can be used.

Step 1: Create a new application in Microsoft Entra

  1. Sign in to the identity provider admin panel https://entra.microsoft.com.
  2. Navigate to Enterprise Applications > + New Application.
  3. Select Create your own application.
  4. Enter a name (e.g. Oxford Risk Investor Compass) and choose Integrate any other application you don’t find in the gallery (non-gallery).

Step 2: Configure Basic SAML Settings

Because Oxford Risk Investor Compass is not in the gallery, you’ll need to manually configure the SAML settings.

  1. The Identifier (Entity ID) and Reply URL values will be supplied by Oxford Risk in a later step, but you need to enter placeholder values now so that Entra generates the signing certificate. Enter https://auth.oxfordrisk.io/temp in both fields.
  2. Set the Relay State URL to https://id.oxfordrisk.io/login.
  3. Save the settings and close the modal.

Step 3: Gather Essential Information

You’ll need the following details to complete the setup:

  • Download the base64-encoded certificate. You may need to edit this file in a text editor to remove any line breaks.
  • Note the Login URL.
  • Note the Microsoft Entra Identifier URL.
  • Note the Logout URL.

These will be used to configure the Oxford Risk SAML settings.

Step 4: Configure Oxford Risk SAML settings

Oxford Risk provides an API endpoint to configure SSO. You can download a Postman collection of the process.

  1. Create an authentication token using your Oxford Risk admin credentials.
  2. Send a POST request to https://auth.oxfordrisk.io/settings/saml2 with the following body:
     {
       "key": "office 365",
       "idp_entity_id": "<Microsoft Entra Identifier URL>",
       "idp_login_url": "<Login URL>",
       "idp_logout_url": "<Logout URL>",
       "idp_x509_cert": "<Signing certificate>",
       "relay_state_url": "https://<your-subdomain>.oxfordrisk.io/login"
     }

Step 5: Update the SSO App Settings in Entra

  1. Send a GET request to https://auth.oxfordrisk.io/settings/saml2 with no body.
  2. Go back to your Entra app’s Basic SAML Configuration.
  3. Find the settings.idp.identifier value in the API response and set this as the Identifier (Entity ID) field.
  4. Paste the settings.idp.reply value into the Reply URL field.
  5. Save your changes.
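As an added, self-contained example (not Oxford Risk's own code or Postman collection), the following Python script carries out Step 4 and Step 5 end to end: it normalises the certificate downloaded in Step 3, builds the POST body, and reads settings.idp.identifier and settings.idp.reply from the GET response. It assumes the token from Step 4 is sent as a Bearer header, that idp_x509_cert takes the bare base64 with no PEM header lines, and that the dotted paths in the response are nested JSON objects.

```python
import json
import re
import urllib.request

SETTINGS_URL = "https://auth.oxfordrisk.io/settings/saml2"

def normalize_cert(pem_text):
    """One line of base64, no line breaks. Dropping the PEM BEGIN/END
    lines is an assumption; the page only says to remove line breaks."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    cert = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", cert):
        raise ValueError("certificate is not clean base64 after normalising")
    return cert

def build_saml_body(entity_id, login_url, logout_url, pem_text, subdomain):
    """Body for the Step 4 POST. Rejecting non-HTTPS IdP URLs is a check
    added here so a typo cannot point SSO at an unencrypted endpoint."""
    for url in (entity_id, login_url, logout_url):
        if not url.startswith("https://"):
            raise ValueError(f"expected an https:// URL, got {url!r}")
    return {
        "key": "office 365",
        "idp_entity_id": entity_id,
        "idp_login_url": login_url,
        "idp_logout_url": logout_url,
        "idp_x509_cert": normalize_cert(pem_text),
        "relay_state_url": f"https://{subdomain}.oxfordrisk.io/login",
    }

def extract_sp_settings(response):
    """Step 5: settings.idp.identifier is the Entity ID and
    settings.idp.reply the Reply URL (nested-object shape assumed)."""
    idp = response["settings"]["idp"]
    return idp["identifier"], idp["reply"]

def call(method, token, body=None):
    """JSON request to the settings endpoint; Bearer auth is assumed."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(SETTINGS_URL, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def configure_sso(token, body):
    """Step 4 then Step 5: push the IdP details, then read back SP values."""
    call("POST", token, body)
    return extract_sp_settings(call("GET", token))
```

Call configure_sso(token, build_saml_body(...)) with the values noted in Step 3; the returned pair is what goes into the Identifier (Entity ID) and Reply URL fields in Entra.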

Step 6: Assign Users and Groups

  1. In the app’s Users and Groups section, assign the relevant users or groups who should have access to Investor Compass.
  2. Ensure they have appropriate permissions in Oxford Risk.

Step 7: You're Done!

Users can now log in via SSO by clicking Sign in with SSO on the Oxford Risk login page.

When a user logs in for the first time, the Oxford Risk platform will create an adviser account (i.e. a billable seat) for them. If the user needs administrator or assistant permissions (i.e. a non-billable seat), an existing administrator will need to log in and change their permissions.

Removing a user's permissions from the SSO application will prevent them from accessing Oxford Risk, but it will not update the user's record on the Oxford Risk platform. Administrators must also archive the adviser’s account so they do not continue to be billed.