Skip to content
English
  • There are no suggestions because the search field is empty.

Single Sign-On (SSO)

Secure, passwordless login to the moinAI Hub using a single central identity

Single Sign-On (SSO) allows users to log in to the moinAI Hub securely and without a password via a central identity provider. As an authentication method, SSO enables access to multiple applications with a single user ID. This simplifies the login process for your team and improves security, as no additional passwords need to be managed.

Depending on the moinAI licence, Google ID and Microsoft Entra ID (formerly Azure AD) are supported via OpenID Connect (OIDC) authentication (OAuth 2.0 protocol). For questions about feature availability, contact the Customer Success Team at customersuccess@moin.ai.

  1. Activation
  2. Best Practices
  3. Deactivation
  4. Use Cases


1. Activation

To set up Google Single Sign-On or Microsoft Single Sign-On, navigate in the moinAI Hub to: Bot Settings > Users & permissions > gear icon in the Single Sign-On section. Click Edit to open the Single Sign-On enforcement window. Select your provider from the dropdown, then click Deploy to apply the change immediately. Optionally, enable two-factor authentication (2FA) using the toggle.

The email address of the Hub account must match the email address used for Microsoft Entra ID or Google ID to enable Single Sign-On.

If the Single Sign-On section is not visible, the SSO option has not yet been activated for your account. Contact the Customer Success Team at customersuccess@moin.ai to request activation.

Figure: SSO activation settings in the Users & permissions area

 

Activation takes effect immediately. If required, a one-time two-factor authentication can be enabled via the toggle in the configuration window. This 2FA sends a code to the user's email address and applies only on the first login with the SSO address. Subsequent logins do not require 2FA.

No additional configuration in Microsoft Azure or Entra ID is required after completing the setup in the moinAI Hub. Depending on your organisation's individual security settings, approval from an administrator may be required.

Invitations for additional Hub accounts include the necessary Single Sign-On information, provided the option is active.

Users log in to the moinAI Hub passwordlessly via the login button of the selected SSO provider.

Figure: Login buttons displayed for the activated SSO providers

 

Important notes on activation:

  • Invitation expiry: All unused invitations sent before SSO was activated become invalid. The same applies to unused invitations sent before SSO is deactivated.
  • Passwordless accounts: Users who receive an SSO invitation have an account without a password. Logging in with an email address and password is not possible, nor is resetting the password after SSO is deactivated.
  • Mandatory Microsoft/Google login: When Single Sign-On is active, users must log in via the Login with Microsoft/Google button. Users must belong to the relevant organisation and use a compatible email address.
  • Applies to all chatbots: If access to multiple AI Chatbots exists and at least one uses Single Sign-On, SSO applies to all AI Chatbots in the moinAI Hub.

2. Best Practices

To ensure smooth usage of Single Sign-On, consider the following recommendations:

  • Consistent email addresses: Ensure that email addresses in the Hub match exactly the email addresses registered in the identity provider (e.g. Microsoft Entra ID).
  • Communicate before switching: As existing invitations become invalid upon activation, align with your team before enabling Single Sign-On.

3. Deactivation

Deactivation follows the same steps as activation. Instead of selecting an SSO provider, deselect the current provider in the Single Sign-On section.

Deactivation means that Single Sign-On is no longer enforced. However, it remains available as an option for users.

4. Use Cases

The following scenarios illustrate how Single Sign-On is used in practice:

  • Centralised user management: An organisation wants to centrally manage Hub access for all staff via Microsoft Entra ID. Once activated, all team members log in passwordlessly using their corporate credentials.

  • Security-compliant authentication: By linking the login to the organisation's existing multi-factor authentication (MFA), access to the AI Chatbots is further secured.