How to Set Up BoldDesk with Azure AD Single Sign-On (SSO)

In BoldDesk, you can configure Single Sign-On (SSO) using OAuth 2.0, OpenID Connect, and JWT. This guide walks you through the steps to integrate BoldDesk with Azure Active Directory (Azure AD) for Single Sign-On (SSO), enabling secure and seamless access for users using their organizational credentials.



Check out this video tutorial.

Configure Azure AD for OpenID Connect

Follow these steps to configure Azure AD SSO login in BoldDesk:

  1. Go to Admin > Customer Portal > Login.

  2. Select OpenID Connect.

    Open ID Connect.png

  3. Go to your Azure AD portal and navigate to Azure Active Directory > App registrations > New registration.

    Azure AD.png

  4. You can either use your existing application or create a new one.

    Existing Azure AD.png

  5. After creating the application, you can view it on the overview page as shown:

    Creating Application.png

  6. To generate the client credentials, click Add a certificate or secret and create a new client secret.

    Add Certificate.png

  7. Copy the ‘Value’ column of the secret, not the ‘Secret ID’; BoldDesk needs the secret value. Refer to the screenshot below.

    Secret_Value.png

  8. Go to Overview and click Add redirect URL.

  9. Select Add a platform and choose “Web”. Copy the callback URL from the BoldDesk SSO configuration page and paste it as the redirect URI.

  10. Enable the ID tokens checkbox and save the configuration.

    ID Tokens.png

  11. Now go to your BoldDesk portal and fill in the following fields:

  • Client ID: This will be available on the Azure AD App’s overview page.
  • Client Secret: Paste the secret you created in the Azure AD Application.
  • Authority: To configure the authority URL, use the following format:
    • https://login.microsoftonline.com/<Directory (tenant) ID>/

    • For example, if the Directory (tenant) ID in the Azure portal is 7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb, the authority URL is https://login.microsoftonline.com/7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb/.

  • Tenant ID: Copy the Directory (tenant) ID from the Azure portal.

      Tenant ID.png


      Token ID.png

Configure OAuth 2.0 in Azure AD

To use OAuth 2.0, all the steps above are the same except for the endpoints. To get the endpoints, follow the steps below:

  1. Go to the Overview section in the Azure AD portal.

    OAuth 2.png

  • Token endpoint: Copy the first token endpoint listed. Use the version 2 (v2.0) endpoint.

  • Authority: Copy the authority endpoint from the list. Again, use the version 2 endpoint.

  • User info endpoint: Use https://graph.microsoft.com/oidc/userinfo.

    Endpoint.png

  2. After saving the configuration, open your login page; the SSO login option is now enabled.

    Login Enabled.png

Identity Provider Compatibility

BoldDesk supports integration with any Identity Provider (IdP) using OpenID Connect, OAuth 2.0, or JWT. The same configuration steps apply to both Customer Portal and Agent Portal.

Troubleshooting Common Issues

The common issues are listed below:

1. Unable to Retrieve Email Address

If, after configuring the SSO login, you see the error “Unable to get the email address from the selected identity provider”, BoldDesk could not obtain the user's email address from the Identity Provider. Follow the procedure below to resolve it.

Retrieve Email Error.png

On the application's Overview page, open Token configuration (shown in the screenshot below) and do the following:

  1. Click the Add optional claim option.

  2. If you used OpenID Connect, select ID as the token type on the Add optional claim screen.

    • Select email and preferred_username under Claim.

  3. If you used OAuth, select Access as the token type. Both OpenID Connect and OAuth use the same claim selections.

    Optional Claim.png

  4. Ensure that the registered users in Azure Active Directory have proper email details in all the necessary columns as shown in the screenshot.

    Azure DIrectory.png

2. Unable to Receive Access Token

You may see an error stating that the identity provider cannot receive the access token. To resolve it, enable both the access token and the ID token for the app. Normally, OAuth 2.0 uses the access token and OpenID Connect uses the ID token.

Access Token.png

  • BoldDesk doesn’t support claim mapping for OpenID Connect and uses the User Principal Name (UPN) as the primary login identifier. If your Azure AD configuration requires email addresses as the login identifier, you can either change the UPN in Azure AD to match the preferred email format or assign the UPN a non-email value; with a non-email UPN, BoldDesk uses the email claim for login verification.
  • UPN (User Principal Name) is the default and most reliable login attribute in Azure AD: it uniquely identifies users for secure authentication and token issuance. Using email instead can lead to ambiguity, spoofing risks, and inconsistencies, especially in hybrid environments. If a claims mapping policy excludes UPN and includes only email, validation may still succeed, but it introduces potential reliability and security concerns.
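The authority-URL format from the setup steps, the version 2 endpoints from the OAuth 2.0 section, and the UPN-first, email-fallback rule described above, combined into one preflight check. This is example code added for this article, not BoldDesk's own implementation; it assumes that in an Azure AD v2.0 token the UPN arrives as preferred_username unless the optional upn claim was added, and the sample claim sets are constructed.

```python
import re

# Microsoft's documented v2.0 endpoint layout; the tenant ID is the article's example.
LOGIN_BASE = "https://login.microsoftonline.com"
USERINFO_ENDPOINT = "https://graph.microsoft.com/oidc/userinfo"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
EXAMPLE_TENANT = "7e6ea6c7-a751-4b0d-bbb0-8cf17fe85dbb"


def authority_url(tenant_id: str) -> str:
    """Build the authority URL in the article's format; rejecting anything
    that is not a GUID catches a pasted display name or URL early."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"not a Directory (tenant) ID: {tenant_id!r}")
    return f"{LOGIN_BASE}/{tenant_id.lower()}/"


def v2_endpoints(tenant_id: str) -> dict:
    """The version 2 endpoints the OAuth 2.0 section tells you to use."""
    auth = authority_url(tenant_id)
    return {
        "authority": auth,
        "authorize": auth + "oauth2/v2.0/authorize",
        "token": auth + "oauth2/v2.0/token",
        "discovery": auth + "v2.0/.well-known/openid-configuration",
        "userinfo": USERINFO_ENDPOINT,
    }


def resolve_login_identifier(claims: dict) -> str:
    """Mirror the troubleshooting rule: UPN is primary; a non-email UPN makes
    the 'email' claim the fallback; with neither, fail with the error text
    BoldDesk shows. Assumption: UPN arrives as preferred_username (or upn)."""
    upn = claims.get("upn") or claims.get("preferred_username") or ""
    if EMAIL_RE.match(upn):
        return upn.lower()
    email = claims.get("email") or ""
    if EMAIL_RE.match(email):
        return email.lower()
    raise LookupError(
        "Unable to get the email address from the selected identity provider")


# Constructed sample claim sets (not real tokens) covering the three cases.
SAMPLE_CLAIMS = {
    "upn_is_email": {"preferred_username": "Alice@contoso.example"},
    "upn_not_email": {"preferred_username": "alice", "email": "alice@contoso.example"},
    "no_email_claim": {"preferred_username": "alice"},
}
```

Running `resolve_login_identifier` over the three sample sets shows which claim a login would use, and the third set reproduces the "Unable to get the email address" condition before any user sees it.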

3. Login Page Looping Issue

If your screen keeps looping on the login page, create a new client secret, copy the value, and use it for configuration.

Secret_Value.png

Frequently Asked Questions (FAQ)

Q1: Can I use email instead of UPN for login?
Yes, by setting UPN to a non-email format, BoldDesk will fall back to using the email claim.

Q2: Does this setup work for both customer and agent portals?
Yes, the same configuration applies to both portals.

Q3: What if I use a different Identity Provider?
BoldDesk supports any IdP that uses OpenID Connect, OAuth 2.0, or JWT.

Q4: Can I test the SSO setup before enabling it for all users?
Yes, configure it and test with a limited user group before full rollout.
