Skip to main content

SSO Setup Guide

Setup Single Sign-On (SSO) with Feedier in just a few clicks. Make it easy for your users to access Feedier.

Written by Julien Chil Hagopian

Settings Menu → Advanced settings

Why set up SSO?

Single Sign-On (SSO) gives your team:

  1. Centralized identity management (password policies, MFA, device trust)

  2. Reduced risk of weak or reused passwords

  3. Immediate access revocation when an employee leaves

⭐️ Feedier supports standard OIDC, compatible with all modern IAM providers: learn more about OIDC.

Who can access this setting?

Role

Access

👑 Admins

Full access

🛠️ Editors

No access

👀 Viewers

No access

🔒 Restricted Viewers

No access

Overview

Setting up SSO takes two required steps, plus optional advanced configuration:

  1. Create an OIDC application in your IAM provider (Microsoft Entra used as example).

  2. Configure the SSO application in Feedier (admin access required).

  3. Advanced setup (optional): role and team auto-provisioning, frontend-only SSO.

If you already have your Base URL, Client ID, and Client Secret from your IAM provider, you can skip directly to Step 2.

Step 1: Create the OIDC application in your IAM provider

The example below uses Microsoft Entra. Steps are similar with other providers.

1.1 Register a new application

  1. Navigate to Applications → App registrations → New registration.

  2. Fill in the registration form:

    • Name: a descriptive name (e.g., "Feedier SSO").

    • Supported account types: choose based on your needs (e.g., single tenant).

    • Redirect URI: select Web and paste the redirect URL provided by Feedier (see callout below).

    Click Register.

Where do I find the redirect URL in Feedier?

In Feedier, go to Advanced Settings → Authentication and click Enable OIDC authentication.

1.2 Configure authentication

  1. Open the Authentication tab of the registered app.

  2. Leave the Front-channel logout URL blank (not needed)

  3. Enable the appropriate Implicit Grant and Hybrid Flows (typically ID tokens for SSO).

1.3 Configure API permissions

  1. Open API permissions → Add a permission.

  2. Select Microsoft Graph.

  3. Choose Delegated permissions.

  4. Add at least openid and email.

⚠️ Critical — Grant admin consent for your organization

After adding the permissions, you must click the "Grant admin consent for [your organization]" button above the permissions list, then click Yes to confirm.

Without this step, every user will be blocked with an "Approval required" screen at login — even if the OIDC configuration in Feedier is perfectly correct. The 3 permissions (email, openid, User.Read) must each show Granted status.

This consent is granted once for the entire organization — no action needed per user.

1.4 Collect endpoints and client secret

  1. From the Overview page, note the endpoints — you'll need them in Step 2.

  2. Go to Certificates & secrets and generate a Client Secret. Copy it now; you won't be able to see it again.

Step 2: Configure SSO in Feedier

  1. In Feedier, go to Advanced Settings → Authentication.

  2. Enable OIDC Authentication and set the workflow type to Server.

  3. Fill in the values from Step 1:

  4. Save.

  5. Choose which user has aibility to connect via SSO in Feedier

What happens when you activate SSO?

Activating SSO is silent on the user side — there's no automatic email or notification.

  • Active sessions: users already logged in to Feedier stay logged in. Their session remains valid until it expires naturally or they log out manually.

  • Next login: the next time a user lands on the login screen, Feedier detects that the organization is on SSO and automatically redirects them to your IAM provider (e.g., Azure Entra). SSO takes effect at that point.

  • No automatic notification: Feedier doesn't notify users at activation. If you want them to switch over immediately (for example, to validate the setup), inform them beforehand and ask them to log out and log back in.

In short: activation is silent. The switchover happens naturally at each user's next login.

🔒 New users without a Feedier account

If a user authenticates via SSO but does not have an existing Feedier account, they will automatically be granted the Restricted Viewer role. This is the default behavior — no manual action is required. Their access can be upgraded afterwards by an Admin in Feedier user settings.

The SSO match is done on email address: the address in your IAM (Entra/Azure) must match the one registered in Feedier for each user.

Test the connection

Click the Login URL shown in Advanced Settings. You should be redirected to your OIDC authentication page.

⚠️ Once SSO is enabled, username/password login is no longer allowed. Run tests in a private window and keep an active session in your main window to avoid getting locked out.

How do users log in? Share the Login URL from Advanced Settings — ideally via your intranet for easy access.

Why is bx.feedier.com not redirecting immediately after SSO setup?

After activating SSO, some users who navigate directly to https://bx.feedier.com and enter their professional email may not be redirected to the SSO login page right away. This is expected — here are the reasons:

  • Browser or session cache: if a tab with bx.feedier.com was already open before SSO was enabled, the browser may serve the old login page from cache. Solution: close and reopen the tab, or use a private/incognito window.

  • CDN / server-side cache: Feedier's domain detection (matching a user's email domain to an SSO-enabled workspace) is cached server-side. This cache typically refreshes within a few minutes to a few hours after enabling SSO.

Recommended approach during rollout: share the direct Login URL (shown in Feedier Advanced Settings → Authentication) with your users — this bypasses the domain detection entirely and works immediately after SSO activation.

Advanced setup

MFA and password behavior

  • When SSO is enabled, password login is disabled. The only way in is the SSO login URL.

  • Feedier enforces MFA by default. If your IAM provider already handles MFA, you can disable Feedier's MFA in Advanced Settings.

Client mode (frontend-only SSO)

In Client mode, the Feedier server never talks to your IAM provider — the entire OIDC exchange happens in the user's browser.

Recommended if your IAM provider is behind an internal firewall or VPN.

Best practice: manage access with an Entra group

By default, any user in your Azure tenant can authenticate via the Feedier SSO app. To restrict access and maintain a clean, auditable list of Feedier users, we recommend creating a dedicated Entra group and assigning it to the Feedier SSO enterprise application.

  1. In Microsoft Entra, go to Groups → New group and create a security group (e.g., Feedier Users). Add all employees who should have access to Feedier.

  2. Go to Enterprise Applications → Feedier SSO → Users and groups. Click Add user/group and assign the group you just created.

  3. In the Feedier SSO app registration, go to Properties and set Assignment required to Yes. This ensures only members of the assigned group can authenticate — any other user will be blocked by Entra before even reaching Feedier.

Benefits of this approach:

  • Single place to manage who can access Feedier (add/remove from the group).

  • Access is revoked automatically when a user is removed from the group or the company.

  • No need to manage users one by one in the Entra application.

  • Works well with existing HR groups or department groups already in Entra.

⚠️ If you enable Assignment required after some users have already logged in via SSO, only group members will be able to re-authenticate. Non-members will be blocked at the Entra level. Make sure all current Feedier users are added to the group first.

Auto-provision user roles from your IAM

Instead of manually assigning Feedier roles, you can provision them from your IAM. The example below uses Azure AD; the same pattern applies to other providers.

  1. Create four application roles in your Entra ID enterprise application: Admin, Editor, Viewer, Restricted Viewer.

  2. Email your Workspace ID to [email protected] so our team can complete the backend setup.

  3. Send a test link to a user to confirm.

⚠️ Once enabled, only users with a provisioned role can access Feedier.

Auto-provision user teams from your IAM

You can also map IAM groups to Feedier teams (marketing, subsidiary, etc.) so users land in the right team automatically.

  1. Create groups in Azure — one per Feedier team.

  2. In App Registrations → Token Configuration, add a group claim so group_id is included in the ID token.

  3. Email the mapping table (group_id → Feedier team) to [email protected]. The mapping is activated within 24h.

Example mapping:

group_id

Feedier team

fd7f72c6-cd68-4bad-b170-9aa2c1957128

Team A

9a48e151-e107-4555-a381-498174b947b9

Team B

⚠️ This example uses Azure. With another IAM provider (e.g., Okta), perform the equivalent steps: create groups, configure claims, and include group_id in the ID token.

For any issue, contact [email protected].

Did this answer your question?