Configure Single Sign-On (SSO)

Overview

Northstar's preferred SSO connection is via the industry standard OAuth 2.0 and OpenID-Connect protocol (OIDC). This is supported by all established Identity Providers, such as those from Google and Microsoft.

Below are the custom instructions for configuring the connection for Google or Microsoft domains. After configuring Northstar as an allowed application within your Identity Provider, you'll provide us with the newly created Client ID and Client Secret values of the application. We will then complete the configuration within our framework and work with you to test and confirm that the new sign-in behavior meets everyone's expectations.

To enable Northstar SSO for Staff or Student accounts:

• Instructions for Google
• Instructions for Microsoft

Two-Factor Authentication

A second factor of user authentication is expected for all account types. For users that are federated with a college managed account (such as Google or Microsoft), please configure your preferred multi-factor options in your relevant admin portals.

College Accounts

The following users will have their two-factor settings managed by college IT:

• Students (with a Generated Email value on Demographics)
• Staff (with an email/username matching the college domain)

Northstar Accounts

The following users do not belong to a college managed Identity store, and will have their two-factor setting managed by Northstar:

• Students (without a Generated Email value) (must use StudentID to login)
• Staff (with a non-college email/username)
• Sponsors

Instructions for Google

Register a new application

Follow Google's Setting up OAuth 2.0 doc to register a new application. During this process, Google will generate a Client ID and Client Secret for the application; make note of these.

While setting up the app, be sure to use these settings:

• On the consent screen, under Authorized domains, add auth0.com .
• When asked to select an application type, choose Web application and set the following parameters:

Share the application credentials

Send us the Client ID and Client Secret for each application you've created via the secured channel of your choice.

We'll finish the configuration in our auth framework and send you instructions for testing the connection once it's ready.

Instructions for Microsoft

Microsoft Entra App (pre-app creation)

• Go to https://entra.microsoft.com/
• In the App Registrations section, click on the 'New Registration' button
• Make sure that the Supported Account Type is: "Accounts in this organizational directory only (Default Directory only - Single tenant)"
• Make the (Login) Redirect URI be of type: https://northstar-app.us.auth0.com/login/callback with type WEB
  • https://northstar-app.us.auth0.com being the primary domain

Microsoft Entra App (post-app creation)

• Go into the created app's Authentication section. Then in the Implicit grant and hybrid flows section, make sure that the Access Token and ID Token grants are selected
• Go to the Certificates & Secrets section and add generate a new Client Secret
  • Choose a custom Expiry (preferably set expiry > 1 year)
  • Make sure to copy that secret and store somewhere safe (e.g., password manager)
    • This will be shared with Northstar team to configure Auth0 application on their end along with the Client ID (found in the Overview Page called Application (client) ID)
• Go to API Permissions 
  • Add the Directory.Read.All permission
  • Add the Microsoft Graph Delegated Permissions with type "email, openid, profile"
• Go to Owners and add an Admin owner