Authentication & SSO
SSO Integration
Single Sign-On via OpenID Connect or SAML 2.0 — configuration for Microsoft Entra ID and OneLogin with production and UAT URLs.
Updated May 4, 2026
Integrations · Authentication · 1.4
Gfacility supports OpenID Connect and SAML 2.0 as authentication protocols, with identity providers such as Microsoft Entra ID (formerly Azure AD) and OneLogin. SSO is more secure and frictionless for end users — sign in once to your work environment and you are also signed in to Gfacility.
Two protocols
OpenID Connect
A modern authentication protocol based on OAuth 2.0. Quick to set up with an app registration in Entra ID.
SAML 2.0
An XML-based protocol with enterprise-grade traceability. Often required by corporate IT policies.
In this guide you will find the URLs for both Production (app.gfacility.com) and UAT/Test (uat.gfacility.com).
1. Configuration via OpenID Connect
OpenID Connect connects Gfacility to an external identity provider through standard APIs. From your application registration you need:
| Item | What it is |
|---|---|
| Application (Client) ID | Unique identifier — found in the Microsoft Entra admin center. |
| OAuth 2.0 authorization endpoint | The URL the user is redirected to for authentication. |
| Directory (Tenant) ID | ID of the Entra ID tenant where the application is registered. |
| Client credentials | Client ID and client secret to authenticate the application. |
| Redirect URI | PROD: https://app.gfacility.com/login/ssoUAT: https://uat.gfacility.com/login/sso |
2. Configuration via SAML 2.0
Step by step in Microsoft Entra ID:
| Step | What to do |
|---|---|
| 1 | Go to Applications → Enterprise applications → Overview. |
| 2 | Open the Azure AD SAML Toolkit. Not present? Click + New application. |
| 3 | In the left menu: Single sign-on. |
| 4 | Click Edit next to the default SAML configuration and fill in the URLs (see below). |
| 5 | Send us the details from step 3 (SAML certificates) and step 4 (Toolkit). |
URLs for step 4
Replace {companyname} with the name of your organisation.
Production
- Identifier (Entity ID):
https://app.gfacility.com/api/sso/{companyname}/metadata - Reply URL (ACS):
https://app.gfacility.com/api/sso/{companyname}/acs - Sign-on URL:
https://app.gfacility.com/login/sso
UAT / Test
- Identifier (Entity ID):
https://uat.gfacility.com/api/sso/{companyname}/metadata - Reply URL (ACS):
https://uat.gfacility.com/api/sso/{companyname}/acs - Sign-on URL:
https://uat.gfacility.com/login/sso
What do you send to Gfacility?
- Step 3 (SAML certificates): App Federation Metadata URL.
- Step 4 (SAML Toolkit): Sign-on URL, Microsoft Entra ID, and Sign-out URL.
See also the Microsoft article on configuring SAML in Entra for in-depth context.
Signing in with SSO
End users choose “Sign in with SSO” on the login screen. With a direct URL you can make this even easier:
Auto-detection
The user enters their email once. A cookie remembers it on subsequent visits.
PROD: https://app.gfacility.com/login/sso?email=auto
UAT: https://uat.gfacility.com/login/sso?email=auto
Specific URL
Pass the email in the URL (e.g. via your intranet) — the user does not have to enter anything.
PROD: app.gfacility.com/login/[email protected]
UAT: uat.gfacility.com/login/[email protected]