SSO and User Groups
This section is for those who administer your Identity Provider (IdP), for example Entra ID (Azure AD), Okta or Google. Learn how to configure Single Sign-On (SSO) and user groups for Intric.
SSO Setup (Single Sign-On)
Intric uses OIDC (OpenID Connect) for login, which makes it possible for your users to log in with their existing organization accounts.
Information you need to send to Intric
For Intric to be able to configure SSO against your IdP, you need to provide:
- Issuer: URL to the issuer (e.g., https://login.microsoftonline.com/{tenant-id}/v2.0)
- Client ID: Your client ID from IdP
- Client Secret: Your client secret from IdP
Configuration on your side (in your IdP)
In your Identity Provider, you must whitelist the following callback URL:
https://login.intric.ai/ui/login/login/externalidp/callback
This allows Intric to receive login confirmations from your IdP.
User Groups
User groups are collections of users in your company’s user system. In Intric, you can use these groups to easily manage access to Spaces for multiple users at once, instead of inviting each user individually.
How it works
When a user logs in to Intric, information about which groups they belong to is automatically fetched from your existing system. A user who is a member of a user group that has been given access to a Space automatically gets access to the published assistants in that Space on login.
Configuration and functionality
How does the configuration work?
For user groups to work in Intric, your system needs to send group information when users log in. This is done through something called a “groups claim” in the login token.
Technical detail: The token must contain a key called “groups” with a list of group names:
"groups": ["group 1", "group 2", "group 3"]
Important requirements for group configuration
✅ Correct format:
- The key must be exactly groups
- The value should be a flat list of text strings
- Example: ["Group 1", "Group 2", "Group 3"]
❌ Incorrect format:
- Avoid nested structures
- Example of error: ["group1": ["group1.1", "group1.2"], "group2": ["group2.1"]]
- Note: Nested groups in themselves are fine in your system, as long as the list sent to Intric is flat
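Added example (not part of the Intric documentation): a small Python check that decodes the payload of an ID token and validates the groups claim against the format described above. It also covers the troubleshooting step “check that the token contains the correct groups claim” later on this page. The token and claims are constructed here; decode_payload only base64-decodes the payload and does not verify the signature, because it is an inspection aid, not an authentication step. The overage check is based on Entra ID's documented behaviour of replacing the groups claim with _claim_names/_claim_sources when a user is in too many groups; treat it as an assumption for other IdPs.

```python
from __future__ import annotations

import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the examples below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def validate_groups_claim(claims: dict) -> list[str]:
    """Return a list of problems; an empty list means the claim is a flat list of strings."""
    problems: list[str] = []
    if "groups" not in claims:
        # Entra ID omits "groups" and emits _claim_names/_claim_sources instead when the
        # user belongs to more groups than fit in the token ("groups overage").
        names = claims.get("_claim_names", {})
        if isinstance(names, dict) and "groups" in names:
            problems.append("groups claim omitted due to overage; reduce the groups sent")
        else:
            wrong_case = [k for k in claims if k.lower() == "groups"]
            hint = f" (found {wrong_case[0]!r}; key must be exactly 'groups')" if wrong_case else ""
            problems.append("missing 'groups' claim" + hint)
        return problems

    groups = claims["groups"]
    if not isinstance(groups, list):
        problems.append(f"'groups' must be a list, got {type(groups).__name__}")
        return problems

    for i, item in enumerate(groups):
        if isinstance(item, (list, dict)):
            problems.append(f"groups[{i}] is nested ({type(item).__name__}); list must be flat")
        elif not isinstance(item, str):
            problems.append(f"groups[{i}] is not a string ({item!r})")
        elif not item.strip():
            problems.append(f"groups[{i}] is empty")

    # Identifiers are used as unique keys, so duplicates point at a misconfigured claim.
    strings = [g for g in groups if isinstance(g, str)]
    if len(set(strings)) != len(strings):
        problems.append("duplicate group identifiers in 'groups'")
    return problems


def check_token(token: str) -> list[str]:
    """Decode a token and validate its groups claim in one step."""
    return validate_groups_claim(decode_payload(token))


if __name__ == "__main__":
    good = make_sample_token({"sub": "lina", "groups": ["Group 1", "Group 2", "Group 3"]})
    bad = make_sample_token({"sub": "lina", "groups": {"group1": ["group1.1"], "group2": ["group2.1"]}})
    print(check_token(good))  # []
    print(check_token(bad))   # ["'groups' must be a list, got dict"]
```

Paste the id_token from a test login into check_token to see exactly which requirement the claim fails; the nested-structure case from the “incorrect format” list above is reported as a dict or list inside the claim.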
How groups are created and updated
- Automatic handling: Groups are automatically created in Intric the first time a user logs in who belongs to them
- Update: Group membership is updated every time a user logs in
- Note: We do NOT use Microsoft’s Graph API for this functionality; everything is based on the information in the token
Important limitations to be aware of
1. Group identifiers cannot be changed
The text strings sent from your system are used as unique identifiers in Intric.
- If you change from group names to object ID (or vice versa), Intric sees this as completely new groups
- Example: If you switch from “IT-support” to “12345-abcde”, a new group is created, and the connections to the old group disappear
2. Removal of groups (Scenario example)
Here’s a common scenario that can cause confusion:
- Görgen configures the IdP to send all 10 groups on the token, but actually only wants 3 of them
- Lina logs in to Intric and belongs to all 10 groups in the IdP
- Görgen sees that all 10 groups have been created in Intric
- Görgen removes the 7 groups he doesn’t want in Intric
- Görgen changes the configuration in the IdP so that only the 3 desired groups are sent on the token
- Lina (who is still logged in) does something in Intric that triggers group synchronization
- Intric sees that there are groups that Lina belongs to (from her session) that no longer exist in the system → Intric creates them again
- Görgen sees that the groups appear again: “But I removed them!”
Solution: Lina must log out and in again for her session and group membership to correctly reflect the new configuration.
Important considerations (Entra ID)
If you use Microsoft Entra ID (Azure AD), consider the following:
- Security groups: Do NOT choose “Security groups” as source if you don’t want all security groups in your entire Entra ID to appear in Intric
- Group names vs Object ID: By default, Object ID for groups is sent. If you want real group names to be displayed in Intric, you need to configure the application manifest in Entra ID
Tip: Contact Intric support for specific guidance on this configuration.
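Added example (not from the Intric documentation, and not a substitute for the guidance Intric support gives): a Python check over two constructed Entra ID application-manifest fragments, one that sends every security group in the tenant and one restricted to groups assigned to the application and emitted by display name. The key names groupMembershipClaims, optionalClaims and the cloud_displayname property are taken from Microsoft's manifest documentation as I understand it and are assumptions of this example; cloud_displayname applies to cloud-only groups, not to groups synchronized from on-premises AD.

```python
from __future__ import annotations

# Constructed manifest fragments (assumption: keys follow the Entra ID app manifest schema).
WEAK_MANIFEST = {
    # "SecurityGroup" emits every security group in the entire tenant for each user.
    "groupMembershipClaims": "SecurityGroup",
    "optionalClaims": None,
}

HARDENED_MANIFEST = {
    # "ApplicationGroup" emits only groups assigned to this application, ...
    "groupMembershipClaims": "ApplicationGroup",
    "optionalClaims": {
        "idToken": [
            {
                "name": "groups",
                "source": None,
                "essential": False,
                # ... and cloud_displayname emits display names instead of object IDs.
                "additionalProperties": ["cloud_displayname"],
            }
        ]
    },
}


def _groups_claim_config(manifest: dict, token_type: str = "idToken") -> dict | None:
    """Find the optional 'groups' claim entry for the given token type, if any."""
    optional = manifest.get("optionalClaims") or {}
    for claim in optional.get(token_type) or []:
        if claim.get("name") == "groups":
            return claim
    return None


def check_manifest(manifest: dict) -> list[str]:
    """Return findings about the groups-claim configuration; empty means nothing to flag."""
    findings: list[str] = []
    raw = manifest.get("groupMembershipClaims")
    sources = {s.strip() for s in str(raw).split(",")} if raw else set()

    if not sources or sources == {"None"}:
        findings.append("no groups claim emitted; set groupMembershipClaims to ApplicationGroup")
    elif sources & {"SecurityGroup", "All"}:
        findings.append(
            f"groupMembershipClaims={raw}: all tenant groups will be sent; "
            "use ApplicationGroup and assign only the needed groups to the app"
        )

    cfg = _groups_claim_config(manifest)
    props = (cfg or {}).get("additionalProperties") or []
    if "cloud_displayname" not in props:
        findings.append(
            "groups will be emitted as object IDs; add cloud_displayname to the groups "
            "optional claim if real group names should appear in Intric"
        )
    return findings


if __name__ == "__main__":
    for name, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(name, check_manifest(manifest))
```

Running it on the weak fragment reports both problems from the list above (all security groups sent, names shown as object IDs); the hardened fragment reports nothing. Keep in mind the identifier warning from the limitations section: switching from object IDs to display names after rollout creates new groups in Intric.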
Recommendations and best practices
Planning before implementation
- Decide which groups are needed in Intric before you start
- Configure your system to only send these groups from the start
- Test with a test user before full-scale rollout
Avoid common pitfalls
- ⚠️ Don’t send more groups than necessary
- ⚠️ Don’t change group identifiers after implementation
- ⚠️ Test all changes in development environment first
If problems occur
- Check that the token contains the correct "groups" claim
- Verify that group names/IDs are stable
- Ask users to log out and in again after configuration changes
Step-by-step guide for setup
Prepare your IdP
- Decide which groups should be synced
- Configure groups claim to send these groups
- Verify that the format is correct (flat list)
Gather information
- Issuer URL
- Client ID
- Client Secret
- Whitelist callback URL
Send to Intric
- Contact Intric support with the information
- Intric configures SSO on their side
Test
- Log in with a test user
- Verify that groups sync correctly
- Test access to Spaces
Roll out
- Inform users that they should now use SSO
- Monitor logins the first days
- Adjust as needed
Support
If you encounter problems or have questions about SSO configuration, contact Intric support. We help you with:
- Troubleshooting SSO connection
- Configuration of groups claim
- Entra ID-specific settings
- Best practice for your organization
Contact information is available in support.