Configure Single Sign-On (SSO) to Neara

Updated over a week ago

Connecting to Neara with Single Sign-On (SSO) allows users to log in and access Neara project resources using their organization's preferred identity provider.

This gives IT teams oversight of access management, and for users it means no new passwords to remember and simpler access to projects.

To enable SSO support on your Neara organization account, contact your Customer Success Manager.

Supported providers

Neara currently supports providers that use OAuth2 including:

  • Microsoft Entra ID / Microsoft Azure Active Directory

  • Google Workspace

  • Okta


SSO redirect URIs

OAuth requires that an organization's SSO configuration whitelists the redirect URIs that are used during the login flow.

Neara SSO redirects vary by region and include a number of URIs. All must be included in your internal Neara SSO configuration in Microsoft Azure, Google Workspace, Okta, etc.

Your Customer Success Manager will provide your organization's code. In the following URIs, replace <org_code> with that value.

If your organization accesses Neara using a domain that is not listed below, for example https://app.acme-engineering.neara.com, contact your Customer Success Manager. They will provide you with a set of domain-specific Redirect URIs.

North America

These are suitable for organizations that access Neara using the https://app.us.neara.com domain.

https://app.us.neara.com/sso

https://latest.us.neara.com/sso

https://fabric.us.neara.com/sso

https://idp.us.neara.com/realms/neara/broker/<org_code>/endpoint

Australia & New Zealand

These are suitable for organizations that access Neara using the https://app.neara.com domain.

https://app.neara.com/sso

https://latest.neara.com/sso

https://edge.neara.com/sso

https://dev-mousey-1.neara.com/sso

https://idp.neara.com/realms/neara/broker/<org_code>/endpoint

https://idp.au.neara.com/realms/neara/broker/<org_code>/endpoint

https://sit.neara.com/sso

Europe

These are suitable for organizations that access Neara using the https://app.eu.neara.com domain.

https://app.eu.neara.com/sso

https://latest.eu.neara.com/sso

https://fabric.eu.neara.com/sso

https://idp.eu.neara.com/realms/neara/broker/<org_code>/endpoint


Client ID and Secret

Your Customer Success Manager will require the following information from your IT administrator to complete your SSO setup:

  • CLIENT_ID

  • CLIENT_SECRET

Instructions for obtaining these for specific providers are included below.


Provider setup instructions

Microsoft Entra ID / Azure Active Directory

Alternatively, access the Azure portal with administrative credentials and search for Microsoft Entra ID (or Azure Active Directory) in the search bar, and then register a new Enterprise App.


In the Redirect URI section:

  • Select Web as the platform

  • Add one (1) of the redirect URIs from the list above. At this stage, it does not matter which URI you choose, because they will all be added in a later step.

Once registered, select the newly-created App from App Registrations, and select Authentication.

Under Platform Configurations, add all the redirect URIs for your region, from above. Under Implicit grant and hybrid flows, ensure that the ID tokens checkbox is checked.

Go to Token Configuration and add the following optional claims for ID tokens, accepting the requested permissions:

  • given_name

  • family_name

  • email

Go to API permissions and add the openid permission under Microsoft Graph.

Under Certificates & secrets create a new secret and securely note its value. Client secret values cannot be viewed, except for immediately after creation.

We need the secret's value, not the secret ID.

Provide your tenantId, clientId, clientSecret and clientSecretExpiryDate to your Customer Success Manager.

The clientSecret is a sensitive value. It should not be shared in plain-text email or sent in other insecure formats.

Google Workspace

Go to the Google Cloud Platform Console. From the projects list, select a project or create a new one.

Navigate to APIs & services in the left-hand menu, or search for it, and then select Credentials. At the top of the page, click Create Credentials and select OAuth client ID.

Set the application type to Web Application and give it a name, e.g. Neara SSO.


Under the heading Authorized Redirect URIs add all the redirect URIs provided above for the relevant region.

Click Create. A popup will display the clientId and clientSecret. Record those securely so that you can provide them to your Customer Success Manager.

The clientSecret is a sensitive value. It should not be shared in plain-text email or sent in other insecure formats.

Finally, in the left-hand menu, select OAuth consent screen and ensure that the User type is set to Internal.

Okta

Create a new Application in Okta (Applications → Create App Integration).

Select the sign-in method as OIDC - OpenID Connect and set the application type to: Web Application.

Give the application a name (e.g. Neara-SSO), and allow the application to issue refresh tokens.

Add all the redirect URIs for your region, from above.

Under Assignments, select which group should be able to SSO into Neara, or allow everyone in your organisation access.

Provide your oktaDomain, clientId, clientSecret and clientSecretExpiryTime to your Customer Success Manager.

The clientSecret is a sensitive value. It should not be shared in plain-text email or sent in other insecure formats.


Triggering the SSO authentication flow

Once the above setup has been completed in your organization, and Neara has added your configuration to your account, either:

  • Attempt to log in directly at https://app.neara.com/powerapp, which will redirect you to https://app.neara.com/powerapp?<org_code>

  • Navigate directly to https://app.neara.com/powerapp?<org_code>

Your Customer Success Manager will provide your organization's code. In the above URLs, replace <org_code> with that value.


Using the Neara API with SSO

The standard Neara API authentication method only works for users that do not authenticate with SSO.


Users that authenticate with SSO must provide their API token directly. This can be obtained in the Neara app in Home screen > Settings > API.


Troubleshooting

Browser popups on Neara domains must be allowed

When a user goes to e.g. https://app.us.neara.com/powerapp?<org_code>, nothing happens.

The SSO process in Neara requires popups in the web browser.

This information should be communicated to Neara users in your organisation to avoid confusion and inability to access projects.

To enable popups in Google Chrome:

  • In the URL bar go to chrome://settings/content/popups

  • Under the Allowed to send pop-ups and use redirects heading add [*.]neara.com

  • Alternatively, you can add just the individual URLs, e.g. https://app.us.neara.com. The [*.]neara.com pattern allows popups on all Neara subdomains.

To enable popups in the Microsoft Edge browser, go to: edge://settings/privacy/sitePermissions/allPermissions/popups and follow the same instructions.

To enable popups in the Brave browser, go to: brave://settings/content/popups and follow the same instructions.

Content blockers

Adblockers and other browser content blockers may interfere with the SSO flow and other Neara user features. See: Limitations when using content blockers

The SSO flow starts, but authentication doesn't complete

The most likely causes are:

  • The Redirect URIs are not correctly configured in your organization's setup for Neara SSO. Check the URIs listed in your configuration match those listed above and are for the correct region.

  • Configuration on the Neara side is incorrect. Contact your Customer Success Manager for assistance.
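The redirect URI check described above can be scripted. The following is an added example, not Neara's own code: it assumes your provider compares redirect URIs as exact strings, and the region keys (`us`, `anz`, `eu`), the org code `acme` and the sample configuration are constructed for illustration.

```python
# Added example, not Neara's code: audit an IdP app's redirect URIs against this page.
def _uris(sso_hosts, idp_hosts):
    return ([f"https://{h}.neara.com/sso" for h in sso_hosts] +
            [f"https://{h}.neara.com/realms/neara/broker/<org_code>/endpoint"
             for h in idp_hosts])

# Redirect URIs per region, as listed on this page ("us"/"anz"/"eu" keys are assumed labels).
REGION_URIS = {
    "us": _uris(["app.us", "latest.us", "fabric.us"], ["idp.us"]),
    "anz": _uris(["app", "latest", "edge", "dev-mousey-1", "sit"], ["idp", "idp.au"]),
    "eu": _uris(["app.eu", "latest.eu", "fabric.eu"], ["idp.eu"]),
}

# Constructed sample of what an app registration might contain; "acme" is a made-up org code.
SAMPLE_CONFIGURED = [
    "https://app.us.neara.com/sso",
    "https://latest.us.neara.com/sso/",                                   # trailing slash
    "https://idp.us.neara.com/realms/neara/broker/<org_code>/endpoint",   # placeholder kept
    "https://app.eu.neara.com/sso",                                       # other region
]

def expected_uris(region, org_code):
    """The page's URIs for one region with <org_code> substituted."""
    return {u.replace("<org_code>", org_code) for u in REGION_URIS[region]}

def audit(region, org_code, configured):
    """Classify differences between configured and expected redirect URIs."""
    want = expected_uris(region, org_code)
    have = {u.strip() for u in configured if u.strip()}
    missing, extra = want - have, have - want
    others = set().union(*(expected_uris(r, org_code) for r in REGION_URIS if r != region))
    placeholder = {u for u in extra if "<org_code>" in u}
    loose = lambda u: u.lower().rstrip("/")   # only used to explain a mismatch
    near = {e: m for e in extra for m in missing if loose(e) == loose(m)}
    return {
        "missing": sorted(missing),
        "near_miss": near,
        "placeholder_left": sorted(placeholder),
        "wrong_region": sorted(extra & others),
        "unexpected": sorted(extra - others - placeholder - set(near)),
    }

if __name__ == "__main__":
    for kind, items in audit("us", "acme", SAMPLE_CONFIGURED).items():
        print(kind, items)
```

Feed `audit` the redirect URI list copied from your app registration. Entries reported as `unexpected` are not on this page's lists and are worth reviewing, since every registered redirect URI is a location the provider will send login responses to.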

The SSO flow starts, authentication completes successfully with your SSO provider, but fails to access the Neara project

There are a number of potential causes. Contact your Customer Success Manager who will do further analysis with you.