Prerequisites
Ensure you have all of the following before you start:
Administrator access to your Microsoft Entra tenant.
Administrator access to your NowGo account.
A configured NowGo subdomain.
SCIM already configured between Microsoft Entra and NowGo.
Target users or groups identified for end-to-end testing.
Guide outcomes
When you complete this guide, you have:
Connected NowGo to Microsoft Entra using an OIDC integration
Entered the NowGo callback URI in Entra.
Saved the Entra OIDC credentials and OAuth2 Base URL in NowGo.
Provisioned and assigned users
Assigned target users to the Entra OIDC application
Verified the integration
Aligned OIDC identity claims with corresponding SCIM user values.
Completed an end-to-end SSO test with an assigned user.
‼ Important: A user can successfully authenticate but still be denied access in NowGo if they do not have the right IAM grants. SCIM provisioning and IAM group grants control authorisation; OIDC SSO controls authentication.
NowGo callback URI
When configuring Microsoft Entra for OIDC SSO, provide a redirect URI supplied by NowGo. Microsoft Entra sends the authentication code to this URI after a user signs in. Find this value displayed on the SSO Subdomain Settings page.
The expected format is
https://<your-subdomain>.onpremonition.com/iam/sign-in/oauth2/continue
For example, if your chosen subdomain is customer, your redirect URI is
https://customer.onpremonition.com/iam/sign-in/oauth2/continue
‼ Important: Enter this exact callback URI in your Entra application's sign-in redirect URIs. Using the wrong URI results in sign-in errors.
Configuring Microsoft Entra
This section describes how to create the SSO app registration in Microsoft Entra.
In the Microsoft Entra admin center, navigate to Identity, Applications, and then App registrations.
Click New registration.
Type a descriptive name, such as NowGo SSO Integration, in the Name field.
Under the Supported account types heading, select the appropriate directory option for your organization.
Under the Redirect URI heading, select Web from the dropdown menu, and paste your NowGo callback URI.
Click Register.
In the app's left menu, navigate to Certificates & secrets, and then click New client secret.
Add a description, choose an expiry, and click Add.
Copy the Value of the client secret immediately, because it is hidden after you leave the page.
Copying credentials to NowGo
This section describes how to transfer your new Microsoft Entra app credentials into your NowGo settings.
From the Microsoft Entra app's Overview page, copy the Application (client) ID.
From the same page, copy your Directory (tenant) ID.
In NowGo, navigate to Settings, select Accounts & Security, and click SSO Credentials.
Type a descriptive name in the Label field (for example, Entra OIDC).
Paste the Microsoft Entra Application (client) ID in the Client ID field.
Paste the Microsoft Entra client secret value in the Client secret field.
Type your Microsoft Entra base URL in the OAuth2 Base URL field using this exact format (including the trailing slash): https://login.microsoftonline.com/<your-tenant-id>/oauth2/
‼ Important: NowGo uses the OAuth2 Base URL to construct requests to the OAuth2 server. The URL entered in NowGo must end with a trailing slash (/).
(Optional) Check the Require reauthentication checkbox to force a credential prompt on each sign-in attempt.
Click Save changes.
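As an added check covering both the NowGo callback URI section and the OAuth2 Base URL step above (example code written for this page, not part of NowGo or Microsoft Entra), the following Python builds the callback URI from the bare org subdomain and reports the problems an admin most often introduces in the OAuth2 Base URL, including the missing trailing slash. The domain, path and URL formats come from this guide; the GUID pattern for the tenant ID and the sample values in the comments are assumptions.

```python
import re
from urllib.parse import urlparse

NOWGO_DOMAIN = "onpremonition.com"
CALLBACK_PATH = "/iam/sign-in/oauth2/continue"
ENTRA_HOST = "login.microsoftonline.com"
# A bare org subdomain: letters, digits and inner hyphens only; no protocol, no full domain.
SUBDOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
# Directory (tenant) ID is a GUID (assumption about its shape, used only as a sanity check).
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def nowgo_callback_uri(subdomain: str) -> str:
    """Build the redirect URI that must be entered in the Entra app registration.
    A value that includes a protocol or full domain is rejected up front."""
    if not SUBDOMAIN_RE.match(subdomain):
        raise ValueError(f"enter only the org subdomain, got {subdomain!r}")
    return f"https://{subdomain}.{NOWGO_DOMAIN}{CALLBACK_PATH}"


def redirect_uri_matches(entra_redirect_uri: str, subdomain: str) -> bool:
    """Entra must hold the exact callback URI NowGo displays; any difference in
    scheme, host, path or a trailing slash results in sign-in errors."""
    return entra_redirect_uri == nowgo_callback_uri(subdomain)


def check_oauth2_base_url(base_url: str, tenant_id: str) -> list[str]:
    """Return the problems found with the OAuth2 Base URL saved in NowGo,
    or an empty list when it matches the required format exactly."""
    problems = []
    parts = urlparse(base_url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.netloc != ENTRA_HOST:
        problems.append(f"host must be {ENTRA_HOST}")
    if not base_url.endswith("/"):
        problems.append("must end with a trailing slash (/)")
    if not GUID_RE.match(tenant_id):
        problems.append("tenant id is not a GUID; copy Directory (tenant) ID from the app Overview page")
    expected = f"https://{ENTRA_HOST}/{tenant_id}/oauth2/"
    if base_url != expected:
        # Catches subtler slips such as a doubled slash or a missing path segment.
        problems.append(f"expected exactly {expected}")
    return problems
```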
User assignment and validation
This section describes how to assign users to your Microsoft Entra OIDC application and verify that Microsoft Entra sends the correct identity values to NowGo.
Assigning users in Microsoft Entra
In the Microsoft Entra admin center, navigate to Enterprise applications and select the NowGo app you created.
Navigate to Users and groups, and then click Add user/group.
Select and assign the users or groups who need to use this Microsoft Entra OIDC application.
Cross-check that those same users or groups are also included in the Microsoft Entra SCIM provisioning scope for NowGo. Depending on your Microsoft Entra setup, this may mean assignment to a NowGo SCIM enterprise application, membership in a SCIM-synced group, or another provisioning rule.
Verify those same users exist in NowGo through SCIM. Check the Resources -> Drivers page for a driver row matching this user.
Verify those users are members of NowGo IAM groups that grant the required access. Check the Settings -> Accounts and Security -> IAM Groups page.
Verifying OIDC claims in Microsoft Entra
Microsoft Entra does not have a built-in token preview tool. To verify that the correct claims are configured:
In the Microsoft Entra admin center, navigate to Identity, Applications, and then App registrations.
Select your NowGo application.
Under the Manage menu, select Token configuration.
Review the configured claims to ensure email and preferred_username are included.
If they are missing, click Add optional claim.
Select ID for the token type.
Select the email and preferred_username claims, and click Add.
During testing, confirm the email claim contains the same email address as the user's SCIM primary email.
Confirm the preferred_username claim matches their SCIM userName where possible.
‼ Important: A mismatch between the OIDC preferred_username claim and the SCIM userName value causes downstream issues when you update user details using SCIM.
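To carry out the claim comparison described in this section during a test, here is an added Python example (not NowGo or Microsoft Entra code) that reads the claims from a captured ID token and compares email and preferred_username against a SCIM user record. The SCIM user and the token are constructed samples, the decode step inspects the payload only and does not verify the signature, and the case-insensitive comparison is an assumption.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only.
    This does NOT verify the signature: use it to read the claims Entra sent
    during a test, never to decide whether a token is trustworthy."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def compare_claims(claims: dict, scim_user: dict) -> list[str]:
    """Report mismatches between the ID token claims and the SCIM user record
    NowGo holds: email vs primary email, preferred_username vs userName.
    Comparison is case-insensitive (an assumption; tighten it if your IdP is strict)."""
    issues = []
    primary = next((e.get("value") for e in scim_user.get("emails", []) if e.get("primary")), None)
    email = claims.get("email")
    if email is None:
        issues.append("email claim missing: add it as an optional ID token claim")
    elif primary is None or email.lower() != primary.lower():
        issues.append(f"email claim {email!r} != SCIM primary email {primary!r}")
    upn = claims.get("preferred_username")
    if upn is None:
        issues.append("preferred_username claim missing")
    elif upn.lower() != scim_user.get("userName", "").lower():
        issues.append(f"preferred_username {upn!r} != SCIM userName {scim_user.get('userName')!r}")
    return issues


def make_sample_id_token(claims: dict) -> str:
    """Assemble a constructed, unsigned sample token so the check runs offline.
    A real ID token is captured from the browser or app during the SSO test."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-omitted"


# Constructed SCIM user record for illustration; not a real user.
SAMPLE_SCIM_USER = {
    "userName": "alex.example@contoso.example",
    "emails": [{"value": "alex.example@contoso.example", "primary": True}],
}
```

Run `compare_claims(id_token_claims(token), scim_user)` with the captured token and the SCIM record for the same test user; an empty list means the identities align.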
Verifying the integration
This section describes how to test your completed SSO workflow.
Choose a target user assigned to the Microsoft Entra OIDC application.
Confirm that user is included in the Microsoft Entra SCIM provisioning scope for NowGo.
Confirm that user exists in NowGo through SCIM.
Confirm that user belongs to IAM groups that grant the required access.
Log out of NowGo.
On the sign-in page, click Sign On with SSO.
Type your NowGo org subdomain.
Complete the sign-in flow in Microsoft Entra.
Confirm you return to NowGo and access the expected dashboard or app area.
Expected negative outcomes
These outcomes are expected and indicate authorisation configuration issues rather than OIDC protocol failures. Successful SSO can still lead to limited or no useful product access when IAM grants are missing or incomplete.
User authenticates but cannot sign in to the NowGo mobile app: The user is created but lacks driver permissions. If the user was added using SCIM, check that they are a member of an IAM group with the Users in group can access app setting enabled.
User authenticates and signs in to NowGo Dashboard, but sees only an Account Settings page: The user is created but lacks dashboard permissions. If the user was added using SCIM, check that they are a member of an IAM group with the Users in group can access dashboard setting enabled.
This behaviour matches the IAM factsheet: successful SSO can still lead to limited or no useful product access when IAM grants are missing or incomplete.
IAM state caveats
Authorisation outcomes are determined by two separate control types. Because these controls are independent, users can authenticate successfully but still see different access outcomes depending on the combination.
Account-level enablement (manual account status):
Dashboard users: Account is active in Settings -> User accounts.
Driver users: Account enabled in Resourcing -> Drivers.
IAM-group authorisation (SCIM/IAM policy):
Dashboard access: Users in group can access dashboard.
Driver app access: Users in group can access app.
Account toggle | IAM group access toggle | What admins see | Likely user experience | What to check next |
ON | ON | User account is active and IAM group grants access. | Sign in works as expected. | If access fails, check the Troubleshooting reference tables. |
ON | OFF | User account is enabled but access is not managed by IAM groups. | Sign in works as expected. | Modifying IAM groups does not impact these users. Check SCIM groups if needed. |
OFF | ON | IAM groups grant access, but individual users show as disabled. | Sign in works as expected. | This is the expected configuration state for users provisioned using SCIM. |
OFF | OFF | User account is inactive and IAM group does not grant access. | User is treated as deactivated. | Re-enable the account or restore required IAM group grants to restore access. |
Troubleshooting
Use these user-visible phases to diagnose SSO issues:
After clicking sign in, but before reaching Microsoft Entra.
After signing in with Microsoft Entra.
Post-redirect outcome.
Mobile app troubleshooting
Phase | What the user sees | Most likely cause | What admin should check |
1 | Invalid Subdomain alert | Unknown subdomain, or org lacks an IAM identity provider. | Confirm the subdomain is correct and SSO credentials exist in NowGo. |
1 | App does not proceed to IdP | Invalid redirect setup generated at sign-in start. | Confirm callback values are configured consistently for the tenant. |
2 | Invalid Login Details alert | App did not receive an authorisation code on redirect. | Verify Entra app assignment and check the redirect URI format. |
2 | Single Sign-on failed alert | Failed code exchange or expired authorisation code. | Retry logging in; verify no proxy layer is modifying query parameters. |
2 | Generic auth failure alert | OAuth2 credential mismatch between NowGo and Entra. | Re-check NowGo SSO values and verify the OAuth2 Base URL ends with a slash. |
3 | Sign in fails with account message | Driver account is not eligible for app access. | Check driver status in NowGo (enabled, not expired). |
3 | Signed in but limited access | Authentication succeeded; authorisation is missing. | Confirm IAM group grants for driver access. |
3 | Redirects to unexpected flow | Callback destination mismatch. | Reconcile all redirect values across subdomain and Entra settings. |
Web app troubleshooting
Phase | What the user sees | Most likely cause | What admin should check |
1 | Invalid subdomain alert | Subdomain contains invalid characters. | Re-enter only the org subdomain value (no protocol or full domain). |
1 | Does not reach IdP sign-in | Unknown subdomain, or org lacks SSO configuration. | Confirm the subdomain exists and SSO credentials are saved in NowGo. |
2 | Returns to sign-in page | Dashboard callback did not include authorisation code. | Verify Entra sign-in redirect URI points to the correct tenant subdomain. |
2 | Connection trouble alert | Network failure during sign-in completion. | Check browser connectivity and confirm NowGo API is reachable. |
2 | Authentication failed alert | OIDC authorisation code flow failed. | Retry logging in; re-check Client ID, Client secret, and OAuth2 Base URL. |
2 | Account deactivated alert | User lacks an active IAM user in NowGo. | Confirm the user exists in NowGo, then re-provision access grants. |
3 | Signed in but limited access | Authentication succeeded; authorisation is missing. | Confirm IAM group grants for dashboard access. |
3 | Redirects to unexpected flow | Callback destination mismatch. | Reconcile NowGo subdomain settings and Entra callback values. |
Final checklist
Before going live, confirm the guide has helped you reach and verify this end state:
Microsoft Entra app is configured as an OIDC Web application with Authorization Code flow.
Redirect URI is entered exactly and matches the NowGo callback format.
NowGo SSO credentials are saved with a valid Microsoft Entra OAuth2 Base URL.
Microsoft Entra OAuth2 Base URL ends with a trailing slash (/).
Target users or groups are assigned to the Microsoft Entra OIDC application.
Those same users are included in the Microsoft Entra SCIM provisioning scope for NowGo.
OIDC email claim contains the user's email address.
OIDC preferred_username claim is mapped to the same value as SCIM userName where possible.
SCIM sync is active and target users exist in NowGo.
IAM group grants are set for all required user personas.
At least one end-to-end test succeeds with a real assigned user.
