How To Setup SSO
This guide covers how to setup single-sign-on (SSO) for organisations that have SSO as part of their licence agreement.
Determine Ownership
As part of setting up SSO for your organisation, we need to confirm who will own and manage the Entra App Registration used for authentication. You can choose between two supported models (which both support the same SSO experience for end users):
Option 1 – You own the App Registration (Your Entra Tenant)
Your team creates and manages the App Registration in your Entra tenant
You retain full control over permissions, secrets, and lifecycle
Requires a bit more setup and ongoing management from your side
Option 2 – Great Wave AI owns the App Registration (Multi-Tenant)
Great Wave AI manages the App Registration in our tenant
Your team manages users and groups only
You approve an admin consent link to connect your tenant
Faster setup with lower ongoing overhead
Option 1 - You own the App Registration (Your Entra Tenant)
In this setup, your organisation creates and manages the App Registration in your own Entra (Azure AD) tenant. Great Wave AI consumes the details you provide to enable SSO into the platform.
Create Entra Groups
In your Entra tenant, create three security groups, using your organisation’s naming convention:
Platform Users
Platform Administrators
Agent Users (anyone who will only use an agent)
Add your users into the correct groups.
Share Group IDs
For each of the three groups you created, please provide the Group IDs to Great Wave AI.
These are needed so we can configure the roles correctly in the platform.
Create an App Registration
Sign in to your Entra tenant and create a new App Registration.
Use the following redirect URI:
<frontend>/ms-response
Under Token Configuration, enable Group Claims.
Under API Permissions, add:
GroupMember.Read.AllUser.Read
Share App Registration Details
From the App Registration, please provide Great Wave AI with:
Client ID
Client Secret
Tenant ID (or your primary domain name, e.g.
contoso.onmicrosoft.com)
Final Configuration & Testing
Great Wave AI will configure the platform with your App Registration details and group IDs. Once this is done, we’ll complete testing to ensure SSO is working correctly.
Option 2 – Great Wave AI owns the App Registration (Multi-Tenant)
In this setup, Great Wave AI manages the App Registration in our tenant. Your organisation manages your Entra groups and approves the connection to your tenant.
Create Entra Groups
In your Entra tenant, create three security groups, using your organisation’s naming convention:
Platform Users
Platform Administrators
Agent Users (anyone who will only use an Agent)
Add your users into the correct groups.
If your security allows, please also create accounts for your Great Wave AI enablement team and add them to your Platform Administrators group. This ensures that the enablement team can support you in the most effective way.
Share Group IDs
For each of the three groups you created, please provide the Group IDs to Great Wave AI.
These are needed so we can configure the roles correctly in the platform.
Share Tenant Details
Please also provide either:
your Tenant ID (preferred), or
your primary domain name (e.g.
contoso.onmicrosoft.com).
Great Wave AI will use this information to generate your admin consent link.
Approve App Registration
Great Wave AI will create the App Registration in our tenant and send you an admin consent link built for your tenant.
Your Global Administrator must approve this link.
Approval will create an Enterprise Application in your Entra tenant that connects your directory to the hosted platform.
Configure the Enterprise Application
Add the three groups you created earlier into the new Enterprise Application.
Final Configuration & Testing
Great Wave AI will configure the platform (e.g. [company].greatwave.ai) with your group IDs and complete final testing.
Last updated