Single Sign-On (SSO) with Ari Business Cloud
Ari Business Cloud supports Single Sign-On (SSO), allowing your company users to sign in with their existing corporate credentials instead of managing a separate password.
Supported Identity Providers
| Provider | Account type supported |
|---|---|
| Microsoft Azure AD / Entra ID | Work or school accounts (Microsoft 365, Entra ID). Personal Microsoft accounts are not supported. |
| Google | Google Workspace accounts. |
| Apple | Apple ID. |
Prerequisites
Before your users can use SSO:
- Users must already have an account in your Ari Business Cloud workspace (created by an admin, or via an invite email).
- The email address on their Ari Business Cloud account must exactly match the email address on their Microsoft, Google, or Apple account.
How SSO Works
First Login — Pairing
The first time a user signs in via SSO:
- User navigates to the Ari Business Cloud login page and enters the workspace name.
- User clicks Sign in with Microsoft (or Google / Apple).
- User authenticates with their corporate IdP.
- Ari Business Cloud matches the returned email address to an existing account in the workspace.
- If a match is found, the user is prompted to pair their SSO account. Once paired:
  - The existing password on the account is permanently removed.
  - All future logins for that account use SSO only.
- If no match is found, the user sees: "Your account cannot be found — contact your administrator."
Password removal is permanent. Once an account is paired to SSO, it cannot have both an active password and an SSO link at the same time. If the user resets their password via "Forgot Password", the SSO link is severed and they must re-pair.
Subsequent Logins
After pairing, the user clicks Sign in with Microsoft (or Google / Apple) and is signed in directly — no further prompts.
Multiple Workspaces
If a user's SSO account is linked to accounts in more than one Ari Business Cloud workspace, they are prompted to choose which workspace to enter after authenticating.
Microsoft Azure AD / Entra ID — IT Admin Notes
Ari Business Cloud uses a multi-tenant Microsoft application registered as "RealWear" (Application ID: f07562d5-9e44-44de-95ae-b8d60d2bdfe5). Your organization does not need to register an application in Azure AD — users will see "RealWear" on the Microsoft consent screen when signing in for the first time.
Conditional Access
If your organization enforces Azure AD Conditional Access policies (e.g. device compliance, MFA, location-based access), these will be evaluated when users sign in to Ari Business Cloud. To ensure users are not blocked:
- Find the application "RealWear" (App ID: f07562d5-9e44-44de-95ae-b8d60d2bdfe5) in your Azure AD tenant's Enterprise Applications list.
- Review any Conditional Access policies that apply to it and adjust as needed for your organization's requirements.
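An added example (not from Ari Business Cloud or Microsoft) of the review step above: given Conditional Access policies exported as JSON from Microsoft Graph, it lists the enabled and report-only policies whose application scope covers the "RealWear" App ID. The sample policies and the function name `policies_affecting` are constructed for illustration.

```python
import json

# Application ID of the multi-tenant "RealWear" app, as given on this page.
REALWEAR_APP_ID = "f07562d5-9e44-44de-95ae-b8d60d2bdfe5"

# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy
# objects (GET /identity/conditionalAccess/policies); not from a real tenant.
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "Require MFA for all cloud apps", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Compliant device for RealWear",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {"applications": {"includeApplications":
      ["f07562d5-9e44-44de-95ae-b8d60d2bdfe5"]}},
  "grantControls": {"builtInControls": ["compliantDevice"]}},
 {"displayName": "Block untrusted locations", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["All"],
      "excludeApplications": ["f07562d5-9e44-44de-95ae-b8d60d2bdfe5"]}},
  "grantControls": {"builtInControls": ["block"]}},
 {"displayName": "Office 365 MFA", "state": "enabled",
  "conditions": {"applications": {"includeApplications": ["Office365"]}},
  "grantControls": {"builtInControls": ["mfa"]}},
 {"displayName": "Old pilot", "state": "disabled",
  "conditions": {"applications": {"includeApplications": ["All"]}},
  "grantControls": {"builtInControls": ["block"]}}
]""")

def policies_affecting(policies, app_id=REALWEAR_APP_ID):
    """Return (name, state, grant controls) for policies whose application
    scope covers app_id. User, location and platform conditions are not
    evaluated, so a hit means "review this policy", not "this will block"."""
    app_id = app_id.lower()
    hits = []
    for p in policies:
        if p.get("state") == "disabled":
            continue  # disabled policies are never evaluated
        apps = (p.get("conditions") or {}).get("applications") or {}
        include = {a.lower() for a in apps.get("includeApplications") or []}
        exclude = {a.lower() for a in apps.get("excludeApplications") or []}
        if ("all" in include or app_id in include) and app_id not in exclude:
            controls = (p.get("grantControls") or {}).get("builtInControls") or []
            hits.append((p["displayName"], p["state"], list(controls)))
    return hits

if __name__ == "__main__":
    for name, state, controls in policies_affecting(SAMPLE_POLICIES):
        print(f"{state:36} {name}: {', '.join(controls)}")
```

Policies that target "All" cloud apps are reported as well as those naming the App ID, since both are evaluated at sign-in unless the app is explicitly excluded.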
Email Domain Verification
Microsoft must confirm that the user's email domain is verified in your Azure AD tenant (via the xms_edov claim). If this verification is absent, the login will be rejected with an error. This is controlled by Microsoft — contact Microsoft support if users encounter this issue.
Data Requested
Ari Business Cloud requests only the email scope from Microsoft. No access to mailbox, calendar, files, or other Microsoft services is requested or granted.
Google Workspace — IT Admin Notes
No Google Workspace configuration is required. If your organization has restricted third-party OAuth app access via the Google Workspace Admin Console (Security → API controls → App access control), ensure the Ari Business Cloud Google OAuth client (1043086860007-s2r6q8p656c6h8lnc6hg94tvk9c4pdpj.apps.googleusercontent.com) is on the allowlist.
Inviting New Users with SSO
When an admin invites a new user to the workspace by email:
- The user receives the invite email.
- On the invite acceptance page, the user can click Accept via Microsoft to link their SSO account at the same time.
- The Microsoft account email must exactly match the invite email address.
If the SSO email differs from the invited email, the user is shown both addresses and must confirm the change. The workspace admin is notified that the invite was accepted by a different email address.
Current Limitations
- No enforced SSO: Admins cannot currently force all workspace users to log in via SSO. Users choose individually whether to pair their account.
- No custom SAML or custom OIDC: Ari Business Cloud does not support bring-your-own-IdP integrations. Only Microsoft, Google, and Apple are supported.
- No tenant-level domain restriction: Any Microsoft organizational account whose email matches a workspace user can authenticate. There is no per-workspace "allow only @acme.com" restriction.
Troubleshooting
| Error | Likely cause | Resolution |
|---|---|---|
| Your account cannot be found — contact your administrator | SSO email does not match any account in the workspace | Admin: verify the user's email in the workspace exactly matches their Microsoft / Google / Apple email |
| Your email address could not be verified | Microsoft email domain not verified ( | Contact Microsoft support — this is an Azure AD tenant configuration issue |
| User cannot log in after resetting password | Password reset severed the SSO link | User must re-pair: log in via SSO again and complete the pairing step |
| Blocked by Conditional Access policy | Azure AD policy blocking the "RealWear" application | IT admin: locate "RealWear" ( |
| Invite accepted but wrong email linked | SSO email differs from invite email | User must confirm email change on the invite page; admin is notified automatically |
Data Received During SSO
When a user authenticates via SSO, Ari Business Cloud receives and stores:
- Email address
- Given name and family name (if provided by the IdP)
- External subject ID (opaque identifier from the IdP, used to match the account on future logins)
No other data from Microsoft, Google, or Apple is accessed or stored.
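The sign-in rules stated on this page (exact email match on first login, the xms_edov check for Microsoft, subject-ID matching on later logins, and a password reset severing the link), modelled as an added example. This is not Ari Business Cloud's code; the function names, outcome strings and the `sub` claim name are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Account:
    email: str
    has_password: bool = True
    sso_link: Optional[Tuple[str, str]] = None  # (provider, subject ID) once paired

def sso_login(accounts, provider, claims):
    """Model of one SSO sign-in to one workspace; returns (outcome, account)."""
    # Microsoft only: rejected unless the xms_edov claim confirms the email domain.
    if provider == "microsoft" and claims.get("xms_edov") is not True:
        return "email_not_verified", None
    key = (provider, claims["sub"])
    # Subsequent logins: match on the stored subject ID.
    for acct in accounts:
        if acct.sso_link == key:
            return "signed_in", acct
    # First login: exact email match. Assumption: only unpaired accounts are offered pairing.
    for acct in accounts:
        if acct.sso_link is None and acct.email == claims.get("email"):
            return "pairing_prompt", acct
    return "account_not_found", None

def confirm_pairing(acct, provider, claims):
    """Pairing stores the subject ID and removes the password."""
    acct.sso_link = (provider, claims["sub"])
    acct.has_password = False

def forgot_password_reset(acct):
    """A "Forgot Password" reset restores a password and severs the SSO link."""
    acct.sso_link = None
    acct.has_password = True

def lifecycle_demo():
    """Walk one constructed user through pair, login, reset and an unverified token."""
    accounts = [Account("kim@example.com")]
    claims = {"sub": "constructed-subject-1", "email": "kim@example.com", "xms_edov": True}
    out = [sso_login(accounts, "microsoft", claims)[0]]          # pairing_prompt
    confirm_pairing(accounts[0], "microsoft", claims)
    out.append(sso_login(accounts, "microsoft", claims)[0])      # signed_in
    forgot_password_reset(accounts[0])
    out.append(sso_login(accounts, "microsoft", claims)[0])      # pairing_prompt
    unverified = dict(claims, xms_edov=False)
    out.append(sso_login(accounts, "microsoft", unverified)[0])  # email_not_verified
    return out

if __name__ == "__main__":
    print(lifecycle_demo())
```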