Overview
Ekso supports two authentication methods: forms-based login (email and password) and Microsoft Entra ID (single sign-on). You can enable one or both at the same time. Administrators can always sign in with email and password, even if forms authentication is disabled — this prevents system lock-out. Authentication settings are configured under Settings > Authentication.Forms authentication
Forms authentication lets users sign in with an email address and password. When active, Ekso enforces password policies and optionally requires two-factor authentication.Password policies
Password policies control the complexity and lifecycle of user passwords.
Ekso also prevents password reuse — users cannot set a new password that matches their previous password.
Two-factor authentication
When enabled, Ekso sends a verification code to the user’s email address after they enter their password. The user must enter this code to complete sign-in.Two-factor codes are sent by email, not SMS or authenticator app. Make sure your mail configuration is working before enabling 2FA.
Microsoft Entra ID
Microsoft Entra ID (formerly Azure Active Directory) enables single sign-on for organizations on Microsoft 365. Users sign in with their Microsoft account instead of a separate Ekso password. To connect Entra ID, you need:Setting up Entra ID
1
Register an application
In the Microsoft Entra admin center, go to App registrations → + New registration (or select an existing app). Note the Application (client) ID and Directory (tenant) ID from the app’s overview page.
2
Add an SPA redirect URI
Open the app’s Authentication blade → + Add a platform → Single-page application, then add the following redirect URI:Replace
ekso.acme.com with your Ekso install’s hostname — the PublicUrl you set during the /startup wizard (for example, https://ekso.acme.com/auth/entra/callback). Entra requires an exact match — scheme, host, and path must all line up — so add a separate entry for each install URL you sign in from (production, staging, dev, and so on).The Single-page application platform type configures Entra for the OAuth 2.0 authorization code flow with PKCE, which is what Ekso’s frontend uses. Do not register the same URL under the Web platform — that flow expects a server-side client secret and will fail for a browser app.
3
Add API permissions
Click API permissions → + Add a permission → Microsoft Graph → Delegated permissions. Add the following permissions:
These are Delegated permissions — they act on behalf of a signed-in user during the SSO login flow. They do not require admin consent. If you also use Ekso’s mailbox connection, the same app registration will need additional Application permissions for mail access.
4
Configure in Ekso
Go to Settings > Authentication > Microsoft Entra and enter the tenant ID and client ID.
5
Enable the integration
Toggle Active on. Users can now sign in with their Microsoft account.
How authentication methods work together
You can run both authentication methods at the same time. When a user signs in:- If only forms is active, users sign in with email and password
- If only Entra is active, users are redirected to Microsoft for sign-in (administrators can still use email and password)
- If both are active, users can choose either method