Skip to main content

Overview

Ekso supports two authentication methods: forms-based login (email and password) and Microsoft Entra ID (single sign-on). You can enable one or both at the same time. Administrators can always sign in with email and password, even if forms authentication is disabled — this prevents system lock-out. Authentication settings are configured under Settings > Authentication.

Forms authentication

Forms authentication lets users sign in with an email address and password. When active, Ekso enforces password policies and optionally requires two-factor authentication.

Password policies

Password policies control the complexity and lifecycle of user passwords. Ekso also prevents password reuse — users cannot set a new password that matches their previous password.

Two-factor authentication

When enabled, Ekso sends a verification code to the user’s email address after they enter their password. The user must enter this code to complete sign-in.
Two-factor codes are sent by email, not SMS or authenticator app. Make sure your mail configuration is working before enabling 2FA.

Microsoft Entra ID

Microsoft Entra ID (formerly Azure Active Directory) enables single sign-on for organizations on Microsoft 365. Users sign in with their Microsoft account instead of a separate Ekso password. To connect Entra ID, you need:
Use Entra ID if your organization is on Microsoft 365. It removes the need for separate passwords and supports your organization’s conditional access policies.

Setting up Entra ID

1

Register an application

In the Microsoft Entra admin center, go to App registrations+ New registration (or select an existing app). Note the Application (client) ID and Directory (tenant) ID from the app’s overview page.
2

Add an SPA redirect URI

Open the app’s Authentication blade → + Add a platformSingle-page application, then add the following redirect URI:
Replace ekso.acme.com with your Ekso install’s hostname — the PublicUrl you set during the /startup wizard (for example, https://ekso.acme.com/auth/entra/callback). Entra requires an exact match — scheme, host, and path must all line up — so add a separate entry for each install URL you sign in from (production, staging, dev, and so on).
The Single-page application platform type configures Entra for the OAuth 2.0 authorization code flow with PKCE, which is what Ekso’s frontend uses. Do not register the same URL under the Web platform — that flow expects a server-side client secret and will fail for a browser app.
3

Add API permissions

Click API permissions+ Add a permissionMicrosoft GraphDelegated permissions. Add the following permissions:
These are Delegated permissions — they act on behalf of a signed-in user during the SSO login flow. They do not require admin consent. If you also use Ekso’s mailbox connection, the same app registration will need additional Application permissions for mail access.
4

Configure in Ekso

Go to Settings > Authentication > Microsoft Entra and enter the tenant ID and client ID.
5

Enable the integration

Toggle Active on. Users can now sign in with their Microsoft account.
If you disable forms authentication while Entra ID is not properly configured, non-administrator users will be unable to sign in. Administrators can always sign in with email and password as a safety mechanism.

How authentication methods work together

You can run both authentication methods at the same time. When a user signs in:
  • If only forms is active, users sign in with email and password
  • If only Entra is active, users are redirected to Microsoft for sign-in (administrators can still use email and password)
  • If both are active, users can choose either method