This guide provides step-by-step instructions for setting up Single Sign-On (SSO) authentication for healthcare organisations using Google OAuth and Microsoft Azure AD.
Overview
CheckTick supports healthcare SSO through:
- Google OAuth: For clinicians with personal Google accounts
- Microsoft Azure AD: For hospital staff with organisational Microsoft 365 accounts
- Multi-provider support: Users can authenticate via either method
Prerequisites
Before starting, ensure you have:
- Administrator access to your Azure AD tenant (for Azure setup)
- Owner/Editor access to a Google Cloud Project (for Google setup)
- CheckTick deployment with HTTPS enabled (required for production)
- Access to your CheckTick environment variables
Environment Variables
Add these variables to your .env file:
# Azure AD Configuration
OIDC_RP_CLIENT_ID_AZURE=your-azure-client-id
OIDC_RP_CLIENT_SECRET_AZURE=your-azure-client-secret
OIDC_OP_TENANT_ID_AZURE=your-azure-tenant-id
# Google OAuth Configuration
OIDC_RP_CLIENT_ID_GOOGLE=your-google-client-id
OIDC_RP_CLIENT_SECRET_GOOGLE=your-google-client-secret
# OIDC Protocol Configuration (required)
OIDC_RP_SIGN_ALGO=RS256
OIDC_OP_JWKS_ENDPOINT_GOOGLE=https://www.googleapis.com/oauth2/v3/certs
OIDC_OP_JWKS_ENDPOINT_AZURE=https://login.microsoftonline.com/common/discovery/v2.0/keys
Azure AD Setup (Microsoft 365 Organisations)
Step 1: Register Application in Azure Portal
- Navigate to Azure Portal
- Go to Azure Active Directory > App registrations
- Click New registration
- Configure:
- Name:
CheckTick Healthcare Platform - Supported account types: Accounts in any organizational directory and personal Microsoft accounts
- This is the recommended audience for CheckTick. It allows clinicians to sign in with personal Microsoft accounts (e.g.
outlook.com,hotmail.com) today, and is also ready for future organizational SSO (e.g. NHS Login, hospital M365 tenants) without re-registering the app. - Other options:
- Accounts in this organizational directory only (single tenant): use only if all clinicians belong to one Entra ID tenant. The configured
OIDC_OP_TENANT_ID_AZUREwill be used in endpoint URLs. - Accounts in any organizational directory (multitenant org): work/school accounts only; personal Microsoft accounts will be rejected with
unauthorized_client. - Personal Microsoft accounts only: consumers only; no organizational SSO.
- This is the recommended audience for CheckTick. It allows clinicians to sign in with personal Microsoft accounts (e.g.
- Redirect URI:
- Type: Web (not SPA โ CheckTick is a confidential client that stores a client secret server-side)
- URL:
https://your-checktick-domain.com/oidc/callback/ - Development: Also add
http://localhost:8000/oidc/callback/
Important โ audience changes are not editable on an existing registration. Azure does not allow changing
signInAudiencevia the Manifest editor after creation (you will seeinvalid specified value for property signInAudienceorProperty api.requestedAccessTokenVersion is invalid). To switch audiences, create a new app registration with the desired account type selected at creation time. Azure automatically setsrequestedAccessTokenVersion: 1for the personal+org audience โ no manifest editing is required.Token version note: The personal+org audience requires access token version 1. This only affects the format of access tokens sent to Graph; the OIDC ID tokens that
mozilla-django-oidcvalidates are still v2.0 RS256 and are validated against the v2.0 discovery/keys endpoints. No code changes are required.
Step 2: Configure Application Settings
- Authentication tab:
- Under Redirect URIs, ensure your callback URLs are listed (platform type Web)
- Front-channel logout URL:
https://your-checktick-domain.com/accounts/logout/ -
Implicit grant and hybrid flows: Leave unchecked (CheckTick uses authorization code flow)
-
Certificates & secrets tab:
- Click New client secret
- Description:
CheckTick OIDC Secret - Expires: Choose appropriate duration (24 months recommended)
-
Copy the secret value (this is your
OIDC_RP_CLIENT_SECRET_AZURE) -
API permissions tab:
- Ensure these delegated permissions are present:
openid(OpenID Connect sign-in)profile(View users' basic profile)email(View users' email address)User.Read(Read user profiles)
- Click Grant admin consent if you have admin rights
- These permissions work for both personal and organizational accounts
Step 3: Note Configuration Values
From the Overview tab, copy:
- Application (client) ID โ
OIDC_RP_CLIENT_ID_AZURE - Directory (tenant) ID โ
OIDC_OP_TENANT_ID_AZURE
Tenant ID usage: CheckTick uses
OIDC_OP_TENANT_ID_AZUREto build the Azure authorize/token/JWKS endpoint URLs. For the recommended personal+org audience, the tenant placeholder/common/is used at runtime (the configured tenant ID is still required for documentation and for future single-tenant deployments). IfOIDC_OP_TENANT_ID_AZUREis empty, CheckTick falls back to/common/.
Step 4: Configure External User Access (Optional)
For guest users (external clinicians):
- Go to Azure AD > External Identities > External collaboration settings
- Under Guest user access, ensure appropriate permissions
- Under Guest invite settings, configure as needed
Google Cloud Setup (Personal Google Accounts)
Step 1: Create Google Cloud Project
- Navigate to Google Cloud Console
- Create a new project or select existing:
- Project name:
CheckTick Healthcare SSO - Organisation: Your healthcare organisation (if applicable)
Step 2: Enable APIs
- Go to APIs & Services > Library
- Search and enable:
- Google+ API (or People API)
- OpenID Connect API
Step 3: Configure OAuth Consent Screen
- Go to APIs & Services > OAuth consent screen
- Choose External (unless using Google Workspace)
- Configure:
- App name:
CheckTick Healthcare Platform - User support email: Your healthcare IT support email
- App domain: Your CheckTick domain
- Authorized domains: Add your CheckTick domain
- Developer contact: Your IT contact email
- Scopes: Add
openid,email,profile - Test users: Add clinician emails for testing
Step 4: Create OAuth Credentials
- Go to APIs & Services > Credentials
- Click Create Credentials > OAuth 2.0 Client IDs
- Configure:
- Application type: Web application
- Name:
CheckTick Healthcare SSO - Authorized redirect URIs:
- Production:
https://your-checktick-domain.com/oidc/callback/ - Development:
http://localhost:8000/oidc/callback/
- Production:
Step 5: Note Configuration Values
Copy the generated:
- Client ID โ
OIDC_RP_CLIENT_ID_GOOGLE - Client Secret โ
OIDC_RP_CLIENT_SECRET_GOOGLE
Deployment Configuration
Update Environment Variables
- Add all OIDC variables to your production
.envfile - Restart your CheckTick application:
bash
docker compose restart web
Verify Configuration
- Navigate to your CheckTick login page
- You should see:
- "Sign in with Google" button
- "Sign in with Microsoft" button
- Traditional email/password login
Test Authentication
- Test Google SSO:
- Click "Sign in with Google"
- Authenticate with a Google account
-
Verify user creation and login
-
Test Azure SSO:
- Click "Sign in with Microsoft"
- Authenticate with a Microsoft 365 account
- Verify user creation and login
OIDC Encryption Integration
Automatic Survey Unlocking
CheckTick now supports automatic survey unlocking for OIDC users. This feature:
- Eliminates manual key entry for SSO users
- Seamlessly integrates with existing password/recovery phrase encryption
- Maintains security through OIDC identity-based key derivation
- Preserves backward compatibility with traditional encryption methods
How It Works
When creating an encrypted survey:
- Dual encryption is set up with password + recovery phrase (as usual)
- OIDC encryption is automatically added if the user has SSO authentication
- Same survey key is encrypted three ways:
- With user's password
- With recovery phrase
- With OIDC identity (automatic)
When unlocking a survey:
- OIDC users are automatically unlocked when they sign in
- Fallback options remain available (password/recovery phrase)
- Non-OIDC users use traditional unlock methods
User Experience
For OIDC Users:
- Create survey โ Automatic encryption setup
- Access survey โ Automatic unlock (no manual key entry), including surveys that collect patient data
- Green success message: "Survey automatically unlocked with your Google/Microsoft account"
- Optional: choose SSO + Recovery Phrase during encryption setup for a manual fallback
For Traditional Users:
- Standard password/recovery phrase workflow unchanged
- Can upgrade to OIDC authentication to gain automatic unlock
Security Model
Key Derivation:
OIDC Key = PBKDF2(
provider:subject, # "google:12345" or "azure:user@hospital.org"
user_salt, # Unique 32-byte salt per user
100000 iterations # Same strength as password encryption
)
Encryption Flow:
- Survey KEK encrypts all patient data
- KEK is encrypted with OIDC-derived key
- Encrypted KEK stored in
survey.encrypted_kek_oidc - User's salt stored in
UserOIDC.key_derivation_salt
Access Control:
- Only the exact OIDC identity can decrypt
- Provider + subject must match exactly
- Different providers/accounts cannot cross-decrypt
Implementation Details
Model Changes:
Survey.encrypted_kek_oidc: OIDC-encrypted survey keySurvey.has_oidc_encryption(): Check if OIDC unlock availableSurvey.unlock_with_oidc(user): Automatic unlock methodUserOIDC.key_derivation_salt: Unique salt per OIDC user
View Integration:
survey_create: Automatically adds OIDC encryption for SSO userssurvey_unlock: Attempts automatic unlock before manual methods- Audit logging for all unlock methods including OIDC
Template Updates:
- Automatic unlock notification for OIDC users
- Visual indicators for encryption methods available
- Fallback UI for manual unlock when needed
Migration and Compatibility
Existing Surveys:
- Continue to work with password/recovery phrase
- OIDC encryption can be added retroactively
- No disruption to existing workflows
Mixed Authentication:
- Users can have both OIDC and password authentication
- All unlock methods work independently
- Users can switch between authentication types
Backward Compatibility:
- Traditional encryption fully preserved
- API endpoints unchanged
- Existing integrations unaffected
Security Considerations
Production Requirements
- HTTPS Required: SSO only works with HTTPS in production
- Secure Cookies: Ensure
SECURE_SSL_REDIRECT=True - CSRF Protection: CheckTick automatically handles CSRF for SSO flows
Redirect URI Security
- Always use exact redirect URIs (avoid wildcards)
- Use different OAuth apps for development vs production
- Regularly rotate client secrets
User Account Linking
- Users are automatically linked via email address
- Same user can authenticate via multiple methods
- Encryption keys preserved across authentication methods
Troubleshooting
Common Issues
- "Redirect URI mismatch":
- Verify exact callback URLs in cloud consoles
-
Check for trailing slashes and HTTP vs HTTPS
-
"Invalid client":
- Verify client ID and secret in environment variables
-
Check for extra spaces or quotes
-
"unauthorized_client: The client does not exist or is not enabled for consumers":
- The app registration's supported account types do not include personal Microsoft accounts, but the user is signing in with a personal account (
outlook.com,hotmail.com, etc.). -
Fix: create a new app registration with Accounts in any organizational directory and personal Microsoft accounts (see Step 1). This audience cannot be enabled on an existing org-only registration via the Manifest editor.
-
"invalid specified value for property signInAudience" or "Property api.requestedAccessTokenVersion is invalid" when saving the manifest:
-
Azure does not allow changing
signInAudienceon an existing registration. Create a new registration with the desired audience selected at creation time instead. -
"Access denied":
- Verify API permissions in Azure AD
-
Check OAuth consent screen configuration in Google
-
"Email not found":
- Ensure
emailscope is requested - For Azure: verify
User.Readpermission
Log Analysis
Enable debug logging to troubleshoot:
# In .env
DEBUG=True
# Check logs
docker compose logs web --follow
Look for:
CustomOIDCAuthenticationBackend.authenticate calledGot userinfo:with user dataExtracted email from UPN:for Azure external users
Development Testing
For local development:
# Use HTTP callback URLs
OIDC_CALLBACK_URL=http://localhost:8000/oidc/callback/
# Test with ngrok for HTTPS
ngrok http 8000
# Update cloud console redirect URIs with ngrok HTTPS URL
Support
For additional help:
- Check CheckTick logs:
docker compose logs web - Review Azure AD sign-in logs in Azure Portal
- Check Google Cloud audit logs
- Contact your CheckTick administrator
Example Production Configuration
# Production .env example
DEBUG=False
ALLOWED_HOSTS=checktick.hospital.org
SECURE_SSL_REDIRECT=True
CSRF_TRUSTED_ORIGINS=https://checktick.hospital.org
# Azure AD for hospital staff
OIDC_RP_CLIENT_ID_AZURE=a1b2c3d4-e5f6-7890-abcd-ef1234567890
OIDC_RP_CLIENT_SECRET_AZURE=your-secret-from-azure
OIDC_OP_TENANT_ID_AZURE=hospital-tenant-id
# Google OAuth for external clinicians
OIDC_RP_CLIENT_ID_GOOGLE=123456789-abcdef.apps.googleusercontent.com
OIDC_RP_CLIENT_SECRET_GOOGLE=your-secret-from-google
# Protocol configuration (unchanged)
OIDC_RP_SIGN_ALGO=RS256
OIDC_OP_JWKS_ENDPOINT_GOOGLE=https://www.googleapis.com/oauth2/v3/certs
OIDC_OP_JWKS_ENDPOINT_AZURE=https://login.microsoftonline.com/common/discovery/v2.0/keys