Entra SSO for Novulo Applications

Original author: Joost Reede PI49744

The Single sign-on plugin is now capable of handling authentication responses sent by Microsoft Entra ID (formerly Azure Active Directory). This makes MS Entra a possible identity provider for Novulo applications.
Application administrators are able to connect the Novulo application to MS Entra, which allows application users to authenticate against the MS Entra directory.
An application user can choose to authenticate with MS Entra in the same way as choosing a Novulo identity provider; the authentication flow is similar.
Follow the instructions below to connect a Novulo application to MS Entra for authentication.

Registration of the Novulo Application in Entra

  1. Log in to the Azure portal (as “Cloud application administrator” for the tenant in which the application will be registered)
  2. Select “Microsoft Entra ID”
  3. Select “Enterprise applications” in the left side menu
  4. Create a new application
  5. Select “Create your own application”
  6. Enter the name of the application
  7. Select “Integrate any other application you don’t find in the gallery (Non-gallery)” then click Create
  8. Select the newly created application
  9. Select “Single sign-on” in the left side menu
  10. Select SAML as the single sign-on method
  11. Edit the “Basic SAML configuration” section
  12. Select ‘No, I’ll test later’ if the question pops up to ‘Test single sign-on with SP’

In the ‘Single sign-on’ overview, copy/download the following data, as you will need it later:

  • Login URL
  • Microsoft Entra Identifier
  • Certificate (Raw)

Notes

  • MS Entra users should also be granted access to the application in the MS Entra administration, but that is beyond the scope of this document.
  • If a user is successfully granted access, you can test the access by selecting the ‘Test’ button in the ‘Single sign-on’ overview. The expected result is a Novulo application error message “Response is not a response to a request”, because the Novulo application does not support IdP-initiated authentication requests.
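The error quoted above comes from the service-provider side of the SAML exchange: a response that does not carry the ID of an AuthnRequest the application issued is unsolicited (IdP-initiated) and is refused. The following Python is an added illustration of that check, not Novulo's own code; the XML response, the store of issued request IDs and the five-minute expiry are constructed for the example, and the signature check that a real service provider performs before this step is not shown.

```python
import secrets
import time
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"


class AuthnRequestStore:
    """Remembers the IDs of AuthnRequests this SP issued, with an expiry.

    Constructed for the example: a real SP would keep this in session or
    cache storage shared by all its nodes.
    """

    def __init__(self, ttl_seconds=300):
        self._ttl = ttl_seconds
        self._issued = {}  # request ID -> time the request was issued

    def issue(self, now=None):
        """Create a fresh request ID and remember when it was issued."""
        now = time.time() if now is None else now
        request_id = "_" + secrets.token_hex(16)  # SAML IDs must not start with a digit
        self._issued[request_id] = now
        return request_id

    def consume(self, request_id, now=None):
        """Return True exactly once for a known, unexpired ID; False otherwise."""
        now = time.time() if now is None else now
        issued_at = self._issued.pop(request_id, None)  # one-shot: blocks replay
        if issued_at is None:
            return False
        return now - issued_at <= self._ttl


def check_in_response_to(response_xml, store, now=None):
    """Accept the response only if InResponseTo names a request we issued.

    Returns the matched request ID, or raises ValueError with the same
    message the Novulo application shows for IdP-initiated responses.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % SAMLP:
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    # Missing attribute: unsolicited. Unknown, expired or reused ID: also refused.
    if not in_response_to or not store.consume(in_response_to, now):
        raise ValueError("Response is not a response to a request")
    return in_response_to


def is_solicited(response_xml, store, now=None):
    """Boolean convenience wrapper around check_in_response_to."""
    try:
        check_in_response_to(response_xml, store, now)
        return True
    except ValueError:
        return False


def build_sample_response(in_response_to=None):
    """Constructed, unsigned sample samlp:Response used only for this demo."""
    attr = ' InResponseTo="%s"' % in_response_to if in_response_to else ""
    template = (
        '<samlp:Response xmlns:samlp="{ns}" ID="_resp1" Version="2.0"{attr}>'
        '<samlp:Status><samlp:StatusCode '
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    )
    return template.format(ns=SAMLP, attr=attr)


if __name__ == "__main__":
    store = AuthnRequestStore()
    req_id = store.issue()
    # SP-initiated: the IdP echoes our request ID, so the response is accepted.
    print("accepted:", check_in_response_to(build_sample_response(req_id), store))
    # IdP-initiated: no InResponseTo, so the SP refuses it.
    try:
        check_in_response_to(build_sample_response(), store)
    except ValueError as err:
        print("rejected:", err)
```

The same check also refuses a replayed response (the ID is consumed on first use) and a response that arrives after the request has expired, which is why the ‘Test’ button in the Entra portal, which sends an unsolicited assertion, is expected to fail against this application.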

Registration of Entra as the IdP for the Novulo Application

Preparation

First, we need to extract the public key from the certificate file that was stored in the previous step.

  1. Open the certificate file in the Windows certificate viewer; double-clicking the file should work.
  2. Open tab “Details”
  3. Select property “public key”
  4. Copy the data from the text area
  5. Paste the data into a text editor of choice
  6. Remove all spaces and copy the result.
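The value copied from the certificate viewer is a run of space-separated hex bytes, and a stray character or a truncated selection is easy to miss once the spaces are gone. The Python below is an added helper, not part of the Novulo plugin, that does step 6 and then checks that the result still decodes as the structure the viewer shows in its “Public key” field; it assumes that field holds the PKCS#1 RSAPublicKey encoding (a DER SEQUENCE of modulus and public exponent). The hex string it parses is a constructed 64-bit sample, not a real key.

```python
import re

# Constructed sample of what the certificate viewer's "Public key" field looks
# like after copying: hex bytes separated by spaces and a line break. Not a real key.
COPIED_PUBLIC_KEY = "30 10 02 09 00 c3 7a 19 44 8e 21 55 9d 02 03 01\n00 01"


def normalize_hex(copied):
    """Step 6 of the preparation: drop all whitespace and verify the result is
    a clean hex byte string (even number of hex digits, nothing else)."""
    cleaned = re.sub(r"\s+", "", copied).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned) or len(cleaned) % 2:
        raise ValueError("copied text is not a clean hex byte string")
    return cleaned


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def parse_rsa_public_key(hex_string):
    """Return (modulus_bits, public_exponent) if hex_string is an RSAPublicKey:
    SEQUENCE { INTEGER modulus, INTEGER publicExponent }. Raises otherwise."""
    der = bytes.fromhex(hex_string)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("SEQUENCE does not hold exactly two INTEGERs")
    modulus = int.from_bytes(n_bytes, "big")  # DER INTEGER is big-endian, sign-padded
    exponent = int.from_bytes(e_bytes, "big")
    return modulus.bit_length(), exponent


def prepare_public_key(copied):
    """Normalize the copied text and refuse it unless it parses as an RSA key."""
    cleaned = normalize_hex(copied)
    bits, exponent = parse_rsa_public_key(cleaned)
    return cleaned, bits, exponent


if __name__ == "__main__":
    cleaned, bits, exponent = prepare_public_key(COPIED_PUBLIC_KEY)
    print("paste this into the Public key field:", cleaned)
    print("RSA modulus of %d bits, exponent %d" % (bits, exponent))
```

A real Entra signing certificate yields a 2048-bit or larger modulus; if the parser reports something far smaller, or raises, the copied selection was incomplete and should be taken again before it is pasted into the identity provider record.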

Integration

  1. Log in to the Novulo application as an administrator
  2. Open the ‘Identity providers’ view
  3. Create a new Identity provider
  4. Enter the following data:
    • Type: Other
    • Name: MS Entra (or whatever name you want the users to click on)
    • SAML Entity ID: Paste the Microsoft Entra Identifier copied from the Entra ‘Single sign-on’ overview
    • SSO Endpoint URL: Paste the Login URL copied from the Entra ‘Single sign-on’ overview
    • Public key: Paste the result from the preparation part
    • Leave the rest of the options as they are.

Notes

  • Users should also be created and linked to groups and allowed access to the application, but that is beyond the scope of this document.
  • The MS Entra identity provider does not send roles to the Novulo application the way a Novulo IdP does. So, make sure that for the MS Entra IdP registration there is exactly one role defined with:
    • the ‘Fallback role when IdP does not send one’ option selected, and
    • the ‘Change rights profile’ option set to ‘No’.
      This ensures that a user is assigned the default role when the user record is created during an MS Entra authentication, and that the user is not reassigned the default role during any following authentication.

Test the Sign-in Procedure

To test the integration, follow this procedure:

  1. Load the default authentication page of the Novulo application, usually something like ‘https://vds123.novulo.com/someapplication/default.aspx’
  2. Select ‘MS Entra’, or ‘Log in with an external application’ and then ‘MS Entra’ if multiple identity providers are configured
  3. The login procedure for MS Entra will show. Log in using credentials for an account that has access to the Novulo application
  4. The Novulo application is loaded successfully.