Entra SSO for Novulo Applications

Original author: Joost Reede PI49744

The Single sign-on plugin is now capable of handling authentication responses sent by Microsoft Entra, the Azure active directory. This makes MS Entra a possible identity provider for Novulo applications.
Application administrators are able to connect the Novulo application to MS Entra, which allows application users to authenticate using the MS Entra directory.
An application user can choose to authenticate with MS Entra in the same fashion as choosing for a Novulo identity provider. The authentication flow is similar.
Follow the instructions below to connect a Novulo application to MS Entra for authentication.

Registration of the Novulo Application in Entra

1. Login to Azure portal (as “Cloud application administrator” for the tenant the application will be registered for)
2. Select “Microsoft Entra ID”
3. Select “Enterprise applications” in the left side menu
4. Create a new application
5. Select “Create your own application”
6. Enter the name of the application
7. Select “Integrate any other application you don’t find in the gallery (Non-gallery)” then click Create
8. Select the newly created application
9. Select “Single sign-on” in the left side menu
10. Select SAML as the single sign-on method
11. Edit the “Basic SAML configuration” section
    • Entity ID: The base URL of the application (e.g., https://vds123.novulo.com/someapplication)
    • Reply URL: The base URL + sso.aspx (e.g., https://vds123.novulo.com/someapplication/sso.aspx)
    • Click ‘save’ and close the side menu
12. Select ‘No, I’ll test later’ if the question pops up to ‘Test single sign-on with SP’

In the ‘Single sign-on’ overview, copy/download the following data, as you will need it later:

• Login URL
• Microsoft Entra Identifier
• Certificate (Raw)

Notes

• MS Entra users should also be granted access to the application in the MS Entra administration, but that is beyond the scope of this document.
• If a user is successfully granted access, you can test the access by selecting the ‘Test’ button in the ‘Single sign-on’ overview. The expected result is a Novulo application error message “Response is not a response to a request”, because the Novulo application does not support IdP-initiated authentication requests.

Registration of Entra as the IdP for the Novulo Application

Preparation

First, we need to extract the public key from the certificate file that was stored in the previous step.

1. Open the document in the Windows certificate viewer. Double-clicking the file should work.
2. Open tab “Details”
3. Select property “public key”
4. Copy the data from the text area
5. Paste the data into a text editor of choice
6. Remove all spaces and copy the result.

Integration

1. As admin, login to the Novulo application
2. Open the ‘Identity providers’ view
3. Create a new Identity provider
4. Enter the following data:
   • Type: Other
   • Name: MS Entra (or whatever name you want the users to click on)
   • SAML Entity ID: Paste the result from the Entra part
   • SSO Endpoint URL: Paste the result from the Entra part
   • Public key: Paste the result from the preparation part
   • Leave the rest of the options as they are.

Notes:

• Users should also be created and linked to groups and allowed access to the application, but that is beyond the scope of this document.
• The MS Entra Identity provider does not support sending roles to the Novulo application as a Novulo IdP does. So, make sure that for the MS Entra IdP registration, there is exactly one role defined with:
  • the ‘Fallback role when IdP does not send one’ option selected, and
  • the ‘Change rights profile’ set to ‘No’,
    To ensure that users are assigned a default role when created in the application during an MS Entra authentication and that the user is not reassigned the default role during any following authentications.

Test the Sign-in Procedure

To test the integration, follow this procedure:

1. Load the default authentication page of the Novulo application. Usually something like ‘https://vds123.novulo.com/someapplication/default.aspx’
2. Select ‘MS Entra’ or ‘Log in with an external application’ and then ‘MS Entra’ if multiple identity providers are configured
3. The login procedure for MS Entra will show. Login using credentials for an account that has access to the Novulo application
4. The Novulo application is loaded successfully.