# Microsoft Entra ID Authentication

## Creating new enterprise application

{% hint style="info" %}
**If you want to separate Ultimo production and Ultimo test, we recommend creating two enterprise applications, so that assertions issued for the test environment are never accepted by production.**
{% endhint %}

Go to Microsoft Entra ID and search for Enterprise applications.

![](/files/-Mamlg62M7aBk2KXrD3I)

Click on New application.

![](/files/-Mamlg64Bc_4wdxRbG_1)

Click on Create your own application.

![](/files/-Mamlg65PB6yHmpoJMyM)

Create the application with the name Ultimo, select the option Integrate any other application you don't find in the gallery (Non-gallery), and click Create at the bottom of the pane.

![](/files/-Mamlg66ddovt1Ka-a_W)

## Set up single sign-on (SAML2)

Click on Set up single sign on.

![](/files/-Mamlg675_vgSYjE3iYM)

Click on SAML.

![](/files/-Mamlg68w2-EFBTCekr5)

Click on Upload metadata file.

![](/files/-Mamlg69-saXtjwCRSZE)

Get the XML file by appending /Saml2 to the complete URL of the environment in a browser. The path is case-sensitive, so note the capital S:\
`https://<customerurl>.ultimo.net/Saml2`

![](/files/-Mamlg6AWJ-EWOenWyNw)

Check that the imported values are correct and click Save. The Identifier must match the entity ID from the metadata exactly, including the capital S in /Saml2. Expected values:

Identifier production: `https://<customerurl>.ultimo.net/Saml2`\
Reply URL production: `https://<customerurl>.ultimo.net/Saml2/Acs`\
Identifier test: `https://<customerurl>-test.ultimo.net/Saml2`\
Reply URL test: `https://<customerurl>-test.ultimo.net/Saml2/Acs`

See the image below for details:

![](/files/-Mamlg6Bu7RK1RY9_Hgd)
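Before uploading, it is worth checking that the metadata served at /Saml2 really carries the Identifier and Reply URL listed above, because Entra matches the SAML Issuer against the Identifier as an exact string and only posts assertions to a registered Reply URL. The script below is an added example and not part of the Ultimo documentation or product: it parses a minimal SP metadata document (constructed here to stand in for a real download; the customer name `acme` is assumed) and reports any mismatch against the expected production or test values.

```python
"""Check SP metadata from https://<customerurl>.ultimo.net/Saml2 against the
Identifier and Reply URL expected in the Entra enterprise application.

Added example, not Ultimo's code. The customer name 'acme' and the metadata
document below are constructed; a real document is fetched from the /Saml2
URL of the environment.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed minimal SP metadata, shaped like what a SAML2 SP publishes.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acme.ultimo.net/Saml2">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.ultimo.net/Saml2/Acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_values(customer, test=False):
    """Identifier and Reply URL as listed for the production or test environment."""
    host = f"{customer}-test.ultimo.net" if test else f"{customer}.ultimo.net"
    return {
        "identifier": f"https://{host}/Saml2",
        "reply_url": f"https://{host}/Saml2/Acs",
    }


def parse_sp_metadata(xml_text):
    """Extract entityID, ACS locations and the signing requirement from SP metadata."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("document is not a SAML2 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return {
        "identifier": root.get("entityID"),
        "reply_urls": [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(xml_text, customer, test=False):
    """Return a list of problems; an empty list means the metadata matches."""
    got = parse_sp_metadata(xml_text)
    want = expected_values(customer, test)
    problems = []
    # Entra compares Issuer and Identifier as exact strings, so the capital S
    # in /Saml2 matters: "/saml2" would be a different entity.
    if got["identifier"] != want["identifier"]:
        problems.append(f"entityID {got['identifier']!r} != expected {want['identifier']!r}")
    if want["reply_url"] not in got["reply_urls"]:
        problems.append(f"no AssertionConsumerService at {want['reply_url']!r}")
    for url in got["reply_urls"]:
        if not url.startswith("https://"):
            problems.append(f"ACS {url!r} is not https")
    if not got["want_assertions_signed"]:
        problems.append("SP does not require signed assertions")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, "acme"))
    print(check_sp_metadata(SAMPLE_SP_METADATA, "acme", test=True))
```

Running the check with `test=True` against production metadata reports both an Identifier and a Reply URL mismatch, which is exactly the situation the two-application recommendation above avoids.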

## User assignment

Click on Users and groups.

![](/files/-Mamlg6C427Zwskk3UFv)

Click on Add user/group.

![](/files/-Mamlg6Deabn9TDK9fPh)

Click on None Selected and invite users if you want to grant individual users access to the application; otherwise click on Select a role and add the Microsoft Entra ID security group that should be granted access.

{% hint style="info" %}
**If you don't want to provide a domain account to Ultimo, invite the consultant instead, so that they can use their Ultimo e-mail address to test the SSO during implementation.**
{% endhint %}

![](/files/-Mamlg6ESOgvAHL-9vSn)

Invited users have to accept the invitation e-mail before they gain access.

![](/files/-Mamlg6Fj06LW-tWdsTt)

Send the following information to Ultimo so they can start the implementation:

App Federation Metadata Url\
Federation Metadata XML (download the XML and add it as an attachment)\
Domain account e-mail, **or the invitation to the Ultimo app from the previous step**\
Domain account password, **or the invitation to the Ultimo app from the previous step**

If you do provide a domain account, share the password through a separate secure channel rather than in the same e-mail as the account name.

![](/files/-Mamlg6GjlbwRYeXp917)

## OpenID Connect (OIDC)

Select **Microsoft Entra ID** and then select **Manage** > **App registrations** in the left side menu.


<figure><img src="/files/5eyO9xerZ7tUjwTuFr2I" alt="" width="437"><figcaption></figcaption></figure>

Click on New registration and use the following values:

a. Enter a **Name** for the application

b. For **Supported account types** choose **Accounts in this organizational directory only**

c. For **Redirect URI** choose **Web** and enter the URL of the environment followed by `/signin-oidc`, for example `https://customer.ultimo.net/signin-oidc`

d. Click **Register**

<figure><img src="/files/w5cYjEqrpj44PuJOpM8x" alt=""><figcaption></figcaption></figure>

Go to **Authentication** in the left side menu and tick the checkbox *ID tokens (used for implicit and hybrid flows)*. Click Save.

{% hint style="info" %}
**Depending on the customer's preferences, other methods of authenticating the application are also possible, including a client secret.**
{% endhint %}

<figure><img src="/files/K6RMfrV3KTfUofZg8iaG" alt=""><figcaption></figcaption></figure>

Go back to **Overview** in the left side menu and copy the value of *Directory (tenant) ID*.

<figure><img src="/files/YjbV0YrnJrEdUoPT67rY" alt=""><figcaption></figcaption></figure>

Click **Endpoints** at the top of the overview page and copy the value of *OpenID Connect metadata document*.

<figure><img src="/files/he3vhU2LyPjTqsciYVOp" alt=""><figcaption></figcaption></figure>
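The tenant ID and metadata document copied in the last two steps determine what a correct ID token must look like: its `iss` claim equals the v2.0 issuer of that tenant, its `tid` equals the Directory (tenant) ID (which is what "this organizational directory only" means on the relying-party side), its `aud` is the Application (client) ID of the registration, and because ID tokens are returned in the front channel when the implicit/hybrid option is enabled, the `nonce` must match the one sent in the login request. The script below is an added example and not part of the Ultimo documentation or product: it derives the endpoints from an assumed tenant ID and validates the claim set of a constructed, unsigned token. Signature verification against the keys at `jwks_uri` from the metadata document is assumed to happen before these checks and is not implemented here.

```python
"""Derive the Entra endpoints from the Directory (tenant) ID and validate the
claims of an ID token received at /signin-oidc.

Added example, not Ultimo's code. Tenant ID, client ID, nonce and the token
below are constructed. Signature verification against jwks_uri is assumed to
have happened before validate_claims() is called.
"""
import base64
import json
import time

LOGIN_BASE = "https://login.microsoftonline.com"


def entra_endpoints(tenant_id):
    """Endpoints that follow from the tenant ID; the issuer is what 'iss' must equal."""
    return {
        "metadata": f"{LOGIN_BASE}/{tenant_id}/v2.0/.well-known/openid-configuration",
        "issuer": f"{LOGIN_BASE}/{tenant_id}/v2.0",
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def id_token_claims(id_token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def make_unsigned_token(claims):
    """Constructed token for demonstration only (alg=none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def validate_claims(claims, tenant_id, client_id, expected_nonce, now=None):
    """Return a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    issuer = entra_endpoints(tenant_id)["issuer"]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    # Single-tenant registration: reject tokens minted for any other tenant.
    if claims.get("tid") != tenant_id:
        problems.append("tid does not match the Directory (tenant) ID")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the Application (client) ID")
    # Front-channel ID token: the nonce binds it to the login request we started.
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        problems.append("nonce missing or does not match the login request")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - 60:  # 60 s clock skew
        problems.append("token not yet valid (nbf)")
    return problems


# Constructed values standing in for the IDs copied from the portal.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
NONCE = "n-0S6_WzA2Mj"
NOW = 1_700_000_000

GOOD_CLAIMS = {
    "iss": f"{LOGIN_BASE}/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "aud": CLIENT_ID,
    "nonce": NONCE,
    "iat": NOW - 60,
    "nbf": NOW - 60,
    "exp": NOW + 3600,
    "preferred_username": "user@example.com",
}

if __name__ == "__main__":
    print(entra_endpoints(TENANT_ID)["metadata"])
    token = make_unsigned_token(GOOD_CLAIMS)
    print(validate_claims(id_token_claims(token), TENANT_ID, CLIENT_ID, NONCE, now=NOW))
```

The relying party should take the issuer and `jwks_uri` from the metadata document rather than hard-coding them, and must reject a token that fails any single check above; a token for another tenant fails both the `iss` and the `tid` check, which is the reason for choosing the single-tenant account type during registration.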


