# Microsoft Entra ID Authentication

## Creating new enterprise application

{% hint style="info" %}
**If you want to separate Ultimo production and Ultimo test, we recommend creating two enterprise applications, one per environment.**
{% endhint %}

Go to Microsoft Entra ID and search for **Enterprise applications**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg62M7aBk2KXrD3I%2Fimage001.png?alt=media\&token=4e9578f4-e6c0-4870-8306-0046d178e2a3)

Click on **New application**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg64Bc_4wdxRbG_1%2Fimage002.png?alt=media\&token=60b6ee94-7be3-4252-963f-47794f87ab44)

Click on **Create your own application**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg65PB6yHmpoJMyM%2Fimage003.png?alt=media\&token=fca22ee4-1ba3-423f-877e-8c0665ae70af)

Give the application the name Ultimo, choose **Integrate any other application you don't find in the gallery (Non-gallery)** and click **Create** at the bottom.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg66ddovt1Ka-a_W%2Fimage004.png?alt=media\&token=4ca1a4d7-8079-44e6-bce5-468cbce72cda)

## Set up single sign-on (SAML2)

Click on **Set up single sign on**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg675_vgSYjE3iYM%2Fimage005.png?alt=media\&token=b6235c8b-f8b0-4a5f-8b92-a24f6a6045db)

Click on **SAML**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg68w2-EFBTCekr5%2Fimage006.png?alt=media\&token=9ab63176-6d19-48fc-8f1f-9b8eff7e4bc2)

Click on **Upload metadata file**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg69-saXtjwCRSZE%2Fimage007.png?alt=media\&token=8e3b1342-ddf4-4304-b134-a5ec94f46011)

Download the metadata XML file by appending `/Saml2` to the full URL of the environment in a browser. The path is case-sensitive, so note the capital S:

`https://<customerurl>.ultimo.net/Saml2`

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6AWJ-EWOenWyNw%2Fimage008.png?alt=media\&token=0a8a68a5-e930-467d-bdc3-ad3f45c1f6ec)

Check that the values filled in from the metadata are correct and click on **Save**. The expected values per environment are:

- Identifier production: `https://<customerurl>.ultimo.net/Saml2`
- Reply URL production: `https://<customerurl>.ultimo.net/Saml2/Acs`
- Identifier test: `https://<customerurl>-test.ultimo.net/Saml2`
- Reply URL test: `https://<customerurl>-test.ultimo.net/Saml2/Acs`

Use the values of one environment per enterprise application. The Reply URL is the address Entra ID posts the SAML response to, so mixing the production Identifier with the test Reply URL (or the other way round) breaks the sign-in.

Check image below for details:

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6Bu7RK1RY9_Hgd%2Fimage009.png?alt=media\&token=4b86fb50-6202-4053-955a-93efac6a7e57)
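Before uploading the metadata file, it is worth checking that the Identifier and Reply URL it contains are the ones expected for the environment you are configuring. The script below is an added example, not code from Ultimo's documentation or product: it parses a SAML2 service-provider metadata document (the file served at `https://<customerurl>.ultimo.net/Saml2`) and compares the `entityID` and the default `AssertionConsumerService` location against the values listed above. The embedded sample document and the customer name `customer` are constructed for this example; in practice you pass the downloaded XML and your own customer URL.

```python
"""Sanity-check Ultimo's SAML2 SP metadata before uploading it to Entra ID.

Added example, not part of Ultimo's documentation or product. It parses the
metadata XML served at https://<customerurl>.ultimo.net/Saml2 and checks that
the entityID (Identifier) and the AssertionConsumerService URL (Reply URL)
match the values expected for the production or test environment. The sample
document below is constructed for this example; replace it with the file you
downloaded.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like a SAML2 service-provider metadata document
# for a fictitious customer "customer" (not captured from a real environment).
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
                  entityID="https://customer.ultimo.net/Saml2">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService
        Binding="{HTTP_POST}"
        Location="https://customer.ultimo.net/Saml2/Acs" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def expected_saml_endpoints(customer_url: str, test: bool = False) -> dict:
    """Identifier and Reply URL as listed in the instructions for one environment."""
    host = f"{customer_url}-test.ultimo.net" if test else f"{customer_url}.ultimo.net"
    return {"entity_id": f"https://{host}/Saml2", "acs_url": f"https://{host}/Saml2/Acs"}


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract entityID and the default ACS endpoint from SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML2 EntityDescriptor: {root.tag}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("metadata has no AssertionConsumerService")
    # The IdP posts the response to the default ACS; fall back to the first one.
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
    }


def check_sp_metadata(xml_text: str, customer_url: str, test: bool = False) -> list:
    """Return mismatches against the expected environment; an empty list means OK."""
    found = parse_sp_metadata(xml_text)
    expected = expected_saml_endpoints(customer_url, test)
    problems = []
    # Comparisons are case-sensitive on purpose: /saml2 is not /Saml2.
    if found["entity_id"] != expected["entity_id"]:
        problems.append(f"Identifier {found['entity_id']!r} != {expected['entity_id']!r}")
    if found["acs_url"] != expected["acs_url"]:
        problems.append(f"Reply URL {found['acs_url']!r} != {expected['acs_url']!r}")
    if not (found["acs_url"] or "").startswith("https://"):
        problems.append("Reply URL is not https")
    if found["acs_binding"] != HTTP_POST:
        problems.append(f"unexpected ACS binding {found['acs_binding']!r}")
    return problems


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, "customer"))             # []
    print(check_sp_metadata(SAMPLE_SP_METADATA, "customer", test=True))  # two mismatches
```

Running the check with `test=True` against production metadata reports both the Identifier and the Reply URL as mismatches, which is exactly the situation the two-application recommendation above avoids.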

## User assignment

Click on **Users and groups**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6C427Zwskk3UFv%2Fimage010.png?alt=media\&token=7d4c0c74-3405-4b92-8135-f74caccc1a75)

Click on **Add user/group**.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6Deabn9TDK9fPh%2Fimage011.png?alt=media\&token=651e8228-c7b6-4eca-ac75-d04779e101fc)

Click on **None Selected** and invite the users you want to grant access to the application; to grant access to an existing Microsoft Entra ID security group instead, click on **Select a role** and add that group.

{% hint style="info" %}
**If you don’t want to hand a domain account to Ultimo, invite the consultant as a guest instead, so they can use their Ultimo e-mail address to test the SSO during implementation.**
{% endhint %}

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6ESOgvAHL-9vSn%2Fimage012.png?alt=media\&token=045a542c-689d-4b06-b172-6edfa07bd401)

Invited users must accept the invitation e-mail before they can access the application.

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6Fj06LW-tWdsTt%2Fimage013.png?alt=media\&token=03a69010-0b33-402f-8a9c-183101544ecd)

Send the following information to Ultimo so they can start the implementation:

- App Federation Metadata URL
- Federation Metadata XML (download the XML and add it as an attachment)
- Domain account e-mail address, or **the invitation to the Ultimo app from the previous step**
- Domain account password, or **the invitation to the Ultimo app from the previous step**

{% hint style="info" %}
**Prefer the invitation over sharing a domain account. If you do hand over a domain account, use a dedicated test account with no rights beyond the Ultimo application, and send its password through a separate channel from the metadata, never in the same e-mail.**
{% endhint %}

![](https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MZmRVbbu75Ds8MiWx_F%2F-MamkxyiDBVlncSCyGjl%2F-Mamlg6GjlbwRYeXp917%2Fimage014.png?alt=media\&token=b01ffe25-45d8-4e85-bc82-4be06d1e5fb2)

## OpenID Connect (OIDC)

Select **Microsoft Entra ID** and then select **Manage** > **App Registrations** in the left side menu.


<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FOboHkstqX0h4EFYlow5i%2Fimage.png?alt=media&#x26;token=a660ec4a-80ac-4698-93a3-03c096b5e5ad" alt="" width="437"><figcaption></figcaption></figure>

Click on **New registration** and use the following values:

1. Enter a **Name** for the application.
2. For **Supported account types** choose **Accounts in this organizational directory only**.
3. For **Redirect URI** choose **Web** and enter the URL of the environment followed by `/signin-oidc`, for example `https://customer.ultimo.net/signin-oidc`.
4. Press **Register**.

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FWCC3X1Ll9yaOSWlIc0EL%2Fimage.png?alt=media&#x26;token=019d5229-f42b-4890-8cf1-5aba967877d4" alt=""><figcaption></figcaption></figure>

Go to **Authentication** in the left side menu and tick the checkbox **ID tokens (used for implicit and hybrid flows)**. This lets Entra ID return an ID token directly from the authorization endpoint. Press **Save**.

{% hint style="info" %}
**Depending on the customer’s preferences, other ways of authenticating the application are also possible, such as a client secret.**
{% endhint %}

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FVzJxGDXsfI7VCii7iwVG%2Fimage.png?alt=media&#x26;token=2e517589-16b5-4da9-8f6e-e8b0c83282dd" alt=""><figcaption></figcaption></figure>

Go back to **Overview** from the left side menu, and copy the value of '*Directory (tenant) ID*'.

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FD24vm6jeM9GAPvpTP3bI%2Fimage.png?alt=media&#x26;token=d649ede3-828e-4c58-a42c-102e83596d73" alt=""><figcaption></figcaption></figure>

Click **Endpoints** on the top of the overview page and copy the value of '*OpenID Connect metadata document*'.

<figure><img src="https://4033746893-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MZmRVbbu75Ds8MiWx_F%2Fuploads%2FPUBOo4P6UtToFlgXobsd%2Fimage.png?alt=media&#x26;token=83d2f860-b0c8-40d0-af04-568c0c02e3fa" alt=""><figcaption></figcaption></figure>
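The three values collected in this section (redirect URI, tenant ID and the OpenID Connect metadata document URL) belong together, and a mismatch between them is the usual reason an OIDC sign-in fails after setup. The script below is an added example, not code from Ultimo's documentation or product: it derives the metadata document URL from the tenant ID, checks a discovery document against that tenant, and validates the redirect URI entered at registration. The all-zero tenant ID and the discovery document embedded here are constructed placeholders; the restriction of the redirect host to `ultimo.net` is an assumption based on the example URLs on this page.

```python
"""Check the OIDC values collected in the Entra ID app registration.

Added example, not part of Ultimo's documentation or product. It builds the
OpenID Connect metadata document URL from the tenant ID, validates a discovery
document against that tenant, and checks the redirect URI entered during
registration. The tenant ID and discovery document below are constructed
placeholders; fetch the real document from the URL shown under Endpoints.
"""
import json
import uuid
from urllib.parse import urlparse

AUTHORITY = "https://login.microsoftonline.com"

# Constructed placeholder tenant ID (all zeros), not a real directory.
TENANT_ID = "00000000-0000-0000-0000-000000000000"

# Constructed discovery document with only the fields this check needs,
# mirroring the shape of the Entra ID v2.0 document (not a live capture).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{AUTHORITY}/{TENANT_ID}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"{AUTHORITY}/{TENANT_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def discovery_url(tenant_id: str) -> str:
    """URL of the 'OpenID Connect metadata document' shown under Endpoints."""
    uuid.UUID(tenant_id)  # raises ValueError if the tenant ID is not a GUID
    return f"{AUTHORITY}/{tenant_id}/v2.0/.well-known/openid-configuration"


def check_discovery_document(doc_json: str, tenant_id: str) -> list:
    """Return problems found; an empty list means the document fits the tenant."""
    doc = json.loads(doc_json)
    problems = []
    # The issuer must name this tenant, otherwise ID tokens would be accepted
    # from the wrong directory when Ultimo validates the 'iss' claim.
    expected_issuer = f"{AUTHORITY}/{tenant_id}/v2.0"
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} does not match tenant {tenant_id}")
    # The registration enables ID tokens, so the authorize endpoint must
    # advertise the id_token response type.
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("id_token is not an advertised response type")
    jwks = doc.get("jwks_uri", "")
    if not jwks.startswith(AUTHORITY + "/"):
        problems.append(f"jwks_uri {jwks!r} is not served by {AUTHORITY}")
    for key in ("authorization_endpoint", "token_endpoint"):
        if urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not https")
    return problems


def check_redirect_uri(uri: str, host_suffix: str = ".ultimo.net") -> list:
    """Validate the Web redirect URI entered for the registration.

    host_suffix is an assumption taken from the example URLs in these
    instructions; adjust it if the environment runs under another domain.
    """
    parsed = urlparse(uri)
    problems = []
    if parsed.scheme != "https":
        problems.append("redirect URI must use https")
    if parsed.path != "/signin-oidc":
        problems.append("redirect URI path must be exactly /signin-oidc")
    if parsed.query or parsed.fragment:
        problems.append("redirect URI must not carry a query string or fragment")
    if not parsed.hostname or not parsed.hostname.endswith(host_suffix):
        problems.append(f"redirect URI host does not end with {host_suffix}")
    return problems


if __name__ == "__main__":
    print(discovery_url(TENANT_ID))
    print(check_discovery_document(SAMPLE_DISCOVERY, TENANT_ID))        # []
    print(check_redirect_uri("https://customer.ultimo.net/signin-oidc"))  # []
```

Entra ID matches redirect URIs exactly, so a trailing slash, a different scheme or a query string in the URI entered at registration is reported here the same way the sign-in would fail later.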
