Azure Authentication

Creating new enterprise application

If you want to keep Ultimo production and Ultimo test separate, we recommend creating two enterprise applications, one for each environment.

Go to your Azure Active Directory and search for enterprise applications

Click on new application

Click on create your own application

Create the application with the name Ultimo, choose the option "Integrate any other application you don't find in the gallery (Non-gallery)" and click Create at the bottom of the page.

Setup single sign on (SAML2)

Click on Set up single sign-on

Click on SAML

Click on Upload metadata file.

Select the xml file that was provided in the mail

Check if the input is correct and click on save.

Identifier production: https://<customerurl>.ultimo.net/Saml2
Reply URL production: https://<customerurl>.ultimo.net/Saml2/Acs
Identifier test: https://<customerurl>-test.ultimo.net/Saml2
Reply URL test: https://<customerurl>-test.ultimo.net/Saml2/Acs

Check image below for details:
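Before uploading the XML file from the mail, it is worth confirming that its entityID and AssertionConsumerService match the Identifier and Reply URL listed above for the environment you are configuring, so that a test file does not end up in the production application. The following Python check is an added example, not part of the original page or Ultimo's own tooling; the sample metadata is constructed in the shape of a standard SAML 2.0 EntityDescriptor and "acme" is a placeholder customer name.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample of the SP metadata XML Ultimo mails out (assumed to be a
# standard SAML 2.0 EntityDescriptor; "acme" is a placeholder customer name).
SAMPLE_SP_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="https://acme.ultimo.net/Saml2">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.ultimo.net/Saml2/Acs" index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def expected_urls(customer, test=False):
    """Identifier and Reply URL as listed on this page for production or test."""
    host = f"{customer}-test.ultimo.net" if test else f"{customer}.ultimo.net"
    return {"Identifier": f"https://{host}/Saml2", "Reply URL": f"https://{host}/Saml2/Acs"}


def parse_sp_metadata(xml_text):
    """Pull entityID and the AssertionConsumerService location out of SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/{{{MD_NS}}}AssertionConsumerService")
    return {
        "Identifier": root.get("entityID"),
        "Reply URL": acs.get("Location") if acs is not None else None,
    }


def check_sp_metadata(xml_text, customer, test=False):
    """Return mismatches between the file and the expected environment (empty list = OK)."""
    found = parse_sp_metadata(xml_text)
    want = expected_urls(customer, test)
    return [f"{k}: expected {want[k]}, found {found[k]}" for k in want if found[k] != want[k]]


if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE_SP_METADATA, "acme"))             # []
    print(check_sp_metadata(SAMPLE_SP_METADATA, "acme", test=True))  # two mismatches
```

Run it against the real file (read it from disk instead of the constructed sample) with the customer name and environment you are about to configure; an empty list means the Identifier and Reply URL you will see on the Azure side are the ones expected.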

User assignment

Click on Users and groups

Click on add user/group

Click on None selected and invite users if you want to invite individual users to the application; otherwise click on Select a role and add the Azure AD security group that should be granted access.

If you don't want to provide a domain account to Ultimo, please invite the consultant so that they can use their Ultimo e-mail address to test the SSO during implementation.

If you invite users, then they have to accept the mail to gain access.

Send the following information to Ultimo so they can start the implementation:

App Federation Metadata Url
Federation Metadata XML (download the XML and add it as an attachment)
Domain account e-mail, or the invitation to the Ultimo app from the previous step
Domain account password, or the invitation to the Ultimo app from the previous step

OpenID Connect (OIDC)

Select Azure Active Directory and then select App Registrations on the left side menu.

Click on New Registration and use the following values:

a. Enter a Name for the application

b. For Supported account types choose Accounts in this organizational directory only

c. For Redirect URI choose Web and enter the URL of the environment followed by '/signin-oidc', for example https://customer.ultimo.net/signin-oidc

d. Press register

Go to Authentication in the left-hand menu, tick the checkbox 'ID tokens (used for implicit and hybrid flows)' and press Save.

Depending on the customer's preferences, other authentication methods are also possible, including the use of client secrets.

Go back to Overview in the left-hand menu and copy the value of 'Directory (tenant) ID'.

Click Endpoints at the top of the Overview page and copy the value of 'OpenID Connect metadata document'.
