# Configure SSO with Entra ID

This guide outlines how to integrate the Adaptiva Server with Microsoft Entra ID. It provides configuration steps for both OpenID Connect (OIDC) and SAML (Security Assertion Markup Language), enabling secure single sign-on (SSO). With this integration, your users can sign in to the OneSite Platform using their Entra credentials, adding a layer of security.

## Create an App Registration in Microsoft Entra

Create an App Registration for the Adaptiva Server to use for federation with Entra ID.

1. Log in to the Microsoft Entra admin center as a *Global Admin* or a delegate with *App Registration permissions*.
2. In the Search bar, enter **App Registrations**, and then select **App registrations** from results.
3. Select **New Registration**.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-11b86bf6aa1eab9cc42937cce79aaf93acf6fea5%2Fnew-registration.png?alt=media)
4. Enter a **Name** for the application.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-4cd9844b1c7f2efc26fdb37bead74c5f1e24250c%2Fregister-app.png?alt=media)
5. Select the appropriate setting in the **Supported account types** section. Typically, you would select **Accounts in this organizational directory only**.
6. From the **Select a platform** drop-down, select either **Web** (build 9.3 or later) or **Single-page application (SPA)** (build 9.1 or 9.2).
7. Enter the URL as shown in the following example:

   `https://<AdaptivaServerFQDN>[:PORT]/login/oidc-redirect`.

   The `AdaptivaServerFQDN[:PORT]` is the name and port used to log in to the Adaptiva Server. For example, `https://cm.onelab.com:9678/login/oidc-redirect`.
8. Click **Register**.
9. *If your Adaptiva Server is using build 9.1 or 9.2*, add another URI:

   a. Select the **Redirect URIs** link from the Overview page.

   b. Click **Add URI**.

   c. Enter your URL into the respective field using the following format: `https://<AdaptivaServerFQDN>[:PORT]/login/oidc-redirect/registration`

   d. Select **Save**.
10. If the server is accessed using any other names besides the FQDN, create the necessary URIs for each name that you use.
11. Click **Register**.

### Create a Client Secret (build 9.3 or later)

*If your Adaptiva Server is using build 9.3 or later*, create a client secret for authentication to Entra ID.

1. Select **Certificates & Secrets** on the far-left action pane.
2. Select **+ New client secret** under **Client secrets** on the **Certificates & secrets** page:

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-64621c8d66db61c1be4d14ab22b0772d6d139a1d%2Fnew-secret.png?alt=media)
3. Enter a description in the **Description** field on the **Add a client secret** dialog, and then select the appropriate expiration timeframe based on the security guidelines of your company.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-b0f381fd0e941063e3db872c562fcc30650d0091%2Fadd-secret.png?alt=media)
4. Select **Add** to return to the **Certificates & secrets** page.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-bcb002242c01371ac530e1fb5677e4a8dfea4907%2Fsecret.png?alt=media)
5. Record the *value* of the secret to use in the Adaptiva Server. This secret value never displays again after you leave this page.

{% hint style="info" %}
Create a reminder on your calendar to create a new App secret before the secret expires.
{% endhint %}

6. Select **Overview** in the left-side pane.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-23f3833c793dd5d5d393fec70b3706c72b903276%2Fapp-registration.png?alt=media)
7. Record the **Application (client) ID** and the **Directory (tenant) ID**.

## Create an OIDC Provider

Follow the steps on the [Configure OIDC](https://docs.adaptiva.com/platform-guide/security/configure-oidc) page; the one-to-one mapping of the Entra ID-specific values is below:

* **Authority** - This is the **Tenant URL** from Entra that you can copy and paste in the Authority field in the following format:

  `https://login.microsoftonline.com/<tenantID>/v2.0`

  The `<tenantID>` is the **Directory (tenant) ID** you recorded earlier.
* **Client ID** - This is the **Application (client) ID** from the Azure Global Admin.

*If using 9.3 or later:*

* **Client Secret** - This is the **Client secret (value)** from Entra.
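To sanity-check the values in the mapping above, and the redirect URIs from the App Registration steps, before entering them, here is an added Python helper (not part of the original guide or of Adaptiva's product). The tenant ID and the discovery document are constructed placeholders, and the build strings follow the guide's 9.1/9.2 versus 9.3 split.

```python
import json
import re
from urllib.parse import urlsplit

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")

# Constructed placeholder IDs; use the values recorded from the App Registration's Overview page.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
# Constructed discovery document, shaped like the one served at
# <Authority>/.well-known/openid-configuration; only the fields checked below are included.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": AUTHORITY,
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys",
})


def authority_for_tenant(tenant_id: str) -> str:
    """Authority field value: https://login.microsoftonline.com/<tenantID>/v2.0"""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"Directory (tenant) ID is not a GUID: {tenant_id!r}")
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def redirect_uris(server_url: str, build: str) -> list[str]:
    """Redirect URIs the App Registration needs for the Adaptiva build (e.g. '9.3')."""
    parts = urlsplit(server_url)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError(f"expected https://<AdaptivaServerFQDN>[:PORT], got {server_url!r}")
    base = f"https://{parts.netloc}/login/oidc-redirect"
    major, minor = (int(x) for x in build.split(".")[:2])
    if (major, minor) >= (9, 3):
        return [base]                          # Web platform: one redirect URI
    return [base, base + "/registration"]      # SPA platform (9.1 / 9.2): second URI


def check_discovery(authority: str, discovery_json: str) -> list[str]:
    """Compare a discovery document with the Authority; return the problems found (empty = OK)."""
    doc = json.loads(discovery_json)
    problems = []
    if doc.get("issuer") != authority:   # a wrong tenant or a v1 endpoint shows up here
        problems.append(f"issuer {doc.get('issuer')!r} does not match authority {authority!r}")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(doc.get(endpoint, "")).startswith("https://"):
            problems.append(f"{endpoint} missing or not https")
    return problems
```

Fetch the real discovery document from `<Authority>/.well-known/openid-configuration` and pass its text to `check_discovery` to confirm the tenant ID you recorded matches the issuer Entra advertises.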

### Updating your OIDC Configuration After Upgrading to Build 9.3

If you have upgraded to build 9.3 or later and have already configured OIDC, the following steps must be completed by the Azure Global Admin or a delegate to update your configuration.

#### Update the App Registration

1. Log in to the Microsoft Entra admin center as a *Global Admin* or a delegate with *App Registration permissions*.
2. Select **App registrations**.
3. Locate and select the App Registration created for the Adaptiva Server.
4. Select **Authentication**.
5. Click the trash can icon ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-3212437ee6a7a2557bc177ccdf976f6ec6984862%2Ftrash.png?alt=media) on the upper-right of the **Single-page application** section to delete all Redirect URIs.

   ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-3299185fcc5e96e1b747e16fed9574b2544f4cf4%2Fspa-settings.png?alt=media)
6. Select **Delete** to confirm the deletion.

#### Create a Platform Configuration

1. Select **+ Add a platform**.
2. Select **Web**.
3. Enter the following URI in the **Redirect URI** field:

   `https://<AdaptivaServerFQDN>[:PORT]/login/oidc-redirect`
4. Select **Configure**.

#### Create a Client Secret

Follow the earlier steps to [create a client secret](#create-a-client-secret-build-93-or-later).

#### Update the OIDC Configuration

The following steps must be completed by the Adaptiva Administrator.

1. Log in to the Adaptiva Server as a Super Admin user.
2. Navigate to ![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-ad421a41af018d28cb8c4bdaf25912f0e6b6bef6%2Fgear.png?alt=media) **> Security > OIDC Providers**.
3. Select the OIDC Provider that you created.
4. Select the **Client Authentication Type** in the **OIDC Settings** section, and then select **Client Secret (Post)**.
5. Enter the Secret you received from the Azure Global Admin into the **Client Secret** field. The **Show Secret** button appears after you enter the Secret into the **Client Secret** field.
6. Select **Save**.

## Enable Single Sign-on using SAML

### Create an Enterprise application in Azure

Create an Enterprise application for the Adaptiva Server to use for federation with Entra ID.

1. Log in to the Microsoft Entra admin center as a *Global Admin* or a delegate with *App Registration permissions*.
2. In the Search bar, enter **Enterprise applications** and then select **Enterprise applications**.
3. Click **New application** and then click **Create your own application**.
4. Enter a name and select the **Integrate any other application you don't find in the gallery (Non-gallery)** radio button.
5. Click **Create**. The application Overview page will appear.

### Assign Users

1. Click **Assign users and groups**.
2. Click **+ Add user/group**.
3. Under **Users and groups**, click the link and check the users or groups you want to grant access to the application.
4. Click **Assign**.
5. In the left-hand navigation, click **Single sign-on**.

#### Configure SAML single sign-on

1. On the application's overview page, in the left-hand navigation, select **Single sign-on**.
2. Click **SAML** as the single sign-on method.
3. On the Set up Single Sign-On with SAML page, under **1. Basic SAML Configuration**, click **Edit**.
4. Click **Add identifier**.
5. Enter the Identifier (Entity ID): `https://<AdaptivaServerFQDN>[:PORT]`.
6. Click **Add reply URL**.
7. Enter the Reply URL from your service provider's configuration: `https://<AdaptivaServerFQDN>[:PORT]/api/v1.0/authentication/saml-login`.
8. Click **Save**.
9. Under **3. SAML Certificates**, click the links to download the **Certificate** and **Federation Metadata XML** files.
10. Under **Step 4. Set up**, record the following links:
    1. Login URL: `https://login.microsoftonline.com/[GUID]/saml2`
    2. Microsoft Entra Identifier: `https://sts.windows.net/[GUID]/`
    3. Logout URL: `https://login.microsoftonline.com/[GUID]/saml2`

### Create the SAML Provider in the Admin Portal

Follow the steps on the [Configure SAML](https://docs.adaptiva.com/platform-guide/security/configure-saml) page and enter the following information from Entra into the **SAML Settings** section:

* **Issuer ID**: enter the **Microsoft Entra Identifier**
* **Authentication Request URI**: enter the **Login URL**
* **Attribute Consuming Service Index**: leave blank
* **Name ID Format**: Leave default
* **Public Key Info**: Open the certificate file (.cer) and copy and paste the contents into the window.
* **Audience**: Enter the same value as the **Identifier (Entity ID)**. If you did not specify a port, append :443 to the server address.
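As an added example (not from the original guide or from Adaptiva), the following Python helper derives the Audience from the Entity ID, checks the Issuer ID format, and extracts the signing certificate from the downloaded Federation Metadata XML as PEM text for the Public Key Info field. The metadata document and the certificate bytes are constructed stand-ins.

```python
import base64
import re
import textwrap
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# Constructed stand-in for the Federation Metadata XML downloaded from Entra;
# the certificate bytes are fake, only the document shape matches.
FAKE_CERT_B64 = base64.b64encode(b"constructed, not a real certificate " * 4).decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS_NS}"><X509Data><X509Certificate>
        {FAKE_CERT_B64}
      </X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def audience_from_entity_id(entity_id: str) -> str:
    """Audience must equal the Identifier (Entity ID); append :443 when no port was given."""
    parts = urlsplit(entity_id)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Entity ID must look like https://<AdaptivaServerFQDN>[:PORT]: {entity_id!r}")
    if parts.port is None:
        return f"https://{parts.netloc}:443{parts.path}"
    return entity_id


def check_issuer_id(issuer: str) -> bool:
    """Issuer ID must be the Microsoft Entra Identifier, https://sts.windows.net/<GUID>/"""
    return re.fullmatch(rf"https://sts\.windows\.net/{GUID}/", issuer) is not None


def signing_certs_to_pem(metadata_xml: str) -> list[str]:
    """Return every signing certificate in the metadata as PEM text for the Public Key Info field."""
    pems = []
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            b64 = "".join((cert.text or "").split())  # drop the whitespace the XML adds
            body = "\n".join(textwrap.wrap(b64, 64))
            pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems
```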

## Log in page

After Microsoft Entra and the OneSite Platform have been federated using OIDC or SAML, an SSO button will appear on the login page. Once clicked, users will be redirected to an Entra login page and granted access to the OneSite Platform.

![](https://4278434842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F6zWDkRrsxRGskacChCcP%2Fuploads%2Fgit-blob-ae6a160553d77f6b8a0360d74ff5921e46c168b2%2Flogin-page.png?alt=media)
