Legend:
Text in double quotes (ex: "Some Text") describes text taken verbatim from a web page
Text in code blocks (ex:
someText
) describes text to input into a form field
When this article was created, Microsoft Azure AD (now known as Entra ID) was the only identity provider (IdP) we had tested, so all references in this article will relate to Azure. We have since tested our integration with Cisco Duo Security.
https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id
Please let us know if you would like to share feedback or suggestions!
Prerequisites
If the client has child locations, something will need to be configured on the Azure AD side to denote a user is associated with a particular myNuspire client. This is necessary to map them to the right client inside myNuspire properly. Without this, users will be put into the client that configured the SSO (the top-most parent most likely). You can obtain an export of the client's organization tree by viewing their organization page and clicking the "Export Client Tree" button under the "Managed Clients" tab. Take note of the field that is used for this in Azure as you will need to add it to the SAML attributes later.
Setting Up The Identity Provider (IdP)
Log in to your Azure Portal
In the top search bar, search for "Enterprise Applications" and click on Services -> Enterprise Applications
At the top of the table, click on "New Application"
At the top of the page, click on "Create your own application". You will see a side menu appear on the right of the page.
Input the name of the application (ex: myNuspire SSO) and select "Integrate any other application you don't find in the gallery (non-gallery)". Then click the "Create" button at the bottom of the side menu.
Under the "Getting Started" section, click "2. Set up single sign on". For the sign on method, choose SAML.
Under "Basic SAML Configuration", select "Edit".
An entity ID and ACS URL are required, so for now just put in some placeholder info (you can use
https://app.mynuspire.io
for now). For each of these, select the "Add" option to add the item.
Click "Save"
Under "SAML Certificates", click the "Download" option next to "Certificate (Base64)". You will need this on the myNuspire side.
Under "Set up myNuspire SSO", take note of the "Login URL" and "Microsoft Entra ID Identifier" fields, as you will need them in the myNuspire configuration steps.
Under "Attributes and Claims", click "Edit"
(Optional) If the client has child locations associated with them in myNuspire, you will need to add a new claim for this field (see the prerequisites section above)
Click "Add new claim" at the top of the page
Under "Name", enter
myNuspireClientId
You can leave "Namespace" empty
Under the "Source" section, select the user attribute that corresponds with the value noted in the prerequisites section, so that the user is mapped to the correct myNuspire client.
Click "Save"
Take note of the "Claim Name" values in this list as you will need them on the myNuspire side
Setting up the myNuspire SSO Configuration
This section is easily overlooked, so please make sure to read the directions carefully and enter the fields as you see them below. If you encounter any issues with the sign on process, there are links to the SAML Tracer browser plugin at the bottom of this document to help your debugging process.
In myNuspire, navigate to the client's organization page and click the "SSO" tab
In the "IdP Issuer URI" field, enter the "Microsoft Entra ID Identifier" value from the Azure AD steps (step 14)
In the "IdP Single Sign-On URL" field, enter the "Login URL" value from the Azure AD steps (step 14)
(Optional) If you want to filter login emails with a regex, check the "Filter emails with a regex" checkbox and enter the regex in the input below it
(Optional) If this client needs to pass down their SSO config to their child clients, select the "I want my children to inherit this SSO configuration" checkbox
Under "IdP Signature Certificate", click the "Upload Certificate" button and upload the certificate you downloaded in the Azure AD steps (step 13)
Under "Attributes", there are some required fields that myNuspire needs in order to map to our users:
email
firstName
lastName
and, optionally,
myNuspireClientId
(if "I want my children to inherit this SSO configuration" is checked)
Below is a table of what would most likely be the common configuration for Azure AD fields (change any value to match what is configured in the Azure environment):
Azure sends more attributes than what is documented in the Azure steps (step 17). If the extra attributes aren't set here, the SSO authentication will fail!
They aren't necessary for anything on our side, but they need to be in place for authentication to succeed. It's just how SAML works.
Omit the
myNuspireClientId
attribute if you did not configure it in Azure
| Name | IdP Attribute Field Name | Title |
| --- | --- | --- |
| firstName | First Name | |
| lastName | Last Name | |
| myNuspireClientId | myNuspireClientId | myNuspire Client ID |
| tenantid | Tenant ID | |
| objectidentifier | Object Identifier | |
| displayname | Display Name | |
| identityprovider | Identity Provider | |
| authnmethodsreferences | Authn Methods References | |
| name | Name | |
Click "Create"
You will then see a details screen of the IdP you just configured. Take note of the "Assertion Customer Service (ACS) URL", "Audience URI", and "Relay State" values as you will need to put those into Azure.
Add More Values Into Azure
Back on the application SSO page from the Azure steps (step 9), click "Edit" under "Basic SAML Configuration"
Replace the placeholder values you entered earlier with the ones we just saw in the myNuspire steps (step 10)
The Identifier (Entity ID) corresponds with the "Audience URI" field in myNuspire
The Reply URL (Assertion Consumer Service URL) corresponds with the ACS URL field in myNuspire
For the "Relay State (Optional)" field, enter the value of the Relay State from the myNuspire page
This is necessary to properly redirect the user into myNuspire once the authentication is complete
You can now test the SAML SSO by clicking the "Test this application" button on the Azure page and then on the "Test sign in" button on the right menu that pops up
Things to Note
Existing myNuspire users will still log in with email/password until they successfully perform an SSO from their IdP. Only after that are they considered a SAML user on our end.
Users that successfully SSO into myNuspire that don't have an existing user will be just-in-time (JIT) created on our end and default to the "Users" user group.
The client the user is configured for (if
myNuspireClientId
is set in the SAML attributes) needs to exist before they authenticate.
Any changes that are made to the SSO config in myNuspire will result in the Audience URI changing. This will have to be copied and updated in the application on the IdP side.
Troubleshooting Issues
If you or the client are unable to successfully SSO into the application, you can use the SAML Tracer browser plugin to inspect the SAML requests that are being made. Typically when an issue occurs, it's related to the attributes not matching what is configured in myNuspire, or to the Audience URI value in Azure not matching what's in myNuspire (the Audience URI changes whenever the SSO config is updated in myNuspire, so it has to be copied into Azure again).
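As an added example (not code from the myNuspire article or product), the checker below parses a SAML Response copied out of SAML Tracer and reports the two mismatches this section and the "Attributes" note above describe: attribute names the IdP sends that are not configured in myNuspire (or vice versa), and an Audience that no longer equals the myNuspire Audience URI. The attribute names are taken from the mapping table above as placeholders (in a real trace they are the "Claim Name" URIs from Azure); the Audience URI, the extra "Groups" attribute and the sample response are constructed.

```python
# Added example, not code from the myNuspire article: an offline checker for the
# two failure causes named under Troubleshooting. It lists attributes the IdP sent
# that are not configured in myNuspire (and vice versa) and flags a stale Audience.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Names from the article's mapping table ("IdP Attribute Field Name" column). In a
# real trace, use the "Claim Name" values shown in Azure, which are URIs.
CONFIGURED_ATTRS = {"First Name", "Last Name", "Tenant ID", "Object Identifier",
                    "Display Name", "Identity Provider", "Authn Methods References", "Name"}
# Constructed placeholder; take the real value from the myNuspire SSO details page.
CONFIGURED_AUDIENCE = "https://app.mynuspire.io/saml/EXAMPLE-AUDIENCE"


def parse_response(xml_text):
    """Return (set of attribute Names, Audience text or None) from a SAML Response."""
    root = ET.fromstring(xml_text)
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    aud = root.find(".//saml:Audience", NS)
    return names, (aud.text.strip() if aud is not None and aud.text else None)


def diagnose(xml_text, configured_attrs=CONFIGURED_ATTRS,
             configured_audience=CONFIGURED_AUDIENCE):
    """List the mismatches that would make the myNuspire SSO login fail."""
    names, audience = parse_response(xml_text)
    problems = []
    if names - configured_attrs:  # every attribute Azure sends must be mapped
        problems.append("sent by IdP but not configured in myNuspire: "
                        + ", ".join(sorted(names - configured_attrs)))
    if configured_attrs - names:
        problems.append("configured in myNuspire but not sent by IdP: "
                        + ", ".join(sorted(configured_attrs - names)))
    if audience != configured_audience:
        problems.append(f"audience mismatch: assertion carries {audience!r}")
    return problems


# Constructed, unsigned sample response: it carries a stale Audience and one
# extra attribute ("Groups") that is absent from the mapping, so both checks fire.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://app.mynuspire.io/saml/OLD-AUDIENCE</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>""" + "".join(
    f'<saml:Attribute Name="{n}"><saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>'
    for n in sorted(CONFIGURED_ATTRS | {"Groups"})
) + "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
```

Paste the Response element from SAML Tracer in place of SAMPLE_RESPONSE and set CONFIGURED_ATTRS and CONFIGURED_AUDIENCE to the values on the myNuspire SSO page; an empty result from diagnose() means neither of the two common causes applies.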