At the time this article was created, Microsoft Azure AD (now Microsoft Entra ID) was the only identity provider (IdP) we had tested, so all references in this article relate to Azure. We have since tested our integration with Cisco Duo Security.
https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-id
Please let us know if you would like to share feedback or suggestions!
Prerequisites
If the client has child locations, a user attribute on the Azure AD side must identify which myNuspire client a given user belongs to, so that the user can be mapped to the right client inside myNuspire. Without it, every SSO user is placed in the client that configured the SSO (most likely the top-most parent). You can obtain an export of the client's organization tree by viewing their organization page and clicking the "Export Client Tree" button under the "Managed Clients" tab. Take note of the Azure user attribute that carries this value, as you will add it to the SAML claims later.
Setting Up The Identity Provider (IdP)
Log in to your Azure Portal
In the top search bar, search for "Enterprise Applications" and click on Services -> Enterprise Applications
At the top of the table, click on "New Application"
At the top of the page, click on "Create your own application". You will see a side menu appear on the right of the page.
Input the name of the application (ex: myNuspire SSO) and select "Integrate any other application you don't find in the gallery (non-gallery)". Then click "Create"
Under "Supported account types", if the client is a single location without any children, leave the default "Accounts in this organizational directory only" option selected.
If the client has child locations associated with them in myNuspire, select "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)". Note that a multitenant application accepts sign-ins from users in any Entra ID tenant, so rely on the myNuspireClientId claim and the email regex filter in myNuspire to constrain who can log in and which client they land in.
Leave "Redirect URI" empty for now. We'll fill that out later.
Click "Register"
Go back to the Enterprise Applications list, find the newly created app and click on its name. You can search for it above the table if it doesn't show up.
In the left-hand nav, select "Single sign-on" and select the "SAML" option
Under "Basic SAML Configuration", select "Edit".
An Identifier (Entity ID) and a Reply URL (ACS URL) are required, so for now enter placeholder values (https://app.mynuspire.io will do for both). You will replace them with the real values from myNuspire later.
For each of these, select the "Add" option in order to add each item
Click "Save"
Under "SAML Certificates", click the "Download" option next to "Certificate (Base64)". You will need this on the myNuspire side.
Under "Set up myNuspire SSO", take note of the "Login URL" and "Microsoft Entra ID Identifier" fields as you will need them in the myNuspire configuration steps
Under "Attributes and Claims", click "Edit"
(Optional) If the client has child locations associated with them in myNuspire, you will need to add a new claim for this field (see the prerequisites section above)
Click "Add new claim" at the top of the page
Under "Name", enter myNuspireClientId
You can leave "Namespace" empty
Under the "Source" section, select the user attribute that carries the value identified in the prerequisites section, so that the user can be mapped to the right myNuspire client
Click "Save"
Take note of the "Claim Name" values in this list as you will need them on the myNuspire side
Setting up the myNuspire SSO Configuration
In myNuspire, navigate to the client's organization page and click the "SSO" tab
In the "IdP Issuer URI" field, enter the "Microsoft Entra ID Identifier" value you noted under "Set up myNuspire SSO" in the Azure steps
In the "IdP Single Sign-On URL" field, enter the "Login URL" value you noted under "Set up myNuspire SSO" in the Azure steps
(Optional) To restrict which email addresses may log in via SSO, check the "Filter emails with a regex" checkbox and enter the regex in the input below it. Anchor the pattern with ^ and $ so it matches the whole address rather than a substring; an unanchored domain pattern also matches addresses that merely contain that domain.
(Optional) If this client needs to pass down their SSO config to their child clients, select "I want my children to inherit this SSO configuration" checkbox
Under "IdP Signature Certificate", click the "Upload Certificate" button and upload the "Certificate (Base64)" file you downloaded under "SAML Certificates" in the Azure steps
Under "Attributes", there are some required fields that myNuspire needs to map to our users: email, firstName, lastName, and optionally myNuspireClientId (if "I want my children to inherit this SSO configuration" is checked). Below is a table of what would most likely be the common configuration for Azure AD fields (change any value to match what is configured in the Azure environment). The email row is not shown in the table; use the claim name Azure displays for it under "Attributes and Claims".
Azure includes several claims in every SAML token beyond the Claim Name values listed under "Attributes and Claims" (tenantid, objectidentifier, displayname, identityprovider and authnmethodsreferences). If these extra attributes are not mapped here, SSO authentication will fail: they are not used for anything on our side, but myNuspire rejects an assertion that carries attributes it has no mapping for.
Omit the myNuspireClientId attribute if you did not configure it in Azure.
Name                   | IdP Attribute Field Name | Title
firstName              | First Name               |
lastName               | Last Name                |
myNuspireClientId      | myNuspireClientId        | myNuspire Client ID
tenantid               | Tenant ID                |
objectidentifier       | Object Identifier        |
displayname            | Display Name             |
identityprovider       | Identity Provider        |
authnmethodsreferences | Authn Methods References |
name                   | Name                     |
Click "Create"
You will then see a details screen of the IdP you just configured. Take note of the "Assertion Consumer Service (ACS) URL", "Audience URI", and "Relay State" values as you will need to put those into Azure.
Add More Values Into Azure
Back on the application's "Single sign-on" page in Azure, click "Edit" under "Basic SAML Configuration"
Replace the placeholder values you entered earlier with the ones shown on the IdP details screen in myNuspire:
Identifier (Entity ID) corresponds with "Audience URI" field in myNuspire
Reply URL (Assertion Consumer Service URL) corresponds with the ACS URL field in myNuspire
For the "Relay State (Optional)" field, enter the value of the Relay State from the myNuspire page
This is necessary to properly redirect them into myNuspire once the authentication is complete
You can now test the SAML SSO by clicking the "Test this application" button on the Azure page and then on the "Test sign in" button on the right menu that pops up
Things to Note
Existing myNuspire users will still log in with email/password until they successfully perform an SSO from their IdP. Only after that are they considered a SAML user on our end.
Users that successfully SSO into myNuspire that don't have an existing user will be just-in-time (JIT) created on our end and default to the "Users" user group.
The client the user is configured for (if myNuspireClientId is set in the SAML attributes) needs to exist before they authenticate.
Any changes that are made to the SSO config in myNuspire will result in the Audience URI changing. This will have to be copied and updated in the application on the IdP side.
Troubleshooting Issues
In the event that you or the client are unable to successfully SSO into the application, you can use the SAML Tracer browser plugin to inspect the SAML requests and responses that are being made. Typically when an issue occurs, it is related to the attributes not matching what is configured in myNuspire, or to the Audience URI value in Azure not matching what is in myNuspire (the Audience URI changes whenever the SSO config in myNuspire is updated).
SAML Tracer Plugin Links
Google Chrome plugin: https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch
Firefox plugin: https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/
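As an added example (not part of the original article, and not myNuspire or Microsoft tooling), the Python script below performs the checks this section describes offline, and also exercises the email regex filter from the myNuspire SSO configuration steps: it decodes a base64 SAMLResponse value as copied from SAML Tracer, compares the Issuer, Audience and attribute names in the assertion against what myNuspire is configured with, and applies the email regex to the email attribute. The sample response, the GUIDs, the myNuspire Issuer/Audience/ACS values and the regex are constructed for the example; the claim names are Azure's defaults, and the config dict assumes myNuspire matches attributes on the full claim name as displayed in Azure. Signature verification is not attempted; this only explains configuration mismatches.

```python
"""Offline check of a captured Azure AD SAML response against the myNuspire SSO config.
Added example, not part of the original article or of myNuspire/Microsoft code."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed myNuspire-side values: the IdP Issuer URI and Audience URI from the IdP
# details screen, the "Filter emails with a regex" pattern, and the attribute
# mappings keyed by myNuspire field name with the claim name as Azure displays it.
MYNUSPIRE_CONFIG = {
    "idp_issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "audience_uri": "https://app.mynuspire.io/saml/audience/example-client",
    "email_regex": r"^[^@\s]+@example\.com$",  # anchored on purpose, see email_allowed()
    "attributes": {
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "myNuspireClientId": "myNuspireClientId",
        "tenantid": "http://schemas.microsoft.com/identity/claims/tenantid",
        "objectidentifier": "http://schemas.microsoft.com/identity/claims/objectidentifier",
        "displayname": "http://schemas.microsoft.com/identity/claims/displayname",
        "identityprovider": "http://schemas.microsoft.com/identity/claims/identityprovider",
        "authnmethodsreferences": "http://schemas.microsoft.com/claims/authnmethodsreferences",
    },
}

# Constructed, unsigned stand-in for what SAML Tracer shows after decoding. It still
# carries the placeholder Audience from the Azure setup steps and lacks the
# myNuspireClientId claim, so both mistakes this section describes show up.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://app.mynuspire.io/saml/acs/example-client">
  <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://app.mynuspire.io</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid"><saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider"><saml:AttributeValue>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences"><saml:AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def email_allowed(email: str, pattern: str) -> bool:
    """Apply the myNuspire email regex. Search semantics are assumed here; an unanchored
    pattern such as r"@example\\.com" also admits attacker@example.com.evil.net, so anchor
    the pattern with ^ and $ and it behaves the same under search or full-match."""
    return re.search(pattern, email) is not None


def summarize(b64_response: str) -> dict:
    """Decode the SAMLResponse form value and pull out the fields worth comparing."""
    root = ET.fromstring(base64.b64decode(b64_response))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions are not handled)")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "audiences": [a.text.strip() for a in assertion.iter(f"{{{NS['saml']}}}Audience")],
        "attributes": attributes,
    }


def check_against_config(summary: dict, config: dict) -> list:
    """Return human-readable findings; an empty list means the capture matches the config."""
    findings = []
    if summary["issuer"] != config["idp_issuer"]:
        findings.append(f"issuer mismatch: token says {summary['issuer']!r}, myNuspire expects {config['idp_issuer']!r}")
    if config["audience_uri"] not in summary["audiences"]:
        findings.append(f"audience mismatch: Azure Identifier (Entity ID) is {summary['audiences']}, myNuspire Audience URI is {config['audience_uri']!r}")
    sent, mapped = set(summary["attributes"]), set(config["attributes"].values())
    findings += [f"attribute sent by Azure but not mapped in myNuspire: {n}" for n in sorted(sent - mapped)]
    findings += [f"attribute mapped in myNuspire but absent from the token: {n}" for n in sorted(mapped - sent)]
    for email in summary["attributes"].get(config["attributes"]["email"], []):
        if not email_allowed(email, config["email_regex"]):
            findings.append(f"email {email!r} rejected by filter {config['email_regex']!r}")
    return findings


def run_sample() -> list:
    """Check the constructed capture; replace SAMPLE_RESPONSE_B64 with a real SAML Tracer value."""
    return check_against_config(summarize(SAMPLE_RESPONSE_B64), MYNUSPIRE_CONFIG)
```

For a real capture, paste the base64 SAMLResponse value from SAML Tracer in place of SAMPLE_RESPONSE_B64 and fill MYNUSPIRE_CONFIG from the client's SSO tab. Each finding names which side to fix: an audience mismatch means the Identifier (Entity ID) in Azure must be updated to the current myNuspire Audience URI, an attribute that is sent but not mapped must be added on the myNuspire side, and one that is mapped but absent must be added as a claim in Azure.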