Microsoft Entra ID

To configure Microsoft Entra ID
as an SSO identity provider, click the button Configure New SSO in the
Single-Sign On section of the organization admin settings.
Then proceed with the steps below.

Step 1. Settings

In the first step, select Microsoft Entra as the identity provider. Then select the
e-mail domains for which you want to set up SSO with Microsoft Entra. Finally, choose how
new users should be handled. Then select Next.

Step 2. Configure Entra ID

Copy the Identifier and the Reply URL. Then open a new browser tab or window
and navigate to Microsoft Entra ID in the Microsoft Azure
Portal.
Select Enterprise applications from the left-hand menu.

Select Create your own application.

Enter Cluvio as the name of your app. From the options choose Integrate any other application you don't find in the gallery (Non-gallery).

Click Create at the bottom of the dialog and wait for the app creation to complete.
Once created, the application detail page is shown. In the Getting
Started section, select 2. Set up single sign on.

Select SAML as the SSO method.

You are now on the Microsoft Entra ID SSO setup page where a series of steps is
shown. In the section of step 1 (Basic SAML Configuration), click Edit.

In the dialog that opens enter the Identifier and Reply URL shown in step 2
of the Cluvio SSO setup wizard. Then click Save.

In the section of step 2 (Attributes & Claims), click Edit.

Select Add new claim to create additional claims for firstname and lastname as shown below.
The other additional claims can either be left in place or deleted, as Cluvio
does not use them.

In the section of step 3 (SAML Certificates), copy the App Federation Metadata URL.

Now return to the Cluvio SSO setup wizard to proceed with step 3.

Step 3. Configure Cluvio

Enter the App Federation Metadata URL copied from the Microsoft Azure Portal at the end
of the previous step. The URL will be processed automatically. When the metadata
has been successfully loaded into Cluvio, the message Metadata successfully loaded! appears below the URL. Click Next to proceed to step 4.

Step 4. User Access

You must now enable user access on your new enterprise app in Microsoft Entra ID. Follow the instructions shown to open the Users and groups section of your enterprise app in the Microsoft Azure Portal.

Select + Add user/group to configure user access as desired. You must at least
allow access for your own Microsoft Entra ID account in order to verify and thus
enable the Cluvio SSO configuration in the next step.

When you have completed user access configuration for your Cluvio enterprise app, return to the Cluvio SSO setup wizard to continue with step 5.

Step 5. Verification

Your Cluvio SSO configuration is now complete, but in order for the configuration
to be activated and SSO logins to be enabled, it must be verified. Click Verify Configuration. Cluvio will open a popup window that performs SSO authentication
with your identity provider and your Cluvio email address. If you are currently
authenticated with the identity provider the popup closes automatically and you
see a success message.

At this point, all future Cluvio logins for users with e-mail addresses in the
configured domains will redirect to Microsoft Entra for authentication and Microsoft Entra will
redirect back to Cluvio when authentication is successful. Click Close to
close the SSO setup wizard.

Reconfiguration

To reconfigure Microsoft Entra ID SSO, select Reconfigure in the SSO config
drop-down menu in the organization admin section. The following dialog is shown.

In the Cluvio tab of the reconfiguration dialog you can see the Metadata URL
that Cluvio is using to periodically check for new certificates. To inspect the
metadata used by Cluvio, including the currently used certificates, select Show Metadata.
Select Reload Metadata to reload the Microsoft Entra ID SAML metadata from the
metadata URL. If Cluvio detects any changes, it will be indicated in the dialog.
There are two use cases for reloading metadata: updating certificates or
changing the Cluvio SSO configuration to link with a completely new Microsoft
Entra ID enterprise app. While the former needs to be done when the existing certificates
expire, the latter is only necessary if you intentionally want to delete and
reconfigure your Microsoft Entra ID enterprise app used for Cluvio.
In the Microsoft Entra ID tab of the reconfiguration dialog you can see the Cluvio metadata
that must be used in the configuration of the Microsoft Entra ID enterprise app.

Updating Certificates

To replace an expiring certificate used by your SSO configuration, open
the Microsoft Entra ID app configuration in the Microsoft Azure Portal
and navigate to the Single sign-on section. Under section 3 (SAML
Certificates) click Edit.

Select New Certificate to add a new certificate, then click Save.

The new certificate is initially inactive. Cluvio will pick up the new certificate automatically within 24 hours,
at which point the new certificate can be activated and the old certificate
removed. If you want to activate the new certificate immediately, first
reconfigure the Cluvio SSO configuration by selecting Reload Metadata. The new
certificate should be picked up and you should see an indication that the
metadata changed. Click Save & Verify to save the changes.
Verification opens a popup that authenticates with Microsoft Entra ID using your Cluvio email address. If verification fails, the previous metadata is automatically restored.
When the changes have been saved successfully, you can activate the new certificate in Microsoft Entra ID and delete the old certificate.
Cluvio periodically polls the Microsoft Entra ID metadata URL to check for new certificates and periodically checks for upcoming expiration of currently used certificates. If a new or expiring certificate is detected, an email notification is sent to the admins in your Cluvio organization.
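
The two reload cases described under Reconfiguration, and the certificate overlap described under Updating Certificates, can be told apart from the metadata itself. The following is an added example, not Cluvio's code: it compares two snapshots of SAML federation metadata by entityID, sign-on endpoint and signing-certificate SHA-256 thumbprint. The function names, result labels, tenant ID and certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def summarize(metadata_xml):
    """Return entityID, SSO endpoints and signing-cert SHA-256 thumbprints."""
    # Remote input: prefer a hardened parser such as defusedxml in production.
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key; a missing 'use' covers signing
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.add(hashlib.sha256(der).hexdigest())
    sso = {s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso, "certs": certs}

def classify_change(old_xml, new_xml):
    """Map a metadata difference onto the two reload use cases."""
    old, new = summarize(old_xml), summarize(new_xml)
    if old["entity_id"] != new["entity_id"] or old["sso"] != new["sso"]:
        return "new-app"        # issuer or endpoint changed
    if old["certs"] == new["certs"]:
        return "unchanged"
    if old["certs"] & new["certs"]:
        return "cert-rotation"  # a previously trusted cert is still present
    return "cert-replaced"      # no overlap with the previously trusted set

def sample_metadata(tenant, blobs):
    # Constructed sample; the byte strings stand in for DER certificates.
    keys = "".join(
        '<KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
        f"{base64.b64encode(b).decode()}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>"
        for b in blobs)
    return (f'<EntityDescriptor xmlns="{NS["md"]}" xmlns:ds="{NS["ds"]}"'
            f' entityID="https://sts.windows.net/{tenant}/"><IDPSSODescriptor>'
            f'{keys}<SingleSignOnService'
            f' Location="https://login.microsoftonline.com/{tenant}/saml2"/>'
            '</IDPSSODescriptor></EntityDescriptor>')

TENANT = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
```

A `cert-replaced` or `new-app` result on a reload that was expected to be a routine rotation is worth investigating before saving the changed metadata.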