> For the complete documentation index, see [llms.txt](https://docs.ovaledge.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.ovaledge.com/release8.2/installation-and-settings/authentication-and-sso-setup/microsoft-entra-id-azure-ad.md).

# Microsoft Entra ID (Azure AD)

This article explains how to integrate the **OvalEdge** application with **Microsoft Entra ID** (formerly Azure Active Directory) to enable **SAML-based Single Sign-On (SSO)** and centralized identity management. It covers the complete configuration process, including creating an enterprise application, configuring SAML authentication, optionally securing application secrets in **Azure Key Vault**, registering the application, assigning users and roles, and updating the Tomcat configuration required for the integration.

{% hint style="warning" %}
Microsoft has recently renamed **Azure Active Directory** (also called **Azure AD** or **AAD**) to **Microsoft Entra ID**. This is not to be confused with **Windows Server Active Directory**, which remains unchanged.
{% endhint %}

## Purpose

The purpose of this document is to guide administrators through configuring **Microsoft Entra ID** authentication for the OvalEdge application. By completing the steps in this guide, you can:

* Enable **Single Sign-On (SSO)** using the SAML 2.0 protocol.
* Authenticate users through Microsoft Entra ID instead of managing local application credentials.
* Configure role-based access by mapping Microsoft Entra ID users and groups to OvalEdge roles.
* Secure sensitive application configuration, such as database credentials and encryption keys, using **Azure Key Vault** (optional).
* Register the application to securely access Azure resources, including Key Vault.
* Configure the Tomcat application server to support Microsoft Entra ID authentication, with or without Azure Key Vault integration.
* Provide users with a secure and centralized sign-in experience while simplifying identity and access management across the organization.

## The Setup

Follow the steps below to integrate the OvalEdge application with Microsoft Entra ID and run the OvalEdge application with HTTPS.

**Example:**

```
https://<DNS>:8443/ovaledge
```

* **Create an Enterprise application in Azure:** Used to authenticate Azure users in the OvalEdge application.
* **Create Key Vault Secrets:** Used to store the MySQL database details and the SAML certificate.
* **App Registration:** Used to authenticate the OvalEdge application with Azure Key Vault.
* **Authentication and Authorization:** Explains how to create roles and groups in Active Directory and add members to the groups.
* **Tomcat Configuration:** Used to configure Azure with the OvalEdge application.

### Create an Enterprise Application in Azure

To create an Enterprise application in Azure, complete the following steps:

1. Navigate to **Azure Active Directory** and click **Azure Active Directory**.

   <div align="left"><img src="/files/X3b6VSe0wgL4cv1WJ3SY" alt="" height="331" width="574"></div>
2. Click **Enterprise Applications** to display the **Enterprise Applications** page.

   <div align="left"><img src="/files/1KIX93RJoyszDrW2uWjz" alt="" height="345" width="587"></div>
3. On the **Enterprise Applications** page, click **+ New Application** to display the **Browse Azure AD Gallery** page.

   <div align="left"><img src="/files/3BVG1ZeoOjXN30Y0wJ5f" alt="" height="356" width="639"></div>
4. On the **Browse Azure AD Gallery** page, click **Create your own application**.

   <div align="left"><img src="/files/cGRIhuGpxtqLoxIqKagC" alt="" height="361" width="634"></div>
5. Enter the application name and click **Create**.

   <img src="/files/8J1tFn3AbmAShJtD8dcX" alt="" height="375" width="709">
6. Open the application that was created, click **Single Sign-on**, and select **SAML**.

   <img src="/files/AkIZvBq49ILACnS6fJ9J" alt="" height="359" width="703">

   <div align="left"><img src="/files/DMhf1WA3ntFQPyl3MwCv" alt="" height="326" width="611"></div>
7. Click **Edit** to edit **Basic SAML Configuration**.

   <div align="left"><img src="/files/uuVrBcgKQsBy3rSma8Qo" alt="" height="334" width="624"></div>
8. Enter the following values and click **Save**.

   <div align="left"><img src="/files/i8uX7zVZ01lbEMna2lo2" alt="" height="354" width="689"></div>

   <div align="left"><img src="/files/435XqTSTqlj0JzK6VM0z" alt="" height="362" width="693"></div>

   1. **Identifier:**

      ```
      https://<DNS>/ovaledge/saml/metadata
      ```
   2. **Reply URL (Assertion Consumer Service URL):**

      ```
      https://<DNS>/ovaledge/saml/SSO
      ```
   3. **Logout URL (Optional):**

      ```
      https://<DNS>/ovaledge/saml/SingleLogout
      ```

{% hint style="info" %}
Specify the port if such a configuration is used.
{% endhint %}

10. Click **Edit** to configure **Attributes & Claims**.

    <img src="/files/SW7BGBqItKKZtWjGcTkg" alt="" height="335" width="722">
11. Click **+ Add a group claim**, select **Groups assigned to the application**, and then click **Save**.

    <div align="left"><img src="/files/skeD4C2Aj7HRLLKqLvwA" alt="" height="326" width="719"></div>
12. Click **Edit** to edit **SAML Signing Certificate**.

    <img src="/files/X7nujJChvZzTCsztoKG0" alt="" height="376" width="715">
13. Select **Signing Algorithm** as **SHA-1** and click **Save** to display the **SAML-based Sign-on** page.

    <img src="/files/4oNJPvfOi4fE5anWGZIC" alt="" height="324" width="717">
14. On the **SAML-based Sign-on** page, click the **Copy** icon to copy the metadata URL.

    <div align="left"><img src="/files/fQrEU2UhXGCdttwPmdNp" alt="" height="371" width="697"></div>

### Creating Key-Value Secrets (Optional)

The purpose of this section is to store database and Elasticsearch (ES) details that should not be shared publicly.

To create Key Vault secrets in Azure, complete the following steps:

1. Navigate to **Azure Key Vaults**.

   <div align="left"><img src="/files/K11XHKTGBl4xHMlx0P0l" alt="" height="324" width="636"></div>
2. On the **Key Vaults** page, click **Create**.

   <div align="left"><img src="/files/GSaYI1iPChBT4gI2JTNn" alt="" height="302" width="596"></div>
3. Enter the **Resource group** and **Key vault name**.

   <img src="/files/etGYkXhBRCGLS5SWnpHD" alt="" height="372" width="717">
4. In the **Access Policy** tab, select **Vault access policy** for **Permission Model**, provide **Key**, **Secret**, and **Certificate** permissions to the required users, and click **Review + Create**.

   <img src="/files/wloUBQfoVIU3W25NDoHS" alt="" height="341" width="720">
5. Verify the entered details and click **Create**.

   <img src="/files/YPpTuIPcuCpXQG44Dr5N" alt="" height="716" width="721">
6. After the deployment is complete, click **Go to resource** to open the **Key Vault | Overview** page.

   <img src="/files/d9ODUYVNg2WIRQ8nJk8E" alt="" height="263" width="727">
7. Click **Secrets**.

   <img src="/files/CRucSLkRfzxTwyWjtAvl" alt="" height="344" width="724">
8. Click **+ Generate/Import**.

   <div align="left"><img src="/files/a6bM6aVQr8GymmBoelxu" alt="" height="286" width="678"></div>
9. To create the first secret:

   <div align="left"><img src="/files/qJpcf46295NzjuxzA5lH" alt="" height="424" width="571"></div>

   1. Select **Upload options** as **Manual**.
   2. Enter **Name** as `jdbcstring`.
   3. Enter **Value** as:

      ```
      jdbc:mysql://<host(or)RDSendpoint>:3306/ovaledgedb
      ```
   4. Click **Create**.
10. Create the next secret.

    <div align="left"><img src="/files/dKOBp9XM8tRod28RurCV" alt="" height="368" width="499"></div>

    1. Select **Upload options** as **Manual**.
    2. Enter the **Name** as the database username.
    3. Enter the **Value** as the username used to access the database.
    4. Click **Create**.
11. Enter the **Name** as `password`, enter the **Value** as the database password, and click **Create**.

    <div align="left"><img src="/files/V4CfpejS1YQDste6zvys" alt="" height="335" width="449"></div>
12. Enter the **Name** as `ovaledgeencryptdecryptkey`, enter the desired value, and click **Create**.

    <div align="left"><img src="/files/Vtj0dlhIAFBNHty0h9nR" alt="" height="363" width="509"></div>
13. Navigate to **Access control (IAM)**, select **Role assignments**, and click **+ Add**.

    <img src="/files/H5QA1lR5iEucsoIlRlGz" alt="" height="410" width="720">
14. Select **Add role assignment** on the **Access Control** page.

    <div align="left"><img src="/files/bCr3ZDZZFnbgGsZ68QRM" alt="" height="362" width="641"></div>
15. On the **Add role assignment** page, click **Role** and select **Owner**.

    <div align="left"><img src="/files/N2A4DQA8p3aE6r8FrUHA" alt="" height="342" width="682"></div>
16. Click **Select members**, click **+ Select members**, and select the required application and users.

    <div align="left"><img src="/files/Ewq2HnZcdm20HcJmdHs8" alt="" height="336" width="614"></div>
17. Click **Review + Assign** to display the **Access Policies** page.

    <div align="left"><img src="/files/eqFcwv2WhVGFIINOKcHn" alt="" height="365" width="579"></div>
18. On the **Access Policies** page:

    <figure><img src="/files/MsuOsDMTTUZ1Gkkqus47" alt=""><figcaption></figcaption></figure>

    1. Select the check boxes for:
       1. **Azure Virtual Machines for deployment**
       2. **Azure Resource Manager for template deployment**
       3. **Azure Disk Encryption for volume encryption**
    2. Select **Vault access policy** as the permission model.
    3. Click **Create** to create the policy.
19. Set the following permissions and click **Next**.

    <figure><img src="/files/BvxGwjoUO4n7bi4bvgz1" alt=""><figcaption></figcaption></figure>

    1. **Key permissions:** Get
    2. **Secret permissions:** Get
    3. **Certificate permissions:** Get
20. Search for the username, assign permissions, select the user, then click **Next**.

    <figure><img src="/files/7POwqlte3bjMGQyVKdnn" alt=""><figcaption></figcaption></figure>
21. Select the application that was created and click **Next**.<br>

    <figure><img src="/files/FJ8iye84xlNBRiEsEbCf" alt=""><figcaption></figcaption></figure>
22. Review the configuration and click **Create** to create the access policy.

    <figure><img src="/files/xACmmUsvw8PqdUaitvM6" alt=""><figcaption></figcaption></figure>

### App Registration

Follow the steps below for App Registration.

1. Navigate to **App Registrations**.

   <img src="/files/KIKBH8Y7nCxz3uEKO2B2" alt="" height="351" width="710">
2. Select **All Applications**, search for the application created in the Enterprise Application section (for example, **devatestapp**), and click the application.

   <img src="/files/fOSj2ZJ1Exk3uneRtmk4" alt="" height="213" width="714">
3. Navigate to **Certificates & secrets**, select **Client secrets**, and click **New Client Secret**.

   <img src="/files/DiwhaJJ9xrsoSaoAva4r" alt="" height="321" width="717">
4. Enter any name in the **Description** field and click **Add**.

   <img src="/files/MkozdKGRKp9AN4umKTCy" alt="" height="317" width="715">
5. Copy the **Value ID** and save it in a document.

   <img src="/files/h2VCzTMG2Z2QXHVzzdyB" alt="" height="290" width="727">
6. Click **Overview**, copy the **Client ID** and **Tenant ID**, and save them in a document.

   <img src="/files/6zTUSxxMniJrJYCBpyNu" alt="" height="296" width="718">

### Authentication and Authorization

Follow the steps below to authenticate and access the OvalEdge application.

1. Navigate to the **App Registration** for the Enterprise Application, then click **Token Configuration**. Click **+ Add optional claim**, select **SAML**, select **email** and **upn**, and then click **Add**.<br>

   <figure><img src="/files/Rq5vfKw15ETMWjMpas6L" alt=""><figcaption></figcaption></figure>
2. Enable the Microsoft Graph email and profile permissions (required for claims to appear in the token), and click Add.<br>

   <figure><img src="/files/KpM4kkrcrqqrng1ObKYp" alt=""><figcaption></figcaption></figure>
3. Click **+ Add groups claim**. Select **Security groups**, and then configure the following:

   <figure><img src="/files/0y2sZLAH7GFA8xFoL9z8" alt=""><figcaption></figcaption></figure>

   1. Under **ID**, select **sAMAccountName**.
   2. Under **Access**, select **sAMAccountName**.
   3. Under **SAML**, select **Group ID**.
   4. Click **Add**.
4. Navigate to **App roles**. Click **+ Create app role** and configure the following:

   <img src="/files/2Cacholykqn0WNHAUUbs" alt="" height="372" width="750">

   1. **Display name:** `OE_ADMIN`
   2. **Allowed member types:** `Both (Users/Groups + Applications)`
   3. **Value:** `OE_ADMIN`
   4. **Description:** `OE_ADMIN`
   5. Click **Apply**.
5. Navigate to the **Enterprise Application** and search for the application.

   <img src="/files/aLh23OrOdVTnSCTAGjGr" alt="" height="371" width="750">
6. Click **Assign users and groups**.

   <img src="/files/xA3dkuDnlkrWHrGuDZMk" alt="" height="383" width="750">
7. Click **+ Add user/group**.

   <figure><img src="/files/tW9vKiNF9s4X9uazYNra" alt=""><figcaption></figcaption></figure>
8. Click **None selected**, search for the user, and click **Add**.

   <figure><img src="/files/OaSXy676s0lXml5bxG0h" alt=""><figcaption></figcaption></figure>
9. After selecting the user, assign the role that was created in **Step #4**.

   <figure><img src="/files/Td3falvTP5MtuRi5y2V3" alt=""><figcaption></figcaption></figure>

### Tomcat Configuration

There are two different scenarios for Tomcat configuration.

#### Without Key Vault

In this scenario:

```
azure-dbkeyvault=false
```

Follow the steps below to configure Tomcat.

1. In the `oasis.properties` file, configure the following information.

```
samlHTTPMetadataProvider=<AzureADmetadata>entityBaseURL=https://<DNS NAME>:<PORT>/ovaledgeazure-dbkeyvault=falseazure-tenantid=<tenant id>azure-clientid=<client id>azure-clientsecret=<client secret>azure-resource=https://vault.azure.net
```

<div align="left"><img src="/files/JnVKNngIq3YY6YjL0xQA" alt="" height="340.26328862394433" width="656"></div>

2. Start Tomcat.

#### With Key Vault

In this scenario:

```
azure-dbkeyvault=true
```

Follow the steps below to configure Tomcat.

1. In the Tomcat `setenv.sh` file, add:

   ```
   export CATALINA_OPTS="-DOVALEDGE_SECURITY_TYPE=saml"
   ```
2. Place the following files in the `saml` folder.
   1. `keystore.jks`&#x20;
   2. `azureAD.cer`&#x20;
   3. `keyvault.jar`
3. Add the following information to the `oasis.properties` file.

```
samlHTTPMetadataProvider=<AzureADmetadata>entityBaseURL=https://<DNS NAME>:8443/ovaledgeSAML_PATH=<path to the saml folder>azure-dbkeyvault=trueazure-keyvaulturi=<your key vault uri>azure-tenantid=<your tenant id>azure-clientid=<your client id>azure-clientsecret=<your client secret>azure-resource=https://vault.azure.netazure.secretname.jdbcstring=<secret key>azure.secretname.username=<secret key>azure.secretname.password=<secret key>azure.secretname.encryptdecryptkey=<secret key>
```

{% hint style="info" %}
The secret keys referenced above are the keys created in **Chapter 2**.
{% endhint %}

**Example:**

```
azure.secretname.jdbcstring=jdbcstringazure.secretname.username=usernameazure.secretname.password=passwordazure.secretname.encryptdecryptkey=ovaledgeencryptdecryptkeyKEY=devatestappcertificate
```

![](/files/TDTdesMpl7yHHiBPLgRT)

4. Start Tomcat.
   1. After completing the Tomcat configuration, open a web browser and enter the OvalEdge application URL. The **Login** page is displayed.

      <div align="left"><img src="/files/rJznz0Ic7hsqI2yUYErk" alt="" height="311.1758857992221" width="645"></div>
   2. Click **Login** to open the **Sign-in** page. Enter the required credentials to access the OvalEdge application.

      <div align="left"><img src="/files/w5hNuNijiwfSKmHsVNFd" alt="" height="325" width="623"></div>
   3. You can view the new user role on the **Administration > Users & Roles > Roles** page.

      <div align="left"><img src="/files/NpudtGVQTgOrpWP0R2Kf" alt="" height="294" width="614"></div>

***

Copyright © 2026, OvalEdge LLC, Peachtree Corners, GA, USA.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.ovaledge.com/release8.2/installation-and-settings/authentication-and-sso-setup/microsoft-entra-id-azure-ad.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
