> For the complete documentation index, see [llms.txt](https://docs.ovaledge.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.ovaledge.com/release8.2/installation-and-settings/authentication-and-sso-setup/microsoft-entra-id-azure-ad-without-key-vault.md).

# Microsoft Entra ID (Azure AD) Without Key Vault

This article describes how to integrate OvalEdge with Microsoft Entra ID (formerly Azure Active Directory) using the SAML 2.0 protocol without Azure Key Vault. The integration enables Single Sign-On (SSO), allowing users to authenticate through Microsoft Entra ID and access OvalEdge using their enterprise credentials.

The configuration process includes creating and configuring an Enterprise Application in Microsoft Entra ID, setting up SAML-based authentication, configuring user and group claims, creating and assigning application roles, and updating OvalEdge configuration settings to establish trust between Microsoft Entra ID and OvalEdge.

In this deployment model, SAML metadata and authentication settings are configured directly within the application environment without using Azure Key Vault for certificate or secret management. After the integration is completed, user authentication is managed through Microsoft Entra ID, while authorization is controlled through configured roles and group assignments.

### Purpose

This document enables administrators to:

* Configure Microsoft Entra ID as the Identity Provider (IdP) for OvalEdge.
* Enable SAML 2.0-based Single Sign-On (SSO) authentication.
* Configure user, group, and role claims in Microsoft Entra ID.
* Create and assign Microsoft Entra ID application roles for OvalEdge users and groups.
* Configure OvalEdge to consume Microsoft Entra ID SAML metadata without Azure Key Vault integration.
* Verify successful authentication and role assignment within OvalEdge.

### The Setup

Please follow the steps below to integrate the OvalEdge application with Azure Active Directory and run the OvalEdge application with https.

**Example:** https\://\<DNS>:8443/ovaledge

1. **Create an Enterprise application in Azure:** It is used to authenticate Azure users in the OvalEdge application.
2. **Authentication and Authorization:** This section explains how to create roles and groups in the AD and add members to the group.
3. **Tomcat Configuration:** It is used to configure Azure with the OvalEdge Application.

### 1. Create an Enterprise application in Azure

To create an Enterprise application in Azure, complete the following steps:

**Step#1:** Navigate to Azure Active Directory and click on the **Azure Active Directory**.

<div align="left" data-with-frame="true"><img src="/files/etpkB0Gs8nl79tCDo9jl" alt="" height="288" width="624"></div>

**Step#2:** Click on the **Enterprise Applications** to display the Enterprise applications page.

<div align="left" data-with-frame="true"><img src="/files/UpW1jmcZTIVqo0yONCR4" alt="" height="325" width="624"></div>

**Step#3:** On the Enterprise applications page, click **+ New Application**, which will display the Browse Azure AD Gallery Page.

<div align="left" data-with-frame="true"><img src="/files/i9rd7aUchikzJiwWtXPs" alt="" height="281" width="624"></div>

**Step#4:** On the Browse Azure AD Gallery page, click on **Create your own application**.

<div align="left" data-with-frame="true"><img src="/files/9MUkzOW3rp00JZa2HUv3" alt="" height="332" width="624"></div>

**Step#5:** Name the application and click on **Create**.&#x20;

<div align="left" data-with-frame="true"><img src="/files/sTANWhFPwPBb6Nm2DuWX" alt="" height="381" width="624"></div>

**Step#6:** Open the application you have created, click on ‘Single Sign-on’ and select ‘SAML’.

<div align="left" data-with-frame="true"><img src="/files/yZhriOHJxAxKfZKQohc2" alt="" height="344" width="624"></div>

<div align="left" data-with-frame="true"><img src="/files/3nM0q0ZmIMZyTepaswYO" alt="" height="277" width="624"></div>

**Step#7:** Click on Edit to edit 'Basic SAML Configuration'.

<div align="left" data-with-frame="true"><img src="/files/i0q6FQKxapZTI0HvbvkR" alt="" height="341" width="624"></div>

**Step#8:** Enter https\://\<DNS>/ovaledge/saml/metadata for identifier, https\://\<DNS>/ovaledge/saml/SSO for 'Reply URL (Assertion Consumer Service URL)' and https\://\<DNS>/ovaledge/saml/SingleLogout for 'Logout Url (Optional)'. Click on Save.&#x20;

{% hint style="info" %}
Please mention the port if such a configuration is made. &#x20;
{% endhint %}

<div align="left" data-with-frame="true"><img src="/files/EPtuisQLauoaNFatfKcn" alt="" height="687" width="624"></div>

**Step#9.1:** Click on Edit to configure 'Attributes & Claims'.

<div align="left" data-with-frame="true"><img src="/files/9lusexV3gPKupfGP6m1Y" alt="" height="155" width="624"></div>

**Step#9.2:** Click on '+ Add a group claim' and select 'Groups assigned to the application' and then click save.

<div align="left" data-with-frame="true"><img src="/files/VQwAcDRkbICl7cxJMJ7Z" alt="" height="328" width="624"></div>

**Step#9.3:** Click on Edit to edit 'SAML Signing Certificate'.

<div align="left" data-with-frame="true"><img src="/files/tm7oAYEzvtE9J8Osefc6" alt="" height="388" width="607"></div>

**Step#10:** Select 'Signing Algorithm' as 'SHA-1' and click 'Save' to display the SAML-based Sign-on Page.

<div align="left" data-with-frame="true"><img src="/files/sk0MMYto6zytTatYwx52" alt="" height="297" width="624"></div>

**Step#11**: On the SAML-based Sign-on Page, click on the Copy icon to copy the metadata URL.

<div align="left" data-with-frame="true"><img src="/files/ehTWUk6YE7pGHwdKajgz" alt="" height="308" width="624"></div>

### 2. Authentication and Authorization for Remote Configuration

{% hint style="warning" %}
If the authorization is Hybrid can skip this step.&#x20;
{% endhint %}

Please follow the steps below to authenticate and authorize with Azure AD to log in to the OvalEdge application.

**Step#1:** Navigate to APP registration corresponding to the enterprise application and click on the 'Token Configuration'. Click on '+ Add optional claim', and select 'SAML'. Under SAML, select email and up and click on 'Add.'

<div align="left" data-with-frame="true"><img src="/files/9WNGEoOaY47EYIa7QHAz" alt="" height="327" width="624"></div>

**Step#2:** Enable 'Turn on the Microsoft Graph email, profile permission (required for claims to appear in token)' and click on add.

<div align="left" data-with-frame="true"><img src="/files/52qUUWw6vwuw03ET90gr" alt="" height="172" width="624"></div>

**Step#3:** Click on '+ Add groups claim'. select security groups and under ID select 'sAMAccountName', under Access select 'sAMAccountName', under SAML select 'Group ID'. And then click on 'add'.

<div align="left" data-with-frame="true"><img src="/files/iPLzJh5ruad5CXj83OK4" alt="" height="327" width="624"></div>

**Step#04:** Navigate 'App roles'. Click on '+ Create app role', enter display name as 'OE\_ADMIN,' select 'Allowed member types' as 'Both (Users/Groups + Applications),' give value as 'OE\_ADMIN,' enter Description as 'OE\_ADMIN' and click on apply.

<div align="left" data-with-frame="true"><img src="/files/uYeazv0plFkfFwemz6CX" alt="" height="327" width="624"></div>

**Step#05:** Navigate to the Enterprise application and search for the application.

<div align="left" data-with-frame="true"><img src="/files/jbnAzTcLcDGizsInvGua" alt="" height="262" width="603"></div>

**Step#06:** Click on assign and user groups

<div align="left" data-with-frame="true"><img src="/files/Aq5AFR2LLFUo3bgSvbDK" alt="" height="284" width="624"></div>

**Step#07:** Click on + add user/group

<div align="left" data-with-frame="true"><img src="/files/1xC1EoHL1hNHpvYuDtg6" alt="" height="330" width="619"></div>

**Step#08:** Click on none selected search user and click on add. &#x20;

<div align="left" data-with-frame="true"><img src="/files/4qfaj51UIdv2nK8vGLLj" alt="" height="324" width="624"></div>

**Step#09:** The user selects assign a role that was already created under **Step#04**.

<div align="left" data-with-frame="true"><img src="/files/78a17vDks1bjgbDAQjtB" alt="" width="375"></div>

### 3. Tomcat Configuration

Please follow the below steps to configure Tomcat the Azure AD with OvalEdge app.

**Step#1:** In the oasis.properties configure the below information.

samlHTTPMetadataProvider=\<AzureADmetadata>

entityBaseURL=https\://\<DNS NAME>/ovaledge

<div align="left" data-with-frame="true"><img src="/files/1FsKH8QbUYIyKCKBBX1u" alt="" height="135.36900506657125" width="624"></div>

**Step#2:** Start the Tomcat.

After running the Tomcat configuration, go to the web browser and enter the URL to log in to the OvalEdge application, which will display the Login page below.

<div align="left" data-with-frame="true"><img src="/files/rqlJRCUi0uC7EthRAu4m" alt="" height="301.1379539992472" width="624"></div>

**Step#3:** Click on Login to see the Sign-in page. Enter the required credentials to enter into the OvalEdge application.

<div align="left" data-with-frame="true"><img src="/files/G1EB4Ojr5wSuNXup7ZS6" alt="" height="325" width="623"></div>

**Step#4:** User can view the new user role on the Administration > User’s & Roles > Roles page.

<div align="left" data-with-frame="true"><img src="/files/U2RPrHPEvWkMUYgxjjTS" alt="" height="294" width="614"></div>

***

Copyright © 2025, OvalEdge LLC, Peachtree Corners, GA, USA.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.ovaledge.com/release8.2/installation-and-settings/authentication-and-sso-setup/microsoft-entra-id-azure-ad-without-key-vault.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
