SAML/SSO with Microsoft Entra ID

One of the SAML identity providers (IdP) you can use is Entra ID.
Before setting up your Entra ID integration, please read over our Understanding SAML/SSO article to learn basic concepts and useful tips.
In order to get started with the setup of SSO with Entra ID, you will need:
  • Administration abilities within Microsoft Entra.
  • Super-admin user role within Hudu.
  • All users are provisioned in Entra with the same exact email address. We don't create new user accounts with SSO.
  • Microsoft Account with Entra ID Premium activated.
  • If JIT Provisioning is not enabled, ensure that the users have already been created in Hudu before starting this process.

Just-in-Time (JIT) Provisioning 

Hudu supports Just-in-Time (JIT) provisioning for users signing in through SSO. When a user logs in for the first time via your identity provider, their account will be automatically created based on the attributes and group memberships passed during authentication. 

   ℹ️ Need more details on enabling JIT Provisioning in Hudu?
🔗 Visit our full guide for more information. 

Guides

How to Enable SSO

  1. Login to Hudu and click the Admin tab on the top toolbar.
  2. Click Security.
  3. Click Configure SAML/SSO.
  4. Turn Single Sign-On to On.
  5. Enter SAML details. See the relevant section below on how to fill this information out.
  6. Click Save.

Configuring Entra ID

  • In Microsoft Azure:
    • Navigate to Microsoft Entra ID >> Enterprise Applications.                                                       Entra_Services.png

Entra_Enterprise_Applications.png

  • Click to add a + New Application >> Create your own application.

Entra_New_Application.png

 

Entra_Createyourown_Application.png

  • On the next screen, give your application a name, and click on Integrate any other application you don't find in the gallery (Non-gallery).
    • If you don't have Entra Premium, you won't be able to add a name.

Entra_Createyourown2.png

  • Click Users and Groups and assign users to this application. Click + Add User to add users.
    • Remember, users must have the same exact e-mail address as their Hudu account e-mail address.

2Screen_Shot_2020-01-27_at_22.24.25.png

  • Then, click Single sign-on to configure SSO. Click SAML.

3Screen_Shot_2020-01-27_at_22.26.01.png

 

  • Basic SAML Configuration:
  •  
    • Click the Pencil Icon next to Basic SAML Configuration.

4Screen_Shot_2020-01-27_at_22.28.58.png

  •  
    • Enter the following in the fields:
      • Identifier (Entity ID): Enter your Hudu URL, e.g. https://docs.mywebsite.com
      • Reply URL (Assertion Consumer Service URL): Enter https://docs.mywebsite.com/saml/consume
      • Sign-on URL: Enter https://docs.mywebsite.com
      • Relay State: You can skip filling this in.
      • Logout URL: Enter a URL where Hudu can redirect users after they sign out.
      • Make sure to replace docs.mywebsite.com with your URL and subdomain. There is also no trailing slash at the end of the URL.
  • User Attributes & Claims:
    • Click the Pencil Icon next to the User Attributes & Claims box.

5Screen_Shot_2020-01-27_at_22.35.32.png

  • Click on Unique User Identifier (Name ID)

6Screen_Shot_2020-01-27_at_22.35.59.png

  • If it's not already, set the Source attribute to user.userprincipalname and click Save.
  • Please note that the user's UPN must match their email to use this source attribute. 

entraid.png

  • SAML Signing Certificate:
    • Click the Pencil Icon next to the SAML Signing Certificate box.

8Screen_Shot_2020-01-27_at_22.39.42.png

  • Enter an e-mail to receive notifications and click Save.

Entra_Signing_CERT2.png

  • Final Setup:
    • Finally, the 4th box that says Set up <application-name> will contain the information that needs to be inputted into your Hudu admin area > Security > SSO Settings.

 

Configuring Hudu

  1. In Hudu, with a user role of Admin or Super Admin:
    • Navigate to your Hudu admin area >> Security >> SAML/SSO Configure.
  2. Provide Identity Provider (IdP) information:
    • This is the information from the final setup step above.
    • SAML Issuer URL: This is what Entra ID calls their "Microsoft Entra Identifier." Copy this exactly into Hudu.
      • This SHOULD include the trailing "/".
    • SAML Login Endpoint: This is what Entra ID calls their "Login URL." Copy this exactly into Hudu.
    • SAML Logout Endpoint: This is what Entra ID calls their "Logout URL." Copy this exactly into Hudu.
    • SAML Fingerprint:
      • Download and copy the PEM certificate and paste it into the SAML Certificate field. Make sure there is no extra space trailing at the end!
        • To locate the PEM certificate download, select the pencil icon for SAML certificates and click the three dots in the corner. Select PEM certificate download.

PEM_cert.png

  • Note that the thumbprint given in the SAML Signing Certificate box is the SHA-1 fingerprint.
    In order to obtain the SHA-256 thumbprint: Download the PEM certificate and paste into  https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
    Select the SHA-256 algorithm, and copy the fingerprint provided (formatted or not).
  • If using SHA-256, ensure that you click 'Use SHA-256' in Hudu.
  • SAML Certificate: This is provided by Entra ID, and should be the same certificate used to configure the fingerprint; copy this exactly.

    -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- should be included.

SSO_Guide_Entra.png

  • SAML ARN: This signifies the Authentication Context that Hudu will provide to the IdP. AuthnContext is the method by which a user tries to log in (i.e. via password, passwordless, etc.).
  • If you specify Do not pass RequestedAuthnContext in your request, the URN is used by the IdP to say "I don't want to tell you how I identified the user".
    • Requested Authentication Context may be required for your IdP, but it is typically optional.
      • If you have users that use Passwordless login to your IdP; do not pass RequestedAuthnContext must be selected.
    • If you specify Password in your request, the IdP knows it has to authenticate the user through login/password.
    • If you specify PasswordProtectedTransport in your request, the IdP knows it has to authenticate the user through login/password, protected by SSL/TLS.
3. Click Enable Single Sign-On.
4. Hit Update SAML Details and SAML should now be activated.

 

Testing SAML

Open an incognito window and try and access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you are able to successfully log in via this button, your SAML is working!
You can also click 'Test SAML' from within your Hudu SAML app in Entra ID.

Exempt Groups from SSO

You have the option to select groups to exempt from SSO. Admins and portal members are always exempt.

exempt_groups_sso.png

 

 

FAQ

Entra ID x509 multi-factor error

Answer: Change SAML ARN to Do Not Pass RequestedAuthnContext (in Hudu)

Notes: Entra ID is restricting access due to the user's authentication context (the method by which they’re logging in). Likely the SAML ARN is set to Password or Password-ProtectedTransport, and the user is using some form of “passwordless” login. Entra ID rejects this because the user is not entering a username/password.

Single Sign-On Authentication Failed

Answer:
If you see “Single Sign-On Authentication Failed,” the certificate thumbprint is incorrect. To fix this:

  1. Navigate to the SAML Certificates section of your application.

  2. Click Edit, then the three dots in the modal on the right-hand side.

  3. Download the PEM certificate.

  4. Use a fingerprint tool to calculate the correct fingerprint.

  5. Enter the corrected fingerprint into your SSO settings in Hudu.

  6. Test again — the login should now succeed.

Related to

Was this article helpful?
1 out of 1 found this helpful