Integrate a web application with Conditional Access

In this topic, you will find general instructions on how to integrate a web application with Portnox™ Conditional Access for Applications.

Note: Check the menu on the left-hand side for examples of the most common web applications. Use this general guide only if your specific application is not included in the list.

Create a Portnox Cloud application configuration

In this step, you will create a configuration in Portnox Cloud that will contain all the information necessary to integrate with your web application.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Applications option.

  3. On the Applications screen, click on the Add application button, and select the Add new SAML application option.

  4. Optional: If you have more than one SAML identity provider configured, select the identity provider in the Select an identity provider to use for this application section.

  5. In the Application details section, enter an Application name and optionally a Description.

  6. Keep this browser tab open. You will need it later.

Open your web application SAML SSO integration settings

In this section, you will access your web application’s administrative interface and find the settings for SAML SSO integration.

  1. In another tab of your browser, open your web application’s administrative interface.

    From now on, we will call this tab the application tab.

  2. In your web application’s administrative interface, find the configuration options for SAML-based single sign-on (SSO).

    Consult the web application documentation if necessary. Some other keywords and acronyms that may help you find the correct configuration section are: identity provider (IdP) or Security Assertion Markup Language (SAML).

Copy configuration values from the Portnox tab to the application tab

In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the web application’s SSO setup section.

  1. In the Portnox tab, in the Service details section, click on the ⧉ icon next to the Identity Provider Entity ID / Audience URI field to copy the value.

  2. In the application tab, paste the value copied from Portnox Cloud in a field designated for the identifier of the identity provider, which the application uses to recognize and trust the incoming authentication responses. For example:

    Identifier, Audience, Entity ID, Service Provider Entity ID, SP Entity ID, Service Provider ID, Identity Provider Entity ID, Application ID, Relying Party ID, Trusted ID, Recipient URL, Target URL, Audience URL, or Destination Service.

  3. In the Portnox tab, in the Service details section, click on the ⧉ icon next to the Sign-In URL / SSO URL field to copy the value.

  4. In the application tab, paste the value copied from Portnox Cloud in a field designated for a URL where the user is redirected for authentication. For example:

    SSO URL, Login URL, IdP Login URL, Authentication URL, Sign-In URL, SSO Sign-In URL, Identity Provider SSO URL, IdP Authentication URL, External Login URL, SSO Endpoint, Authentication Endpoint, IdP Endpoint, or SAML Endpoint.

  5. In the Portnox tab, in the Certificates > Signing certificates section, click on the ⋮ icon next to the Active certificate and select the Copy certificate option to copy the certificate.

    Note: If the application requires you to upload a certificate instead of pasting it, select the Download certificate option and save the file instead.

  6. In the application tab, paste the certificate copied from Portnox Cloud in a field designated for a certificate. For example:

    Certificate, Signing Certificate, Security Certificate, Public Key Certificate, IdP Certificate, SAML Certificate, Verification Certificate, SSL Certificate, Digital Certificate, Trusted Certificate, Server Certificate, or Public x509 Certificate.

    Note: If the application requires you to upload a certificate instead of pasting it, upload the certificate file you downloaded in the previous step.

  7. Optional: If the application asks you to specify the URL of a SAML metadata file or to upload a SAML metadata file instead of copying and pasting individual values, in the Portnox tab, copy the value of the URI field in the SAML metadata section and paste the URL in the relevant field in the application, or click on the Download metadata XML file link, save the file, and then upload this file to the application.

Copy configuration values from the application tab to the Portnox tab

In this section, you will copy the values displayed in your web application’s SSO setup section, and paste them in the relevant fields in Portnox Cloud.

  1. In the application tab, look for a field that contains the unique identifier of the service provider, and copy its value. For example:

    Entity ID, Application ID, Service Provider Identifier, SP Identifier, Service Provider ID, Application Entity ID, SAML Entity ID, Relying Party Identifier, Service Provider URL, Service Provider Entity URL, SP URL, or Relying Party URL.

  2. In the Portnox tab, in the Application properties section, click on the empty field under the Entity ID / Service Provider Entity URL heading and paste the value copied from the application.

  3. In the application tab, look for a field that contains the URL to which the identity provider sends the SAML assertion after successfully authenticating a user. For example:

    Reply URL, Recipient URL, Destination URL, Consumer Service URL, SSO Endpoint URL, SSO Response URL, SAML Response URL, SAML Receiver URL, SAML Callback URL, Assertion URL, SAML Assertion URL, Assertion Consumer Service URL, or ACS URL.

  4. In the Portnox tab, in the Application properties section, click on the empty field under the Assertion Consumer Service (ACS) URL / Reply URL heading and paste the value copied from the application.

  5. Optional: In the application tab, look for a field that contains the specific URI where the application expects to receive the authentication response or where the user should be redirected after successful authentication. For example:

    Callback URL, Redirect URI, Return URL, Post-Login URL, Response URL, Landing URI, Relay State URL, Destination URL, Success URL, Application Login URI, or Post-Authentication Redirect URI.

  6. Optional: In the Portnox tab, click on the OPTIONAL SETTINGS heading, and in the displayed Application Login URI field, paste the value copied from the application.

  7. Optional: In the application tab, look for a field that contains the URL or URLs where a user can be redirected after successfully logging out. For example:

    Sign-out URL, Logout Callback URL, Post-Logout Redirect URI, Logout Redirection URL, Return URL on Logout, Logout Response URL, Signed-Out URL, Logout Endpoint, Session End URL, Logout Success URL, or Allowed Logout URL.

  8. Optional: In the Portnox tab, click on the OPTIONAL SETTINGS heading, and in the displayed Allowed Logout URIs field, paste the value copied from the application.

Finalize the configuration

In this section, you will finalize the configuration in Portnox Cloud and your web application (if necessary).

  1. Finalize the configuration in the Portnox tab.
    1. Optional: In the Application properties section, click on the OPTIONAL SETTINGS heading, and in the Certificate signing option select the signing option that is required by the application.

      Note: Most applications work with the default option: Sign SAML assertion. However, there are a few applications (e.g., Paylocity) that require Conditional Access to sign both the assertion and the response.
    2. Optional: If the application requires a signature verification certificate to be active, activate the Require signed authentication request checkbox and click on the Add certificate link below to add the certificate copied from the application tab.
    3. Optional: In the POLICY ASSIGNMENTS section, change the setting to Application-based and then select an access control policy and a risk assessment policy if you want to control access to this application without using groups.
    4. Scroll all the way down to the end of the page, and then click on the Save button.

  2. Perform any final steps in the web application as necessary, for example, test the configuration, save the configuration, assign users, or configure authentication methods.

    Consult your web application’s documentation for information on what steps are necessary.

Result: You have configured the application to be accessible using Portnox Conditional Access for Applications.