Single Sign-On (SSO) lets your team access Nookal using the same login credentials they already use across your organisation's other applications. Instead of creating and remembering a separate Nookal password, your users sign in through your existing identity provider.
Nookal supports SSO using SAML 2.0.
This guide covers setup with Microsoft Entra ID (formerly Azure Active Directory / Azure AD).
Before you start...
Single-Sign On (SSO) is not available on all accounts. Contact support@nookal.com for more information.
After SSO is activated on your Nookal account, you will need:
• Owner/Manager access to Nookal to enable and configure the SSO integration.
• Administrator access to Microsoft Entra ID with permission to create enterprise
applications and grant admin consent.
Important!
Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID in 2023. Depending on your portal, you may still see the older “Azure AD” labels in some menus. The two names refer to the same service.
Part 1: Create and configure Nookal in Microsoft Entra ID
Step 1: Copy the Tenant ID
1. Sign in to the Microsoft Entra admin center (or the Azure portal) as an administrator and go to Microsoft Entra ID.
2. Within the Overview section under Basic Information, copy the Tenant ID and paste it somewhere you can find easily. You'll paste this into Nookal in Part 2.
Step 2: Create the application
1. While still in Microsoft Entra ID go to Manage > Enterprise applications (in older portals: Azure Active Directory > Enterprise applications).
2. Select New application.
3. Click Create your own application, enter Nookal as the Input name, choose Integrate any other application you don't find in the gallery (Non-gallery), and select Create.
Step 3: Complete SAML setup
1. Open the Nookal application you just created and in the left-hand menu under Manage, select Single sign-on.
2. At Basic SAML Configuration click Edit.
3. Fill in the following fields:
| Field | What to enter |
| Identifier (Entity ID) | Your Nookal Company ID (for example, CLINIC-0001). |
|
Reply URL (Assertion Consumer Service URL) |
The Nookal SSO endpoint that receives the sign-in response. Enter your region URL that shows when you login to Nookal for example: https://auzone3.nookal.com followed by /v2.5/auth/ssoLogin |
4. Save when you're done.
Step 4: Download the signing certificate
1. While in the Single-sign on section, scroll down to SAML Certificates section, locate Certificate (Base64) and select Download and save the file. You'll upload this to Nookal in Part 2.
This certificate is used to sign and verify the data exchanged during sign-in, keeping the
authentication process secure.
Step 5: Assign users and groups
1. In Nookal application's overview page in the left-hand menu, select Users and groups under Manage.
2. Select Add user/group, then choose the users or groups who should be able to sign in to Nookal via SSO.
Important!
The email addresses of the users set up in Azure must match the email address that is entered in their Nookal staff profile.
Only the users and groups you assign here will be able to access Nookal through SSO.
Part 2: Enable and configure SSO in Nookal
1. In Nookal, go to Setup > Extensions > Advanced.
2. Toggle Single Sign-On (SSO) to enable and click Configure.
3. In the SSO Target URL field paste the Tenant ID you copied from Microsoft Entra ID (Part 1, Step 1).
4. Click Upload Signing Certificate and select the Base64 certificate you downloaded (Part 1, Step 4).
5. By default, using SSO will disable users from logging in with Passwords. You can enable this again by toggling Disable Passwords to active.
6. Optionally, choose to allow specific Permission Groups the ability to bypass the SSO password locks.
This can be set by clicking into the Permission Groups field under Override Accounts and selecting applicable Permission Groups from the list.
7. Click Save.
Your SSO connection between Microsoft Entra ID and Nookal is now active!
Part 3: Signing in with SSO
Once SSO is set up, your team can sign in to Nookal using your organisation's credentials:
If you're already signed in to Microsoft elsewhere in your browser, you may be logged straight in without re-entering your credentials.
Frequently Asked Questions
What is Single Logout (SLO)?
When Single Logout is supported and a user signs out of one connected application, a logout request is sent to the identity provider, which then signs the user out of all other active sessions, including Nookal. This ensures users are fully signed out across your connected applications in one step.
Which identity providers does Nookal support?
Nookal supports any identity provider that uses SAML 2.0. This guide covers Microsoft Entra ID; the same principles apply to other providers, though the exact menu names and steps will differ.
Do users still need a separate Nookal password?
No. Once SSO is enabled and a user is assigned access in your identity provider, they sign in using their existing organisational credentials.
Who can access Nookal via SSO?
Only the users and groups you assign to the Nookal application in your identity provider. To revoke access, simply remove the user or group.
Our SSO sign-in suddenly stopped working. What happened?
Confirm the certificate hasn't expired and that the Reply URL and Login URL still match on both sides.
Can we use SSO and standard Nookal logins at the same time?
Yes. Enabling SSO adds the option to log in with SSO; it doesn't remove existing login methods unless you choose to restrict them.