
Configure OIDC SSO with Microsoft Entra ID (Azure AD) for your organization

From version 1.42, Lightrun supports Single Sign-On (SSO) with Microsoft Entra ID as your identity provider (IdP), by integrating Lightrun with the OIDC (OpenID Connect) support in Microsoft Entra ID.

With OIDC, Lightrun functions as the service provider and receives authentication information from Entra ID, which acts as the external identity provider. When SSO is enabled, Lightrun delegates authentication requests to the customer's IdP and grants users access to Lightrun in accordance with the IdP's response.

Once you have set up your SSO with OIDC, proceed to create your Lightrun users in the User Management page.

Setting up SSO involves copying and pasting values between Microsoft Entra ID and the OIDC page in the Lightrun Management Portal, and vice versa.

Get Lightrun’s Redirection URL

  1. Log in to your Lightrun Management Portal.
  2. Click Settings on the top right-hand side of the menu bar.
  3. Set OIDC as your SSO Protocol based on your version:

    • For version 1.54 and higher.
      1. Navigate to the Identity Configuration > Login Method tab.
      2. From the list, select Single Sign-On (SSO).
      3. Select OIDC as your SSO protocol.

    • For version 1.53 and earlier.
      1. Navigate to Identity and Access Management > Identity Configuration > Provisioning.
      2. Click the SSO toggle to enable SSO.
      3. Select OIDC as your SSO Protocol.
  4. From the Service Provider's Redirect URL field, click Copy.

    This serves as the redirect URL used when configuring the identity provider. Note that at this point, SSO is not enabled with OIDC in Lightrun and will be activated in the next steps.

Set up OIDC SSO using Microsoft Entra ID

  1. Sign in to Microsoft Entra ID and click Add+.
  2. Select App registration from the list.

    The Register an application dialog opens.

  3. Enter the app details. For example, Lightrun-onprem.

  4. Click Register.

    The application is created.

  5. Copy the Application (client) ID.

  6. Log in to the Lightrun Management Portal. Navigate to Settings > Identity Configuration > Login Method > Single sign on (SSO).

  7. Select OIDC, and paste the Application (client) ID from Azure into the Identity Provider’s Client ID field in Lightrun.

  8. In Microsoft Entra ID, click Endpoints and copy the OpenID Connect metadata document value.

  9. Provide the Identity Provider’s additional parameters.

    Choose one of the following methods:

    • Select the Import additional parameters from Discovery URL option.

      Enter the following URL, where <CUSTOMER_NAME_HERE> is the domain name of your Entra ID setup: https://<CUSTOMER_NAME_HERE>.entra.com/.well-known/openid-configuration

    • [Supported from version 1.61] Select the Import additional parameters from JSON file option.

      If your identity provider does not support discovery URLs, you can create a JSON file that includes all necessary parameters and upload it to the SSO OIDC settings page.

      a. Open a text editor (e.g., Notepad, VS Code).

      b. Copy and paste the JSON structure shown below.

       Example JSON format:
      
         {
            "useJwksUrl": "true",
            "jwksUrl": "https://your-idp.com/.well-known/jwks.json",
            "authorizationUrl": "https://your-idp.com/oauth2/authorize",
            "tokenUrl": "https://your-idp.com/oauth2/token",
            "userInfoUrl": "https://your-idp.com/oauth2/userinfo",
            "logoutUrl": "https://your-idp.com/logout",
            "issuer": "https://your-idp.com",
            "defaultScope": "openid email profile"
         }
      

      Your JSON must include the following parameters:

      Parameter         Description
      useJwksUrl        Indicates whether to use the JWKS URL for verifying tokens. Set to "true" to enable.
      jwksUrl           The URL to the JSON Web Key Set used to validate ID tokens.
      authorizationUrl  The URL used to initiate the login flow.
      tokenUrl          The URL used to exchange the authorization code for an access token.
      userInfoUrl       The URL to retrieve user profile information using the access token.
      logoutUrl         The URL to redirect users for logging out of the identity provider.
      issuer            The expected iss (issuer) claim in tokens. Must match what the identity provider issues.
      defaultScope      List of scopes requested during login. Typically includes openid, email, and profile.

      c. Replace each placeholder (e.g., <your-issuer-url>) with actual values from your identity provider (such as Entra).

      d. Click Upload.

      e. Click Save.

  10. In Microsoft Entra ID, under Client credentials, click Add a certificate or secret.

  11. Under the Client Secrets tab, click New client secret.

    The Add a Client secret dialog opens.

  12. Provide an intuitive name in the Description field.

  13. Copy the secret value that was generated (not the secret ID).

  14. Go to the OIDC tab in the Lightrun Management Portal and paste the secret in the Identity Provider’s Client Secret field.

  15. In the OIDC page, copy the Service Provider’s Redirect URI.

  16. Go to Microsoft Entra and click Redirect URIs > Add a Redirect URI.

  17. Paste the Redirect URI that you copied in step 15.

  18. Test the SSO implementation.

    In the Lightrun login page, click Single Sign-On.

  19. Enter your email and click Log in.

    The Permissions requested dialog opens.

  20. Select the Consent on behalf of your organization checkbox.

  21. Click Accept.

    You are successfully logged into Lightrun with SSO using Microsoft Entra ID.
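
A pre-upload check for the JSON parameters file from step 9, as an added example (not Lightrun's code or its own validation logic): it confirms that every parameter in the table is present, that each endpoint is an absolute https:// URL with no unreplaced placeholder, and that the scope list contains openid. The name check_oidc_params, the rule that only the string "true" counts as enabled for useJwksUrl, and the broken sample are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Parameters the page lists as mandatory in the uploaded file.
URL_KEYS = ("jwksUrl", "authorizationUrl", "tokenUrl",
            "userInfoUrl", "logoutUrl", "issuer")
REQUIRED = ("useJwksUrl",) + URL_KEYS + ("defaultScope",)

def check_oidc_params(text):
    """Return a list of problems in the JSON text; an empty list means clean."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = [f"{k}: missing" for k in REQUIRED if k not in cfg]
    for key in (k for k in URL_KEYS if k in cfg):
        value = cfg[key]
        if not isinstance(value, str) or "<" in value or value != value.strip():
            problems.append(f"{key}: unreplaced placeholder or stray whitespace")
            continue
        try:
            parts = urlsplit(value)
            ok = parts.scheme == "https" and bool(parts.hostname)
        except ValueError:  # urlsplit rejects malformed bracketed hosts
            ok = False
        if not ok:
            problems.append(f"{key}: not an absolute https:// URL")
    # Assumption of this example: only the string "true" counts as enabled.
    if cfg.get("useJwksUrl", "true") != "true":
        problems.append("useJwksUrl: JWKS verification is not enabled")
    scope = cfg.get("defaultScope", "openid")
    if not isinstance(scope, str) or "openid" not in scope.split():
        problems.append("defaultScope: must include openid")
    return problems

# The page's example file (PAGE_EXAMPLE) and a constructed broken one.
PAGE_EXAMPLE = json.dumps({
    "useJwksUrl": "true", "jwksUrl": "https://your-idp.com/.well-known/jwks.json",
    "authorizationUrl": "https://your-idp.com/oauth2/authorize",
    "tokenUrl": "https://your-idp.com/oauth2/token",
    "userInfoUrl": "https://your-idp.com/oauth2/userinfo",
    "logoutUrl": "https://your-idp.com/logout",
    "issuer": "https://your-idp.com", "defaultScope": "openid email profile"})
BROKEN_EXAMPLE = ('{"useJwksUrl": "true", "tokenUrl": "http://your-idp.com/oauth2/token",'
                  ' "issuer": "<your-issuer-url>", "defaultScope": "email profile"}')

if __name__ == "__main__":
    print("\n".join(check_oidc_params(BROKEN_EXAMPLE)) or "OK")
```

Run it against the file before clicking Upload; the broken sample reports the four missing parameters, the http:// token endpoint, the placeholder issuer, and the missing openid scope.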


Last update: June 19, 2025