Configure SSO SAML with Microsoft Entra ID for your organization

Lightrun supports Single Sign-On (SSO) with Microsoft Entra ID (formerly known as Azure Active Directory (AD)) as the identity provider (IdP), using the SAML 2.0 integration in Microsoft Entra ID.

Using SAML, Lightrun functions as a service provider, receiving user authentication information from Microsoft Entra ID, which serves as the external identity provider. When SSO is enabled, Lightrun is no longer responsible for user authentication, but still manages the redirection of login requests to the identity provider and verifies the integrity of the response from the identity provider.

Terminology

  • Identity Provider (IdP): A service that manages user accounts, providing authentication services to applications. Lightrun supports Microsoft Entra ID for this purpose.
  • Service Provider: The website that hosts apps. In this case, it refers to Lightrun.
  • Service Provider Entity UID: The URL that uniquely identifies your service provider. It is generated on the SSO page in the Lightrun Management Portal.
  • Single Sign-On URL: This endpoint URL is generated on the SSO page in the Lightrun Management Portal.
  • Single Sign-On Service URL: The URL used for sending authentication requests (SAMLAuthnRequest). It is generated in Microsoft Entra ID.

The process of setting up SSO involves these main stages:

  1. Setting up the Lightrun-SAML integration in Microsoft Entra ID.
  2. Configuring and enabling SSO SAML in the Lightrun Management Portal.

Set up Lightrun SAML integration in Microsoft Entra ID

Follow these steps to set up Lightrun with SSO SAML.

Step 1: Copy URLs from the Lightrun Management Portal

  1. Log in to your Lightrun account.
  2. Go to the Identity and Access Management tab > Identity Configuration > Provisioning.
  3. To enable SSO, click the SSO toggle.
  4. Click SAML as your authentication method.
  5. Click Azure AD as your Identity Provider. Microsoft Entra ID was formerly named Azure AD.

  6. From the Service Provider's Redirect URL field, click Copy.

    This field will serve as the redirect URL used when configuring the identity provider.

  7. From the Service Provider's Entity ID field, click Copy.

    This field will serve as the unique identification of the SAML service provider.

Proceed to the next step where you will paste these values in Microsoft Entra ID.

Step 2: Set up the Lightrun application in Microsoft Entra ID

  1. Sign in to Microsoft Entra ID and click Enterprise applications in the sidebar.
  2. Select New application.
  3. Select Create your own application.

    The Create your own application pane opens.

  4. Enter a name for your new app, for example: <My App>.

  5. Click Create. When the application's Overview page displays, the application is created.
  6. In the <My App> application, under the Manage section, click the Single sign-on tab in the sidebar.

  7. In the Basic SAML Configuration box, click Edit.

  8. In the Identifier (Entity ID) field, paste the Service Provider's Entity ID that you copied from the SSO page in the Lightrun Management Server.
  9. In the Reply URL (Assertion Consumer Service URL) field, paste the Service Provider's Redirect URL that you copied from the SSO page in the Lightrun Management Server.

Enable SSO with Microsoft Entra ID support in Lightrun

Step 1: Copy URLs from Microsoft Entra ID

  1. In Microsoft Entra ID, access the <My App> application that you configured in the previous stage.
  2. Access the SSO tab, and copy the Sign-On URL.

    Proceed to the next step to paste the URL in the SSO page in the Lightrun Management Portal.

Step 2: Configure and enable SSO in the Lightrun Management Portal

  1. Log in to your Lightrun account.
  2. Click Settings on the top right-hand side of your screen to navigate to the Identity and Access Management tab > Identity Configuration > Login methods section.
  3. To enable SSO, click the SSO toggle.
  4. Ensure that your external Identity Provider (IdP) is set to Azure AD.
  5. In the Identity Provider's SSO URL field, paste the Sign-On URL you copied in Step 1, which is used to send authentication requests (SAMLAuthnRequest).
  6. Click Save.
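
A check worth running after saving, added here as an example (not Lightrun's or Microsoft's code): it parses a SAML response and confirms that its Destination, Recipient and Audience carry exactly the Redirect URL and Entity ID pasted into Microsoft Entra ID. The URLs and the sample XML are constructed placeholders, and the script compares configuration values only; it does not verify the response signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed placeholders standing in for the values copied from the Lightrun SSO page.
SP_ENTITY_ID = "https://lightrun.example.com/saml/metadata"
SP_REDIRECT_URL = "https://lightrun.example.com/saml/acs"

# Constructed, unsigned sample response, trimmed to the fields checked below.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SP_REDIRECT_URL}">
  <saml:Assertion>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{SP_REDIRECT_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, entity_id, redirect_url):
    """Return a list of mismatches between a SAML response and the SP settings."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination and Recipient must equal the Reply URL (Assertion Consumer Service URL).
    if root.get("Destination") != redirect_url:
        problems.append(f"Destination is {root.get('Destination')!r}")
    recipients = [e.get("Recipient")
                  for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if redirect_url not in recipients:
        problems.append(f"Recipient is {recipients!r}")
    # Audience must equal the Identifier (Entity ID); comparison is exact, byte for byte.
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience is {audiences!r}")
    return problems


if __name__ == "__main__":
    for line in check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SP_REDIRECT_URL) or ["all values match"]:
        print(line)
```

A trailing slash or a different scheme in either pasted value is enough to produce a mismatch, which is the usual cause of a login that redirects correctly but is then rejected.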


Last update: September 17, 2024