Generic IdP Setup
This section describes how to integrate Lighthouse with your Generic Identity Provider (IdP) Application.
If Lighthouse's supported IdPs do not include your identity provider, use the Generic IdP setup. It has been made as general as possible to meet the expectations of all IdPs in the market today.
Note: You must have your user groups set up in Lighthouse prior to creating and assigning them via the IdP. See the example in step 6 of the Okta configuration later in this topic.
Note: The {provider} in the steps must exactly match one of our provider strings, that is, generic, okta, azure_ad, or onelogin.
1. Create an application integration for "Lighthouse" in your IdP.
2. Set the ACS or consumer URL to:
   https://{main lighthouse address}/api/v3.7/sessions/saml/sso/{provider}
3. Set the Allowed SSO URLs, Allowed redirect URLs, or ACS URL Validator to include or match the /saml/sso/ URL for each address of each of your Lighthouses that you want users to be able to log in from.
   Example:
   https://{main lighthouse address}/api/v3.7/sessions/saml/sso/{provider}
   https://{main lighthouse ip address}/api/v3.7/sessions/saml/sso/{provider}
   https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/{provider}
   Depending on your IdP you may also need to include the /saml/sp_init/ URLs:
   https://{main lighthouse address}/api/v3.7/sessions/saml/sso/{provider}
   https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/{provider}
   https://{main lighthouse ip address}/api/v3.7/sessions/saml/sso/{provider}
   https://{main lighthouse ip address}/api/v3.7/sessions/saml/sp_init/{provider}
   https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/{provider}
   https://{secondary lighthouse address}/api/v3.7/sessions/saml/sp_init/{provider}
4. Set the Service Provider EntityID or Audience to:
   lighthouse-{provider}
5. If your service provider requires you to configure the Recipient, only allows a single value, and you run multiple Lighthouses or access Lighthouse via multiple addresses, then either:
   - set the Recipient to lighthouse-{provider} and use the onelogin option as your provider configuration, or
   - if you only access each Lighthouse via a single address, create a separate application integration per Lighthouse.
6. If your IdP has the option, set the initiator to the Service Provider.
7. Set your IdP to sign the Assertion for SAML.
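As an added illustration (not Lighthouse's own code), the Python below builds the ACS URLs and entity ID that the settings above ask you to enter in the IdP, then checks a SAML Response against them the way a strict service provider would: Destination and Recipient must be a configured ACS URL (or, for the Recipient, the entity ID when the onelogin option is used), the Audience must equal the entity ID, and the Assertion must carry a Signature element. The hostnames, the sample Response and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

PROVIDERS = ("generic", "okta", "azure_ad", "onelogin")
SAML_API = "/api/v3.7/sessions/saml"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def sp_settings(provider, addresses, sp_init=False):
    """Entity ID and allowed ACS URLs for the given Lighthouse addresses (constructed helper)."""
    if provider not in PROVIDERS:
        raise ValueError(f"provider must be one of {PROVIDERS}, got {provider!r}")
    urls = []
    for addr in addresses:
        urls.append(f"https://{addr}{SAML_API}/sso/{provider}")
        if sp_init:  # some IdPs also need the SP-initiated login URL listed
            urls.append(f"https://{addr}{SAML_API}/sp_init/{provider}")
    return f"lighthouse-{provider}", urls

def check_response(xml_text, entity_id, allowed_acs):
    """Return the mismatches between a SAML Response and the SP settings (empty = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") not in allowed_acs:
        problems.append("Destination is not an allowed ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion element"]
    aud = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != entity_id:
        problems.append(f"Audience {aud!r} != {entity_id!r}")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    rcpt = scd.get("Recipient") if scd is not None else None
    # Recipient is normally an ACS URL; with the onelogin option it may be the entity ID
    if rcpt not in allowed_acs and rcpt != entity_id:
        problems.append(f"Recipient {rcpt!r} matches neither an ACS URL nor the entity ID")
    # Only checks that the Assertion carries a Signature element; cryptographic
    # verification is the job of the SAML library, not of this configuration check
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    return problems

# constructed sample Response, not captured from a real IdP
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://lh.example.com/api/v3.7/sessions/saml/sso/generic"><saml:Assertion>
 <ds:Signature/><saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
 Recipient="https://lh.example.com/api/v3.7/sessions/saml/sso/generic"/></saml:SubjectConfirmation>
 </saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>lighthouse-generic</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```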