Azure Example - Active Directory

Lighthouse can be added to Azure Active Directory as an Enterprise application. This example uses App roles to grant users permissions: each App role is given the name of a Lighthouse user group, and the assigned roles are passed to Lighthouse in a SAML claim.

To create an Application (Enterprise applications)

  1. Go to Azure Active Directory.

  2. Go to Enterprise applications.

  3. Click New Application.

  4. Click Create your own application.

  5. Select Integrate any other application you don't find in the gallery (Non-gallery).

  6. Name your Application, for example, Lighthouse, then click Create.

  7. Click Properties:

    1. Set Assignment required to Yes.

    2. Set Enabled for users to sign-in to Yes.

    3. Click Save.

  8. Go to Single sign-on:

    1. Select SAML.

    2. Edit Basic Configuration:

      1. Add an Identifier (Entity ID) of lighthouse-azure_ad and set it as the default.

      2. In Reply URL (Assertion Consumer Service URL), add the SSO URL for every address you want to be able to sign in on, that is, the DNS name and the IP address of both your primary and secondary Lighthouses. Azure AD only posts assertions to a URL in this list, so any address left out cannot be used to sign in:
        https://{primary lighthouse address}/api/v3.7/sessions/saml/sso/azure_ad
        https://{primary lighthouse IP address}/api/v3.7/sessions/saml/sso/azure_ad
        https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/azure_ad
        https://{secondary lighthouse IP address}/api/v3.7/sessions/saml/sso/azure_ad

      3. Set Sign on URL to https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/azure_ad.

      4. Click Save.

    3. Edit Attributes & Claims:

      1. Remove the default claims from Additional claims.

      2. Click Add new claim and enter:

        • Name: LH_Groups

        • Source attribute: user.assignedroles (this emits the Value of every App role assigned to the user, or to a group the user belongs to, as a value of the LH_Groups claim)

IdP Metadata
  1. Go to the Azure Active Directory.

  2. Go to Enterprise applications and open your application.

  3. Go to Single sign-on.

  4. Navigate to 3. SAML Signing Certificate and find and download Federation Metadata XML.

Configure Lighthouse
  1. Copy the Federation Metadata XML to your primary Lighthouse.

  2. Using saml-idp-metadata on your primary Lighthouse, configure each of your Lighthouses to use your IdP, for example:
    saml-idp-metadata -p {root password} create -m /path/to/metadata.xml -P azure_ad -n "My Azure display name" -l {LH id number}
    The provider name given to -P (azure_ad) is the same name that ends the Reply and Sign on URLs above. Note that a password passed with -p is visible in the shell history and, while the command runs, in the process list.
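Before handing the downloaded Federation Metadata XML to saml-idp-metadata it is worth confirming that it is the file you think it is: that the entityID is your tenant's Azure AD issuer, that it carries a signing certificate, and that the certificate's SHA-1 fingerprint matches the Thumbprint shown in the portal under SAML Signing Certificate. The script below is an added example, not part of the Lighthouse tooling or this page; the sample metadata it contains is constructed, with a placeholder tenant ID and placeholder certificate bytes, and it only reads the XML (it does not validate the certificate chain or signatures).

```python
"""Inspect an Azure AD Federation Metadata XML file before importing it with
saml-idp-metadata: report the IdP entityID, the SSO endpoints and the SHA-1
fingerprint of each signing certificate so they can be compared with what the
Azure portal shows. Added example; the sample metadata below is constructed."""
import base64
import hashlib
import json
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def fingerprint_sha1(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 fingerprint, the form the Azure portal
    displays as the certificate Thumbprint."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def inspect_idp_metadata(xml_text: str) -> dict:
    """Parse EntityDescriptor/IDPSSODescriptor and return the fields worth
    checking by eye, plus warnings for anything unexpected."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID", "")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(fingerprint_sha1(der))

    warnings = []
    if not entity_id.startswith("https://sts.windows.net/"):
        warnings.append("entityID is not the default Azure AD issuer "
                        "https://sts.windows.net/<tenant-id>/")
    if not fingerprints:
        warnings.append("no signing certificate: assertions cannot be verified")
    if len(fingerprints) > 1:
        warnings.append("more than one signing certificate (rollover in progress?)")
    if HTTP_POST not in sso and HTTP_REDIRECT not in sso:
        warnings.append("no SingleSignOnService endpoint")

    return {"entity_id": entity_id, "sso": sso,
            "signing_cert_sha1": fingerprints, "warnings": warnings}


# Constructed placeholders: not a real tenant ID and not a real X.509 certificate.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_CERT_DER = b"constructed placeholder certificate bytes"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(tenant=SAMPLE_TENANT,
                              cert=base64.b64encode(SAMPLE_CERT_DER).decode())

if __name__ == "__main__":
    # Usage: python inspect_metadata.py /path/to/metadata.xml (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    print(json.dumps(inspect_idp_metadata(text), indent=2))
```

Run it against the downloaded file and compare the reported fingerprint with the portal Thumbprint before running saml-idp-metadata; a warning about more than one signing certificate usually means a certificate rollover is in progress in the tenant, in which case the metadata should be re-imported once the new certificate is active.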

App Roles Setup

After this initial setup, you will be able to log in as a SAML user. If you do not already have your own user groups set up in Lighthouse, you can set them up as follows:

  1. Log in to Lighthouse as a local user (or any other non-SAML user), for example root.

  2. Create the user groups with the roles and permissions required.

See Add app roles and get them from a token - Microsoft identity platform for up-to-date documentation on how to create and assign App roles.

  1. Go to Azure Active Directory.

  2. Go to App registrations.

  3. Open your app (Use the All Applications tab to see Enterprise apps).

  4. Go to App Roles.

  5. Click Create App Role.

    1. Set Value to exactly match the name of the user group on Lighthouse (the match is on the group name as written); this Value is the string that appears in the LH_Groups claim.

    2. Set Allowed member types to Both (Users/Groups + Applications).

    3. Set the other fields as required.

  6. Go to Azure Active Directory.

    1. Go to Enterprise applications.

    2. Open your App, that is, Lighthouse.

    3. Go to Users and groups.

    4. Click Add user/group.

    5. Select a user (or a group, since Allowed member types includes groups) and one of your App roles, then click Assign.

The assigned users are now able to log in to Lighthouse with the permission levels that the App role, and the Lighthouse group of the same name, grants them.
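To see what the Attributes & Claims step and the App roles step produce together, the following added example parses the LH_Groups attribute out of a SAML assertion the way a service provider sees it after Azure AD issues it with Source attribute user.assignedroles, then matches the role values against existing Lighthouse group names. It is not Lighthouse's own code and not from this page: the assertion is constructed (Signature, Conditions and AuthnStatement elements omitted), the Lighthouse group names are invented for the example, and signature validation is deliberately not shown because a real service provider must verify the response signature against the IdP signing certificate before it trusts any attribute.

```python
"""Extract the LH_Groups claim from a SAML assertion and map its App role
values onto Lighthouse user groups. Added example with a constructed assertion;
signature verification, which must happen first in a real SP, is not shown."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_NAME = "LH_Groups"


def roles_from_assertion(assertion_xml: str) -> list:
    """Return every AttributeValue of the LH_Groups attribute, in order.
    Azure AD emits one AttributeValue per assigned App role; a user with no
    role assigned yields an empty list (or no attribute at all)."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        # If a namespace was set on the claim, Name is "<namespace>/LH_Groups".
        if name == CLAIM_NAME or name.endswith("/" + CLAIM_NAME):
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                text = (value.text or "").strip()
                if text:
                    values.append(text)
    return values


def resolve_groups(roles: list, lighthouse_groups: set) -> dict:
    """Match role values against Lighthouse group names exactly (the App role
    Value must equal the group name, including case). Unmatched values are
    reported rather than silently dropped, and a login that matches no group
    is flagged so it can be denied instead of admitted with default rights."""
    matched = [r for r in roles if r in lighthouse_groups]
    unmatched = [r for r in roles if r not in lighthouse_groups]
    return {"groups": matched, "unmatched": unmatched, "allow": bool(matched)}


# Constructed sample: the shape of an Azure AD assertion carrying two App roles.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="LH_Groups">
      <saml:AttributeValue>LH_Operators</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed: group names as if created on Lighthouse for this example.
LIGHTHOUSE_GROUPS = {"LH_Operators", "LH_Admins"}

if __name__ == "__main__":
    roles = roles_from_assertion(SAMPLE_ASSERTION)
    print("roles in assertion:", roles)
    print("resolved:", resolve_groups(roles, LIGHTHOUSE_GROUPS))
```

The two checks worth keeping from this: an App role whose Value differs from the Lighthouse group name even by case ends up in unmatched and grants nothing, and a user assigned to the application with no role (or to a role that matches no group) should be refused rather than admitted, which is why Assignment required was set to Yes in the application properties.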