Entra ID Example

Lighthouse can be added as an Enterprise application to Entra ID. This example uses “App roles” to grant users permissions.

To create an Application (Enterprise applications)

1. Go to Entra ID.

2. Go to Enterprise applications.

3. Click New Application.

4. Click Create your own application.

5. Select Integrate any other application you don't find in the gallery (Non-gallery).

6. Name your Application, for example, Lighthouse, then click Create.

7. Click Properties:

   1. Set Assignment required to Yes.

   2. Set Enabled for users to sign-in to Yes.

   3. Click Save.

8. Go to Single sign-on:

   1. Select SAML.

   2. Edit Basic Configuration:

      1. Add an Entity Id lighthouse-entra_id and set it as default.

      2. In Reply URL (Assertion Consumer Service URL) add the SSO URL for each address of each Lighthouse that you want to be able to sign in on, i.e. IP addresses and DNS address for both your primary and secondary Lighthouses.
         https://{primary lighthouse address}/api/v3.7/sessions/saml/sso/entra_id https://{primary lighthouse IP address}/api/v3.7/sessions/saml/sso/entra_id https://{secondary lighthouse address}/api/v3.7/sessions/saml/sso/entra_id https://{secondary lighthouse IP address}/api/v3.7/sessions/saml/sso/entra_id.
         

      3. Set Sign on URL to https://{main lighthouse address}/api/v3.7/sessions/saml/sp_init/entra_id.

      4. Click Save.

   3. Edit Attributes & Claims:

      1. Remove the default claims from Additional claims.

      2. Click Add new claim and enter:

         • Name: LH_Groups

         • Source Attributes: user.assignedroles

IdP Metadata

1. Go to the Entra ID.

2. Go to Enterprise applications and open your application.

3. Go to Single sign-on.

4. Navigate to 3. SAML Signing Certificate and find and download Federation Metadata XML.

Configure Lighthouse

1. Copy the Federation metadata XML to your primary Lighthouse.

2. Using saml-idp-metadata on your primary lighthouse, configure each of your lighthouses to use your IdP:
   For example, saml-idp-metadata -p {root password} create -m /path/to/metadata.xml -P azure_ad -n "My Entra ID display name" -l {LH id number}.

   Note: Where {LH id number} is the configuration ID for Lighthouse. The primary Lighthouse has an ID of 1, and then any secondaries are assigned numbers from 2. You can run the following to obtain a list of your Lighthouse configuration IDs: saml-idp-metadata -p <LH password> list.

App Roles Setup

After this initial setup, you will be able to login as a SAML user. If you do not already have your own User groups setup in Lighthouse, you can set them up as follows:

1. Login to Lighthouse as a local user (or any non-SAML user) i.e. root.

2. Create the User groups with the Roles and permission required.

See Add app roles and get them from a token - Microsoft identity platform for up to date documentation on how to create and assign App Roles.

1. Go to Entra ID.

2. Go to App registrations.

3. Open your app (Use the All Applications tab to see Enterprise apps).

4. Go to App Roles.

5. Click Create App Role.

   1. Set the value to match your usergroup on Lighthouse.

   2. Set Allowed member types to Both (Users/Groups + Applications).

   3. Set the other fields as required.

6. Go to Entra ID.

   1. Go to Enterprise applications.

   2. Open your App, that is, Lighthouse.

   3. Go to Users and groups.

   4. Click Add user/group.

   5. Select a user and one of your App roles then click Assign.

The assigned users are now able to login to Lighthouse with the permission levels which that App Role/Lighthouse group grants them.