You can integrate Lightstep with Azure Active Directory (AD) to provide single sign-on (SSO) for users signing in from the Lightstep web UI.
Prerequisites
You’ll need the following to integrate Lightstep with Azure AD:
- An admin Azure AD account in an organization with SAML privileges.
- An admin Lightstep user.
- A default user role configured in Lightstep. This is the role assigned to all Azure AD users (you can change it in Lightstep).
Configure Lightstep as an Enterprise Application in Azure AD
- In Azure AD, navigate to the Enterprise Apps page.
- To add Lightstep, click New Application and then Create Your Own Application. Enter Lightstep for the name and click Create.
  Lightstep now appears as an application in Azure AD.
- In the navigation menu, click Single sign-on and then select the SAML card.
- Click to edit the Basic SAML Configuration panel and enter the following values:
  - Identifier: https://app.lightstep.com/saml/metadata
  - Reply URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback
  - Sign on URL: https://app.lightstep.com/api/v1/authentication/sso/saml_callback?RelayState=
  - Relay State: You will enter this value (generated by Lightstep) in a later step.
- Click Save.
You now need an XML blob to configure communication between Azure AD and Lightstep.
- Scroll down to the SAML Certificates section and download the Federation Metadata XML file.
- In a new tab, open Lightstep and click Account management > Single sign on (SSO).
- Paste the XML from the Federation Metadata file into the IDP metadata (XML) box.
- Click Save.
  Lightstep generates a RelayState value, displayed in the RelayState field.
- Copy the RelayState value to your clipboard.
- Back in the Basic SAML Configuration panel in Azure AD, paste the RelayState value into the Relay State field and save.
Enable SSO
You now need to create an Azure AD group and assign Lightstep users to that group. You then add that group to the Lightstep application.
- In Azure AD, navigate to All Groups and create a new Security Group.
- Add users to this group (you can add and delete users as needed from here).
- Back on the Lightstep page, select the Users and Groups menu option and assign the group you just created.
Sign in to Lightstep
Once you’ve assigned the group to Lightstep in Azure AD, users log in directly from Lightstep.
With SSO enabled, users must sign in from the SAML SSO tab.
- Navigate to http://app.lightstep.com.
- Click the SAML SSO tab and enter the email used to create the Lightstep user in Azure AD.
Once you have assigned users to the Lightstep security group in Azure AD, you can configure JIT (Just In Time) provisioning by authorizing your domain in Lightstep. Users will then be able to create a Lightstep account when they log in.