You can integrate with Azure Active Directory (AD) to provide single sign on (SSO) for users from the Lightstep web UI.


You’ll need the following to integrate Lightstep with Azure AD:

Configure Lightstep as an Enterprise Application in Azure AD

  1. In Azure AD, navigate to the Enterprise Apps page.
  2. To add Lightstep, click New Application and then Create Your Own Application. Enter Lightstep for the name and click Create. Add Lightstep app in Azure AD

    Lightstep now appears as an application in Azure AD. Lightstep in Azure AD

  3. In the navigation menu, click Single sign-on and then select the SAML card. Configure SAML
  4. Click to edit the Basic SAML Configuration panel and enter the following values:

    • Identifier:

    • Reply URL:

    • Sign on URL:

    • Relay State: You will enter this value (generated by Lightstep) in a later step.

    SAML configuration

  5. Click Save.
    You now need an XML blob to configure communication between Azure AD and Lightstep.
  6. Scroll down to the SAML Certificates section and download the Federation Metadata XML file. Federation XML file
  7. In a new tab, open Lightstep and click Account management > Single sign on (SSO).Account Settings
  8. Paste the XML from the Federation file into the IDP metadata (XML) box.SSO configuration in Lightstep
  9. Click Save.
    Lightstep generates a RelayState value displayed in the RelayState field.
  10. Copy the RelayState value to your clipboard.
  11. Back in the Basic SAML Configuration panel in Azure AD, paste the RelayState value into the Relay State field and save.RelayState in Azure AD

Enable SSO

You now need to create an Azure AD group and assign Lightstep users to that group. You then add that group to the Lightstep application.

  1. In Azure AD, navigate to All Groups and create a new Security Group. New security group

  2. Add users to this group (you can add and delete users as needed from here).

  3. Back on the Lightstep page, select the Users and Groups menu option and assign the group you just created. Add the group to Lightstep Assign the group to Lightstep

Sign in to Lightstep

Once you’ve assigned the group to Lightstep in Azure AD, users log in directly from Lightstep.

With SSO enabled, users must sign in from the SAML SSO tab.

  1. Navigate to
  2. Click the SAML SSO tab and enter the email used to create the Lightstep user in Azure AD.Lightstep sign in from SAML tab

Once you assign users to the Lightstep security group in Azure AD, you can configure JIT (Just In Time) provisioning by authorizing your domain in Lightstep. Users will be able to create a Lightstep account when they log in.