
Open-ID Connect SSO with Entra ID

Updated over 2 weeks ago

From Corporate V4.2, this integration is self-service. Luminance Account Administrators configure and manage the integration in Luminance.


OpenID Connect Single Sign-On Setup with Entra ID

Note: You need administrator access to the Azure Portal and Account Administrator access to Luminance.

Step 1: Register an Application in Microsoft Entra ID

  1. Sign in to the Azure Portal

  2. Select your account and switch directory if required

  3. Navigate to Microsoft Entra ID

  4. Select App registrations

  5. Click New registration

  6. Configure the application using the table below

  7. Click Register

Application registration settings:

  Name
    Enter Luminance or another descriptive name

  Supported account types
    Select the option that reflects your organization's requirements (typically "Accounts in this organizational directory only")

  Redirect URI
    Note: Replace <your-luminance-url> with your Luminance instance URL (e.g., acme-corporate.app.luminance.com)

Step 2: Configure Authentication

  1. Navigate to Authentication

  2. Enable ID tokens under Implicit grant and hybrid flows

  3. Click Save

Note: Retrieve the <proxy> value using:

  • dig +short <your-luminance-url> in Terminal

  • Resolve-DnsName <your-luminance-url> in PowerShell

Step 3: Note Your Application Details

Collect the following values from the Overview page:

  • Application (client) ID

  • Directory (tenant) ID

Step 4: Create the Integration in Luminance

  1. Log in to Luminance as an Account Administrator

  2. Navigate to Account Settings > Integrations

  3. Click Create Integration

    (Screenshot: Entra ID Create Integration)

  4. Select Entra ID and complete the fields in the table below

  5. Click Create

Integration fields (all are required):

  Name
    Enter a descriptive name (e.g., Microsoft SSO or Entra ID). Users may see this on the login screen.

  Type
    Select SSO or SSO (Autoprovision)

  Application (client) ID
    The Application (client) ID from Step 3

  Directory (tenant) ID
    The Directory (tenant) ID from Step 3

Step 5: Test SSO

  1. Open a new incognito or private browser window

  2. Navigate to your Luminance URL

  3. Click Log in with SSO, or enter an SSO-enabled email address

  4. Sign in via Microsoft

  5. Confirm access to Luminance

Note: Test immediately after configuration to identify and resolve issues early.


Managing SSO Profiles

Existing Users

  1. Navigate to Account Settings > Users and select the user

  2. Click Edit

  3. Click + and select the SSO Identity Provider

  4. Enter the user’s email address

  5. Save the changes

(Screenshot: User Profiles Dialog)

Auto-Provisioning

If you select SSO (Autoprovision), Luminance:

  • Creates user accounts on first sign-in

  • Assigns no permissions or document access by default

  • Requires an Account Administrator to assign divisions and groups

Autoprovision Linking

  1. Navigate to Account Settings > Security

  2. Locate the Autoprovision Linking table

  3. Click +

  4. Enter a filter (e.g., @yourcompany.com$)

  5. Select a user group

(Screenshot: Security - Autoprovision Linking)

Security best practices

  • Restrict account types to your organization

  • Enable ID tokens only—do not enable access tokens unless required

  • Use Conditional Access for MFA or device compliance

  • Review the application registration regularly

  • Test with a single user before rollout


Usage: Expected Behavior

Use the table below to understand expected SSO behavior after setup.

  Sign-in flow
    Users click Log in with SSO and are redirected to Microsoft. After authentication, they are returned to Luminance.

  Session management
    Luminance creates a session after validating the ID token. Session duration is controlled by Luminance.

  Auto-provisioning
    Accounts are created on first sign-in. No permissions are assigned by default.

  Existing users
    An SSO profile is required before the user can sign in.

  Password login
    Users can sign in with SSO or a password if both are configured.

  Claims mapping
    Not supported for Entra ID (OpenID Connect). Use SAML 2.0 for group mapping.
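
As an added example (not Luminance's code, and not a description of how its session layer is implemented), the following Python sketches the claim checks a relying party performs on an Entra ID ID token before creating a session, tying them to the Application (client) ID and Directory (tenant) ID collected in Step 3. The IDs, nonce and sample token are constructed placeholders, and the code assumes the token's signature has already been verified against the tenant's published signing keys by a JOSE library.

```python
import base64
import json
import time

# Constructed placeholder values standing in for the Application (client) ID
# and Directory (tenant) ID collected in Step 3; they are not real identifiers.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

def expected_issuer(tenant_id):
    # Entra ID v2.0 ID tokens carry a tenant-scoped issuer, so a token minted
    # for a different tenant fails this check even though Microsoft signed it.
    return "https://login.microsoftonline.com/%s/v2.0" % tenant_id

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def validate_id_token_claims(id_token, client_id, tenant_id, expected_nonce, now=None):
    """Return the claims if acceptable, else raise ValueError. Assumes the JWT
    signature was already verified against the tenant's signing keys (not shown)."""
    now = int(time.time()) if now is None else now
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != expected_issuer(tenant_id):
        raise ValueError("issuer does not match the configured Directory (tenant) ID")
    if claims.get("aud") != client_id:
        raise ValueError("audience does not match the Application (client) ID")
    if claims.get("tid") != tenant_id:
        raise ValueError("tid claim does not match the Directory (tenant) ID")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch; possible replayed token")
    return claims

def is_acceptable(id_token, client_id, tenant_id, expected_nonce, now=None):
    try:
        validate_id_token_claims(id_token, client_id, tenant_id, expected_nonce, now)
        return True
    except ValueError:
        return False

def make_sample_token(claims):
    # Builds a constructed, unsigned sample token for this demonstration only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig-omitted")
```

A token from another tenant, for a different app registration, past its expiry, or with an unexpected nonce is rejected before any Luminance session would be created; a mismatched client ID is also the condition behind the AADSTS700016 error in the troubleshooting table.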


Troubleshooting

Use this table to identify and resolve common issues.

  Issue: No option to log in via SSO
  Cause: Integration not created
  Resolution: Create the Entra ID integration in Account Settings > Integrations

  Issue: AADSTS50011: The redirect URI does not match
  Cause: Redirect URI mismatch
  Resolution: Verify both redirect URIs are configured in Azure

  Issue: "User not enabled" after SSO login
  Cause: No SSO profile linked
  Resolution: Create an SSO profile (see Managing SSO Profiles)

  Issue: User gets a new empty account
  Cause: Duplicate account created
  Resolution: Delete the duplicate and link the original account

  Issue: AADSTS700016: Application not found
  Cause: Incorrect Application (client) ID
  Resolution: Verify the Application (client) ID matches the Azure Portal
