Lumoa Single Sign On (SSO)

Documentation describing the steps in Azure to get SSO turned on correctly.

Written by Garen DiBernardo
Updated over a week ago

What is SSO?

Single Sign On is a service that allows you to log in to Lumoa using your work email and directory. After SSO has been turned on, you will no longer need to invite people to join Lumoa. Assuming they are in your Azure Directory, they can navigate to the login page of Lumoa and immediately get access. This reduces manual invites and makes getting new users into Lumoa a faster, smoother process.

To get SSO up and running, you are required to go through an Installation process. Afterwards, we recommend that you set up Groups and Roles within your Azure Directory so that future users can have custom permissions. If you do not, all accounts in Lumoa will have the same role and permissions.

Note: Completing the SSO installation does require a fee. Either before or after you take the steps outlined below, contact your CS manager for more information. If you are not sure of your CS manager, contact [email protected]

Installation

1. Log in to https://portal.azure.com with an account that has administrative rights

2. Search and open "App registrations" (part of Azure Active Directory)

3. Click "New registration", fill in the name (descriptive example: lumoa-nps-dashboard-prod), set the Redirect URI to "https://api.lumoa.me/api/v1/sso/azuread" in the form, and press "Register"

4. When the application has been created, write down the TenantID and ApplicationID shown in its Overview section

5. Open the "Authentication" tab for the application, check "ID tokens" in the "Implicit grant" section and click "Save"

6. Go to “Certificates & Secrets” and create a new client secret that expires in 24 months

7. Copy the newly created client secret

8. Forward the following info to your Lumoa account manager:

    1. TenantID

    2. ApplicationID (also the staging ApplicationID, if relevant)

    3. Client secret

    4. Which domains the SSO should include

9. That’s it! The Lumoa team will take care of the rest and contact you when SSO is activated 😊

Note: After SSO is turned on, you no longer need to invite people to join Lumoa. Simply have them access our Login Page; after they input their email, they will be redirected to your directory's sign-in if the SSO steps above were done correctly (and if the user exists within your Directory).

Defining SSO roles for Lumoa Application

This next step is about defining roles in Lumoa. If you only complete the Installation steps above, then everyone who logs into Lumoa will have the same basic role of "User". Check out our list of roles and permissions for more info.

If you want some people to be added to Lumoa as "Admins", so that they can do things like upload data or manage settings, then you need to complete the below steps where you define SSO roles.

To start, in your Azure portal, go to your Azure Active Directory. From the left menu select App registrations, search for the Lumoa application you have added and click on it.

  • In the left menu select App roles, click Create app role and create roles according to the below screenshot. The important columns are Value, as these need to match exactly so that roles are correctly mapped in Lumoa, and Allowed member types. Display name and description are up to you.

  • Now if you don’t already have groups you want to use for Lumoa App roles, go to Azure Active Directory, select Groups from the left menu and create the groups you want by clicking New group. You can directly assign members or do that later.

  • Now go back to Azure Active Directory and select from the left menu Enterprise Applications. Search by the same application name as in App Registrations and click on it.

  • In the left menu you should now see the item Users and groups, click on it.

  • Click Add user/group

  • First click on "None Selected" under Users and groups, search for the user/group and click it. Remember to click "Select" at the bottom of the screen. Next click "None Selected" under "Select a role" and select the role you want to assign to this group. Remember again to click "Select" at the bottom of the screen. After this, click the "Assign" button at the bottom left.

Note: After creating these roles, please check that in your API permissions there is the "openid" permission, and if not, please grant it (see image below):

Log out

Please note that Lumoa asks for refreshed user information every 10 minutes. If your Azure Directory (AD) reports that the user is disabled, or an admin revokes their access tokens, then the user is automatically logged out. This automatic log-out only applies to companies who have provided their Client Secret to Lumoa.
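To make the role mapping and the periodic log-out described above concrete, here is an added example (not code from this article or from Lumoa) of what a relying party does with an Azure AD ID token after SSO is turned on: pin the token to your TenantID and ApplicationID, read the app role "Value" strings out of the `roles` claim, fall back to the plain "User" role when no app role was assigned, and re-check the directory every 10 minutes to log out disabled or revoked users. The role values `lumoa.admin` / `lumoa.user`, the GUIDs, the v2.0 issuer format and the shape of the directory lookup are all assumptions made for the example; signature verification against the tenant's published signing keys is assumed to happen before `decode_claims` is called.

```python
import base64
import json

# Constructed stand-ins for the TenantID and ApplicationID noted in step 4 of
# the installation; real values come from the app registration's Overview page.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
APPLICATION_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Hypothetical app role "Value" strings. The article only says the Value column
# must match what Lumoa expects; the real strings are not on this page.
ROLE_MAP = {"lumoa.admin": "Admin", "lumoa.user": "User"}
DEFAULT_ROLE = "User"        # without app roles every SSO login is a plain User
REFRESH_INTERVAL = 10 * 60   # seconds between directory re-checks (10 minutes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for offline demonstration only. Real Azure AD
    ID tokens carry an RS256 signature in the third segment; this one is empty."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(id_token: str) -> dict:
    """Parse the payload of a JWT. The signature must already have been verified
    against the tenant's signing keys; this helper does not do that."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims: dict, now: float) -> list:
    """Return a list of problems; an empty list means the token is acceptable.
    Each check pins the token to our tenant and our app registration (v2.0 issuer
    format assumed)."""
    problems = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        problems.append("issuer is not our tenant")
    if claims.get("tid") != TENANT_ID:
        problems.append("tid does not match TenantID")
    if claims.get("aud") != APPLICATION_ID:
        problems.append("aud does not match ApplicationID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid")
    return problems


def map_role(claims: dict) -> str:
    """Map the app role values Azure AD put in the 'roles' claim to a Lumoa role.
    Unknown values are ignored; a missing claim yields the default User role."""
    granted = {ROLE_MAP[v] for v in claims.get("roles", []) if v in ROLE_MAP}
    return "Admin" if "Admin" in granted else DEFAULT_ROLE


def authenticate(id_token: str, now: float):
    """Full login decision as (role, problems); role is None when problems exist."""
    claims = decode_claims(id_token)
    problems = validate_claims(claims, now)
    return (None if problems else map_role(claims)), problems


def recheck_session(session: dict, directory_user: dict, now: float) -> bool:
    """Periodic re-validation of a live session.
    session: {'issued_at': epoch, 'last_checked': epoch}.
    directory_user: constructed stand-in for a directory lookup of the user,
    e.g. {'accountEnabled': bool, 'signInSessionsValidFrom': epoch or None}.
    Returns False when the user should be logged out."""
    if now - session["last_checked"] < REFRESH_INTERVAL:
        return True                      # not due for a re-check yet
    session["last_checked"] = now
    if not directory_user.get("accountEnabled", False):
        return False                     # account disabled in the directory
    revoked_from = directory_user.get("signInSessionsValidFrom")
    if revoked_from is not None and revoked_from > session["issued_at"]:
        return False                     # admin revoked tokens after this login
    return True


if __name__ == "__main__":
    # Constructed token for a user whose group was assigned the admin app role.
    demo = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
            "tid": TENANT_ID, "aud": APPLICATION_ID,
            "iat": 900, "nbf": 900, "exp": 2000, "roles": ["lumoa.admin"]}
    print(authenticate(make_unsigned_token(demo), now=1000))
```

The checks on `tid` and `aud` are what stop a token minted by some other tenant or for some other app registration from being accepted, which is why the TenantID and ApplicationID written down in step 4 matter beyond just being forwarded to Lumoa.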


Get in touch

📧 Do you have any questions or comments about using Lumoa? Please don't hesitate to email Lumoa Support at [email protected].
