Configure Microsoft Entra ID (OIDC) SSO
This guide details how to register an application in Microsoft Entra ID to use for OIDC-based Single Sign-On (SSO) with Lumonic.
Part 1: Create the Entra ID App Registration
Sign in to the Microsoft Entra admin center.
Navigate to App registrations.
Click + New registration.
Enter a Name (e.g., "Lumonic SSO").
For Supported account types, select Accounts in this organizational directory only (Single tenant).
Under Redirect URI:
Select Web.
Enter the callback URL:
https://app.lumonic.com/auth/oidc/callback
Click Register.
Part 3: Configure App Settings in Entra ID
Generate Client Secret
Navigate to Manage > Certificates & secrets.
Click + New client secret.
Add a description, set an expiration, and click Add.
Important: Immediately copy the secret's Value (not the Secret ID). This is your Client Secret for Lumonic and will not be shown again. Also note the expiration date you chose: when the secret expires, sign-in through Lumonic stops working until you generate a new secret here and enter it in Lumonic.
Configure Authentication
Navigate to Manage > Authentication.
Under Implicit grant and hybrid flows, check the box for ID tokens (used for implicit and hybrid flows). This guide requires only ID tokens; leave Access tokens (used for implicit flows) unchecked.
In the Front-channel logout URL field, enter:
https://app.lumonic.com/logout
Click Save.
Configure Branding
Navigate to Manage > Branding & properties.
In the Home page URL field, enter:
https://app.lumonic.com/auth/sso/initiate/{your-client-id}
Replace {your-client-id} with the Application (client) ID you copied in Part 2. This URL is required for IdP-initiated SSO (users starting from the Microsoft portal rather than from Lumonic).
Click Save.
Part 4: Set API Permissions
Navigate to Manage > API permissions.
Click + Add a permission, then select Microsoft Graph.
Choose Delegated permissions.
Check the following permissions:
email
offline_access
openid
profile
User.Read
Click Add permissions.
Click Grant admin consent for [Your Organization] and confirm with Yes.
Part 5: Configure Lumonic
You will need the three items gathered from Entra ID:
Client ID (from Part 2)
Client Secret (from Part 3)
Metadata URL (from Part 2)
In Lumonic, navigate to the Team > Security tab.
Click to Configure SSO.
Enter a Display Name (e.g., "Microsoft Entra SSO").
Paste the Client ID and Client Secret into their respective fields.
Paste the Metadata URL into the Auto Discovery field. This will automatically populate the required endpoints.
(Optional) Enable Auto-provision and select a default role for users signing in for the first time. This is required for IdP-initiated login (users arriving from a general app portal such as https://myapps.microsoft.com/). Because every user who completes sign-in is then given a Lumonic account with the default role, pair Auto-provision with Assignment required? in Part 6 so that only users or groups you have assigned can reach Lumonic.
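Before pasting the Metadata URL into the Auto Discovery field, it is worth checking what that document actually contains, since Lumonic will take its endpoints and issuer from it. The following is an added example (not Lumonic's own code) that validates an Entra ID v2.0 OpenID Connect discovery document against the tenant the app was registered in. The document and tenant ID below are constructed placeholders, and Test-EntraOidcMetadata is a hypothetical helper name.

```powershell
# Added example, not Lumonic's code: offline sanity check of the OIDC metadata
# document that the Auto Discovery field reads. $SampleMetadata is a constructed,
# trimmed document in the shape Entra ID v2.0 serves; $ExpectedTenantId is an
# assumed placeholder. Against a live tenant, feed it the real document instead:
#   Invoke-RestMethod $MetadataUrl | ConvertTo-Json -Depth 5
function Test-EntraOidcMetadata {
    param(
        [Parameter(Mandatory)][string]$MetadataJson,
        [Parameter(Mandatory)][string]$ExpectedTenantId
    )
    $m = $MetadataJson | ConvertFrom-Json
    $problems = @()

    # A single-tenant app must be bound to its own tenant's issuer. A /common or
    # /organizations document would let ID tokens from other tenants validate.
    $expectedIssuer = "https://login.microsoftonline.com/$ExpectedTenantId/v2.0"
    if ($m.issuer -ne $expectedIssuer) {
        $problems += "issuer is '$($m.issuer)', expected '$expectedIssuer'"
    }

    # Endpoints Auto Discovery needs: authorization code flow, signing keys, logout.
    foreach ($name in "authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint") {
        $url = $m.$name
        if (-not $url) { $problems += "missing $name" }
        elseif (-not $url.StartsWith("https://")) { $problems += "$name is not https: $url" }
    }

    # Part 3 enabled ID tokens for the hybrid flow; confirm the server advertises
    # that response type and signs ID tokens with RS256.
    if ($m.response_types_supported -notcontains "code id_token") {
        $problems += "hybrid flow (code id_token) not advertised"
    }
    if ($m.id_token_signing_alg_values_supported -notcontains "RS256") {
        $problems += "RS256 ID token signing not advertised"
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

$ExpectedTenantId = "11111111-2222-3333-4444-555555555555"   # assumed placeholder
$SampleMetadata = @"
{
  "issuer": "https://login.microsoftonline.com/$ExpectedTenantId/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/$ExpectedTenantId/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/$ExpectedTenantId/oauth2/v2.0/token",
  "end_session_endpoint": "https://login.microsoftonline.com/$ExpectedTenantId/oauth2/v2.0/logout",
  "jwks_uri": "https://login.microsoftonline.com/$ExpectedTenantId/discovery/v2.0/keys",
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
"@

# Expected: Ok = True, no problems.
Test-EntraOidcMetadata -MetadataJson $SampleMetadata -ExpectedTenantId $ExpectedTenantId

# The same document with a /common issuer (a multi-tenant URL pasted by mistake)
# fails the issuer check.
$bad = $SampleMetadata -replace [regex]::Escape($ExpectedTenantId), "common"
(Test-EntraOidcMetadata -MetadataJson $bad -ExpectedTenantId $ExpectedTenantId).Problems
```

The issuer check is the one that matters most: the app registration in Part 1 was made single-tenant, and the document Lumonic consumes should name that same tenant, not a shared endpoint.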
Part 6: Configure User Access (Enterprise Application)
(Optional) Use the Enterprise Application settings to make Lumonic visible in users' My Apps portal and to restrict sign-in to assigned users only.
To make the app visible in users' My Apps dashboard:
In the Microsoft Entra admin center, navigate to Enterprise applications.
Find and select the app you created (e.g., "Lumonic SSO").
Navigate to Manage > Properties.
Set Visible to users? to Yes to allow users to see the app in their "My Apps" portal.
To restrict access to specific users or groups rather than to everyone in the directory:
Set Assignment required? to Yes (recommended). With it set to No, any user in the tenant can sign in to Lumonic through Entra ID; with Yes, only the users and groups you assign can.
Click Save.
If you set Assignment required? to Yes, navigate to Manage > Users and groups to assign the users and/or groups who should have access to Lumonic.
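The Entra ID side of this guide (Parts 1, 3, 4 and 6) can also be scripted, which makes the configuration reviewable and repeatable across tenants. The following is an added example using the Microsoft Graph PowerShell SDK; it is not Lumonic's or Microsoft's own code. The group object ID and the 6-month secret lifetime are assumptions, and the Connect-MgGraph scopes listed are the ones these calls need.

```powershell
# Added example, not Lumonic's or Microsoft's own code: scripts the Entra ID side of
# this guide (Parts 1, 3, 4 and 6) with the Microsoft Graph PowerShell SDK.
# Assumed placeholder: $GroupObjectId is the object ID of the group that should be
# allowed to sign in to Lumonic.
$AppName       = "Lumonic SSO"
$RedirectUri   = "https://app.lumonic.com/auth/oidc/callback"
$LogoutUrl     = "https://app.lumonic.com/logout"
$GroupObjectId = "00000000-0000-0000-0000-000000000000"   # assumed; replace
$Scopes        = @("openid", "profile", "email", "offline_access", "User.Read")

Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"

# Part 4: resolve the Microsoft Graph delegated scope IDs by name instead of
# hard-coding GUIDs (the Graph appId below is the same in every tenant).
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$resourceAccess = foreach ($s in $Scopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $s }
    if (-not $scope) { throw "Delegated scope '$s' not found on Microsoft Graph" }
    @{ Id = $scope.Id; Type = "Scope" }
}

# Part 1: single-tenant registration (AzureADMyOrg) requesting only the five scopes.
$app = New-MgApplication -DisplayName $AppName -SignInAudience "AzureADMyOrg" `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphSp.AppId; ResourceAccess = $resourceAccess })

# Parts 1 and 3: Web platform settings. HomePageUrl needs the Application (client)
# ID, which exists only after creation, so all Web settings go in one update.
# ID tokens are enabled for the hybrid flow; access-token issuance through the
# implicit grant stays off because this guide does not need it.
Update-MgApplication -ApplicationId $app.Id -Web @{
    RedirectUris          = @($RedirectUri)
    LogoutUrl             = $LogoutUrl
    HomePageUrl           = "https://app.lumonic.com/auth/sso/initiate/$($app.AppId)"
    ImplicitGrantSettings = @{ EnableIdTokenIssuance = $true; EnableAccessTokenIssuance = $false }
}

# Part 3: client secret. SecretText is returned exactly once; pass it to Lumonic
# (or a vault) immediately and record the expiry so it can be rotated in time.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = "Lumonic"
    EndDateTime = (Get-Date).AddMonths(6)   # assumed lifetime
}

# Parts 4 and 6: the service principal is the "Enterprise application".
# -AppRoleAssignmentRequired is "Assignment required? = Yes"; the tag makes the
# app show up under Enterprise applications and in users' My Apps portal.
$sp = New-MgServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired `
    -Tags @("WindowsAzureActiveDirectoryIntegratedApp")

# Part 4: tenant-wide admin consent for the delegated scopes.
New-MgOauth2PermissionGrant -ClientId $sp.Id -ConsentType "AllPrincipals" `
    -ResourceId $graphSp.Id -Scope ($Scopes -join " ") | Out-Null

# Part 6: assign the group to the default access role (the all-zero role ID),
# which is what Users and groups > Add user/group does in the portal.
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -PrincipalId $GroupObjectId `
    -ResourceId $sp.Id -AppRoleId ([Guid]::Empty) | Out-Null

# Part 5 inputs for Lumonic. The v2.0 metadata URL is derived from the tenant ID.
$tenantId = (Get-MgContext).TenantId
[pscustomobject]@{
    ClientId     = $app.AppId
    ClientSecret = $secret.SecretText
    MetadataUrl  = "https://login.microsoftonline.com/$tenantId/v2.0/.well-known/openid-configuration"
    SecretExpiry = $secret.EndDateTime
}
```

Run it in a session with Microsoft.Graph.Applications installed. The final object contains the three values Part 5 asks for; treat the ClientSecret line as sensitive output and clear it from the console history once it has been entered in Lumonic.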