Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure

Getting Started

Global Functions

Administration

User Management

Managing the CFO Solution Platform

Managing Lucanet Licenses

Configuring External Authentication

Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure

Configuring Lucanet SAML Single Sign-On with Microsoft Entra ID/Azure

Configuring Customizations

Generating and Downloading SEA Certificates

Extended Planning & Analysis (xP&A)

Consolidation & Financial Planning

ESG Reporting

Disclosure Management

XBRL Tagger

Lease Accounting

Banking & Cash Management

Data Collection

Tax Compliance & Reporting

Glossary

If you use Microsoft Entra ID as your identity provider and choose the OIDC method for external authentication of the Lucanet CFO Solution Platform, you must first register Lucanet as an app in Microsoft Entra ID.

After successful registration and configuration, you can copy the authentication parameters in Microsoft Entra ID and paste them into the Lucanet CFO Solution Platform to complete the configuration of the external authentication.

To create an app registration for Lucanet at the MS Entra admin center:

Open the Microsoft Entra admin center at https://entra.microsoft.com.

Go to Applications | App registrations.

'App registrations' workspace at the Microsoft Entra admin center

Click New registration.

The page Register an application is displayed.

Enter the display name of the app in the field under Name.

Choose the option Accounts in this organizational directory only ( <Your enterprise> only - Single tenant) under Supported account types.

Copy the URI under Sign-In Redirect URL(s) in the External authentication workspace on the Lucanet CFO Solution Platform.

Copying the redirect URL from the Lucanet CFO Solution Platform

If necessary, choose the URI from the Web drop-down list in the Redirect URI (optional) area and enter it in the field behind Web in MS Entra ID.

Click Register.

Go to the newly created app registration and perform the following steps to configure Lucanet as an app in MS Entra ID:

Activate the ID tokens for the app registration. Proceed as follows:

Navigate to Manage | Authentication.

'Authentication' workspace on the navigation bar

Activate the ID tokens (used for implicit and hybrid flows) check box in the Implicit grant and hybrid flows area.

Create a client secret for Lucanet. Proceed as follows:

Navigate to Manage | Certificates & secrets.

'Certificates & secrets' workspace on the navigation bar

Click the button on the Client secrets tab:

Enter a name or description for the secret in the Description field in the Add a client secret area and, if necessary, choose a validity period for the secret from the Expires drop-down list:

Settings in the 'Add a client secret' area

Click Add. A client secret is generated, which is displayed in the Value column on the Client secrets tab:

Copying a client secret from MS Entra ID

Paste the value in the Client secret field in Lucanet CFO Solution Platform.

You can configure optional claims for Lucanet as an app in MS Entra ID. Proceed as follows:

Navigate to Manage | Token configuration.

'Token configuration' workspace on the navigation bar

Click the button .

Choose the ID token type and activate the email check box in the Claim column.

Choose the Access token type and activate the email check box in the Claim column.

Click Save. The optional claims are added and displayed, for example, as follows:

Set up the API permissions. Proceed as follows:

Navigate to Management | API Permissions.

'API permissions' workspace on the navigation bar

Click the button in the Configured permissions area.

Click Microsoft Graph on the Microsoft APIs tab.

Click Delegated permissions.

Activate the email and openid check boxes in the OpenId permissions area.

Settings in the 'OpenId permissions' area

Click Add permissions.

Click Grant Admin consent for <your enterprise> in the Configured permissions area.

Click Yes in the displayed dialog Grant admin consent confirmation.

The set-up permissions are displayed, for example, as follows:

You can find additional information on how to configure the app registration in MS Entra ID in the documentation from Microsoft.

After configuring the enterprise application and Single Sign-On in Azure/Microsoft Entra ID, you need to retrieve specific authentication parameters and add them to the Lucanet CFO Solution Platform to complete the external authentication setup.

Get the Client ID from Azure Portal/Microsoft Entra ID:

You can find the Client ID behind Application (client) ID in the Essentials area on the Overview page:

Displays the 'Overview' section in Azure — 'Overview' section in Azure

Displays the 'Essentials' area in MS Entra ID. The value behind 'Application (client) ID' is copied. — Copying the client ID from MS Entra ID

Paste the Client ID in the Client ID field in the Lucanet CFO Solution Platform.

Displays the 'Client ID' field in Lucanet — 'Client ID' field in Lucanet

Paste the Client secret value in the Client secret field in the Lucanet CFO Solution Platform, if not already configured in previous steps (see Creating a Client Secret).

Get the Issuer URL from Azure Portal/Entra ID Admin Center:

In the App registrations, select your application. On the Overview page, click Endpoints.

In the Endpoints panel, copy the tenant ID from the Authority URL (Accounts in this organizational directory only) field. Use the part highlighted in the red box in the screenshot example below (the tenant ID after https://login.microsoftonline.com/).

The Issuer URL has the following notation:

https://sts.windows.net/< Your tenant ID in MS Entra ID >

Example:

If your tenant ID is 123bfsd-as34-sd34-34fg-f35gh67h8, the issuer URL will be https://sts.windows.net/123bfsd-as34-sd34-34fg-f35gh67h8.

Displays the 'Endpoints' area on the 'Overview' page in MS Entra ID. — 'Endpoints' area on the 'Overview' page in MS Entra ID

In the App registrations, select your application. On the Overview page, click Endpoints.

The Issuer URL has the following notation:

https://sts.windows.net/< Your tenant ID in MS Entra ID >

Example:

If your tenant ID is 123bfsd-as34-sd34-34fg-f35gh67h8, the issuer URL will be https://sts.windows.net/123bfsd-as34-sd34-34fg-f35gh67h8.

Add the Issuer URL in the Issuer URL field in the Lucanet CFO Solution Platform.

Displays the 'Issuer URL' field in Lucanet — 'Issuer URL' field in Lucanet

Attention: The e-mail address of a user on the Lucanet CFO Solution Platform must be identical to the e-mail address in Azure/MS Entra ID. The upper and lower case of e-mail addresses must match exactly.

You can find additional information on how to use the parameters when configuring the external authentication for the Lucanet CFO Solution Platform with the OIDC method in the section Configuring OIDC in Configuring External Authentication.

If your User principal name and your e-mail address in Azure/MS Entra ID are different, the OIDC configuration will not work as described on this page. Please choose SAML as the authentication method instead.