---
title: "Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure"
source_url: https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication/entra-id-registration-OIDC
language: en
last_updated: 2023-08-16
---
# Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure

## Overview

If you use **Microsoft Entra ID** as your identity provider and choose the **OIDC** method for **external authentication** of the Lucanet CFO Solution Platform, you must first register Lucanet as an app in Microsoft Entra ID.

After successful registration and configuration, you can copy the authentication parameters in Microsoft Entra ID and paste them into the Lucanet CFO Solution Platform to complete the configuration of the external authentication.

## Creating an App Registration for Lucanet in MS Entra ID

To create an app registration for Lucanet at the MS Entra admin center:

{% stepper %}
{% stepper-step %}
Open the Microsoft Entra admin center at [https://entra.microsoft.com](https://entra.microsoft.com).
{% /stepper-step %}
{% stepper-step %}
Go to **Applications | App registrations**.

'App registrations' workspace at the Microsoft Entra admin center

{% /stepper-step %}
{% stepper-step %}
Click **New registration**.

Button used to register a new app

The page **Register an application** is displayed.
{% /stepper-step %}
{% stepper-step %}
Enter the display name of the app in the field under **Name**.

Entering the display name of the app

{% /stepper-step %}
{% stepper-step %}
Choose the option **Accounts in this organizational directory only (** _<Your enterprise>_ **only - Single tenant)** under **Supported account types**.

Selecting the supported account type

{% /stepper-step %}
{% stepper-step %}
Copy the URI under **Sign-In Redirect URL(s)** in the **External authentication** workspace on the Lucanet CFO Solution Platform.

Copying the redirect URL from the Lucanet CFO Solution Platform

If necessary, choose the URI from the **Web** drop-down list in the **Redirect URI (optional)** area and enter it in the field next to **Web** in MS Entra ID.

Configuration of the redirect URI

{% /stepper-step %}
{% stepper-step %}
Click **Register**.

Completing the app registration

{% /stepper-step %}
{% /stepper %}
## Configuring Lucanet in MS Entra ID

Go to the newly created app registration and perform the following steps to configure Lucanet as an app in MS Entra ID:

### Activating ID Tokens

Activate the **ID tokens** for the app registration. Proceed as follows:

{% stepper %}
{% stepper-step %}
Navigate to **Manage | Authentication**.

'Authentication' workspace on the navigation bar

{% /stepper-step %}
{% stepper-step %}
Activate the **ID tokens (used for implicit and hybrid flows)** check box in the **Implicit grant and hybrid flows** area.

Activating 'ID tokens'

{% /stepper-step %}
{% /stepper %}
### Creating a Client Secret

Create a **client secret** for Lucanet. Proceed as follows:

{% stepper %}
{% stepper-step %}
Navigate to **Manage | Certificates & secrets**.

'Certificates & secrets' workspace on the navigation bar

{% /stepper-step %}
{% stepper-step %}
Click the button on the **Client secrets** tab:
{% /stepper-step %}
{% stepper-step %}
Enter a name or description for the secret in the **Description** field in the **Add a client secret** area and, if necessary, choose a validity period for the secret from the **Expires** drop-down list:

Settings in the 'Add a client secret' area

{% /stepper-step %}
{% stepper-step %}
Click **Add**. A client secret is generated, which is displayed in the **Value** column on the **Client secrets** tab:

Copying a client secret from MS Entra ID

{% /stepper-step %}
{% stepper-step %}
Paste the value in the **Client secret** field in Lucanet CFO Solution Platform.

'Client secret' field in Lucanet

{% /stepper-step %}
{% /stepper %}
### Configuring Optional Claims

You can configure optional claims for Lucanet as an app in MS Entra ID. Proceed as follows:

{% stepper %}
{% stepper-step %}
Navigate to **Manage | Token configuration**.

'Token configuration' workspace on the navigation bar

{% /stepper-step %}
{% stepper-step %}
Click the button .
{% /stepper-step %}
{% stepper-step %}
Choose the **ID** token type and activate the **email** check box in the **Claim** column.

Setting for the 'ID' token type

{% /stepper-step %}
{% stepper-step %}
Choose the **Access** token type and activate the **email** check box in the **Claim** column.

Setting for the 'Access' token type

{% /stepper-step %}
{% stepper-step %}
Click **Save**. The optional claims are added and displayed, for example, as follows:

Optional claims configured

{% /stepper-step %}
{% /stepper %}
### Setting Up API Permissions

Set up the API permissions. Proceed as follows:

{% stepper %}
{% stepper-step %}
Navigate to **Manage | API permissions**.

'API permissions' workspace on the navigation bar

{% /stepper-step %}
{% stepper-step %}
Click the button in the **Configured permissions** area.
{% /stepper-step %}
{% stepper-step %}
Click **Microsoft Graph** on the **Microsoft APIs** tab.

'Microsoft Graph' on the 'Microsoft APIs' tab

{% /stepper-step %}
{% stepper-step %}
Click **Delegated permissions**.

'Delegated permissions' option

{% /stepper-step %}
{% stepper-step %}
Activate the **email** and **openid** check boxes in the **OpenId permissions** area.

Settings in the 'OpenId permissions' area

{% /stepper-step %}
{% stepper-step %}
Click **Add permissions**.
{% /stepper-step %}
{% stepper-step %}
Click **Grant Admin consent for _<your enterprise>_** in the **Configured permissions** area.

Button used to grant admin consent

{% /stepper-step %}
{% stepper-step %}
Click **Yes** in the displayed dialog **Grant admin consent confirmation**.
{% /stepper-step %}
{% stepper-step %}
The set-up permissions are displayed, for example, as follows:

API permissions in MS Entra ID

{% /stepper-step %}
{% /stepper %}
{% info-box %}
You can find additional information on how to configure the app registration in MS Entra ID in the [documentation from Microsoft](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).
{% /info-box %}

## Configuring Authentication Parameters for the Lucanet CFO Solution Platform

After configuring the enterprise application and Single Sign-On in Azure/Microsoft Entra ID, you need to retrieve specific authentication parameters and add them to the Lucanet CFO Solution Platform to complete the external authentication setup.

{% stepper %}
{% stepper-step %}
Get the **Client ID** from Azure Portal/Microsoft Entra ID:

You can find the Client ID next to **Application (client) ID** in the **Essentials** area on the **Overview** page:

'Overview' section in Azure

Copying the client ID from MS Entra ID
{% /stepper-step %}
{% stepper-step %}
Paste the Client ID in the **Client ID** field in the Lucanet CFO Solution Platform.

'Client ID' field in Lucanet
{% /stepper-step %}
{% stepper-step %}
Paste the Client secret value in the **Client secret** field in the Lucanet CFO Solution Platform, if not already configured in previous steps (see [Creating a Client Secret](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication/entra-id-registration-OIDC/.md#secret)).
{% /stepper-step %}
{% stepper-step %}
Get the **Issuer URL** from Azure Portal/Entra ID Admin Center:

In the **App registrations**, select your application. On the **Overview** page, click **Endpoints**.

'Overview' section in Azure

'Endpoints' button on the 'Overview' page

In the **Endpoints** panel, copy the tenant ID from the **Authority URL (Accounts in this organizational directory only)** field. Use the part highlighted in the red box in the screenshot example below (the tenant ID after https://login.microsoftonline.com/).

The Issuer URL has the following notation:

**https://sts.windows.net**/< _Your tenant ID in MS Entra ID_ >

Example:

If your tenant ID is **123bfsd-as34-sd34-34fg-f35gh67h8**, the issuer URL will be **https://sts.windows.net/123bfsd-as34-sd34-34fg-f35gh67h8**.

'Endpoints' area on the 'Overview' page in MS Entra ID
{% /stepper-step %}
{% stepper-step %}
Add the Issuer URL in the **Issuer URL** field in the Lucanet CFO Solution Platform.

'Issuer URL' field in Lucanet
{% /stepper-step %}
{% /stepper %}

{% warning-box %}
**Attention**: The e-mail address of a user on the **Lucanet CFO Solution Platform** must be identical to the e-mail address in **Azure/MS Entra ID**. The upper and lower case of e-mail addresses must match exactly.
{% /warning-box %}

You can find additional information on how to use the parameters when configuring the external authentication for the Lucanet CFO Solution Platform with the OIDC method in the section [Configuring OIDC](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication.md#oidc) in **Configuring External Authentication**.

{% warning-box %}
If your **User principal name** and your **e-mail address** in Azure/MS Entra ID are different, the OIDC configuration will not work as described on this page. Please choose **SAML** as the authentication method instead.
{% /warning-box %}
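
A pre-flight check for the parameters above, as an added example that is not part of Lucanet's documentation or tooling: it derives the Issuer URL from the copied Authority URL and compares the `iss`, `aud` and `email` claims of a test ID token against the values entered on the platform. The tenant ID, client ID, addresses and token are constructed samples, and the claim names checked for the user principal name are an assumption; the payload is decoded without signature verification, for diagnosis only.

```python
import base64, json, re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

def issuer_from_authority(authority_url):
    """Build the Issuer URL in this page's notation from the copied Authority URL."""
    parts = urlparse(authority_url.strip())
    tenant = parts.path.strip("/").split("/")[0]
    if parts.hostname != "login.microsoftonline.com" or not GUID.match(tenant):
        raise ValueError("not a single-tenant Authority URL: %r" % authority_url)
    return "https://sts.windows.net/" + tenant

def decode_payload(id_token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def preflight(claims, issuer_url, client_id, platform_email):
    """Return a list of findings; an empty list means the values line up."""
    findings = []
    if claims.get("iss", "").rstrip("/") != issuer_url.rstrip("/"):  # trailing slash ignored
        findings.append("iss does not match the Issuer URL")
    if claims.get("aud") != client_id:
        findings.append("aud does not match the Client ID")
    email = claims.get("email")
    if email is None:
        findings.append("email claim missing: check the optional claims")
    elif email != platform_email:  # the page requires an exact, case-sensitive match
        same = email.lower() == platform_email.lower()
        findings.append("email mismatch: " + ("case differs" if same else "different address"))
    # Assumption: the user principal name appears in one of these claims, if at all.
    for name in ("upn", "preferred_username", "unique_name"):
        if email and name in claims and claims[name] != email:
            findings.append(name + " differs from email: use SAML instead")
            break
    return findings

def sample_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])

if __name__ == "__main__":
    tid = "11111111-2222-3333-4444-555555555555"  # constructed tenant ID
    iss = issuer_from_authority("https://login.microsoftonline.com/" + tid)
    tok = sample_token({"iss": iss + "/", "aud": "app-id", "email": "Ana@example.com"})
    print(preflight(decode_payload(tok), iss, "app-id", "ana@example.com"))
```
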
