Registering Lucanet as an App in MS Entra ID Using the OIDC Method
Last updated on 2025-02-18
Overview
If you use Microsoft Entra ID as an identity provider and choose the OIDC method for external authentication of the Lucanet CFO Solution Platform, you must first register Lucanet as an app in Microsoft Entra ID.
After successful registration and configuration, you can copy the authentication parameters in Microsoft Entra ID and paste them into the Lucanet CFO Solution Platform to complete the configuration of the external authentication.
Creating an App Registration for Lucanet in MS Entra ID
To create an app registration for Lucanet at the MS Entra admin center:
- Open the Microsoft Entra admin center at https://entra.microsoft.com.
- Go to Applications | App registrations.
  'App registrations' workspace at the Microsoft Entra admin center
- Click New registration.
  Button used to register a new app
  The page Register an application is displayed.
- Enter the display name of the app in the field under Name.
  Entering the display name of the app
- Choose the option Accounts in this organizational directory only (<Your enterprise> only - Single tenant) under Supported account types.
  Selecting the supported account type
- Copy the URI under Sign-In Redirect URL(s) in the External authentication workspace on the Lucanet CFO Solution Platform.
  Copying the redirect URL from the Lucanet CFO Solution Platform
  If necessary, choose the URI from the Web drop-down list in the Redirect URI (optional) area and enter it in the field behind Web in MS Entra ID.
  Configuration of the redirect URI
- Click Register.
  Completing the app registration
Configuring Lucanet in MS Entra ID
Go to the newly created app registration and perform the following steps to configure Lucanet as an app in MS Entra ID:
Activate the ID tokens for the app registration. Proceed as follows:
- Navigate to Manage | Authentication.
  'Authentication' workspace on the navigation bar
- Activate the ID tokens (used for implicit and hybrid flows) check box in the Implicit grant and hybrid flows area.
  Activating 'ID tokens'
Create a client secret. Proceed as follows:
- Navigate to Manage | Certificates & secrets.
  'Certificates & secrets' workspace on the navigation bar
- Click the button on the Client secrets tab.
- Enter a name or description for the secret in the Description field in the Add a client secret area and, if necessary, choose a validity period for the secret from the Expires drop-down list.
  Settings in the 'Add a client secret' area
- Click Add. A client secret is generated, which is displayed in the Value column on the Client secrets tab.
  Copying a client secret from MS Entra ID
You can configure optional claims for Lucanet as an app in MS Entra ID. Proceed as follows:
- Navigate to Manage | Token configuration.
  'Token configuration' workspace on the navigation bar
- Click the button.
- Choose the ID token type and activate the email check box in the Claim column.
  Setting for the 'ID' token type
- Choose the Access token type and activate the email check box in the Claim column.
  Setting for the 'Access' token type
- Click Save. The optional claims are added and displayed, for example, as follows:
  Optional claims configured
Set up the API permissions. Proceed as follows:
- Navigate to Manage | API permissions.
  'API permissions' workspace on the navigation bar
- Click the button in the Configured permissions area.
- Click Microsoft Graph on the Microsoft APIs tab.
  'Microsoft Graph' on the 'Microsoft APIs' tab
- Click Delegated permissions.
  'Delegated permissions' option
- Activate the email and openid check boxes in the OpenId permissions area.
  Settings in the 'OpenId permissions' area
- Click Add permissions.
- Click Grant Admin consent for <your enterprise> in the Configured permissions area.
  Button used to grant admin consent
- Click Yes in the displayed dialog Grant admin consent confirmation.
  The configured permissions are displayed, for example, as follows:
  API permissions in MS Entra ID
You can find additional information on how to configure the app registration in MS Entra ID in the documentation from Microsoft.
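The settings made in the steps above can be checked against the application object that Microsoft Graph returns for the app registration (for example, the JSON output of `az ad app show --id <app-id>`). The following audit is an added example, not Lucanet or Microsoft code; the function names, the sample object and the redirect URI are constructed, and the permission check only counts delegated Microsoft Graph scopes without resolving their IDs.

```python
from datetime import datetime, timezone

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

def _utc(ts: str) -> datetime:
    # Graph timestamps look like 2026-02-18T00:00:00Z; fractional seconds are dropped.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app_registration(app: dict, redirect_uri: str, now: datetime) -> list:
    """Return the registration steps that the application object does not reflect."""
    findings = []
    if app.get("signInAudience") != "AzureADMyOrg":
        findings.append("supported account type is not single tenant")
    web = app.get("web") or {}
    if redirect_uri not in (web.get("redirectUris") or []):
        findings.append("Lucanet redirect URI is not registered under Web")
    if not (web.get("implicitGrantSettings") or {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens are not activated")
    optional = app.get("optionalClaims") or {}
    for token_type in ("idToken", "accessToken"):
        names = {c.get("name") for c in optional.get(token_type) or []}
        if "email" not in names:
            findings.append(f"optional claim email missing for {token_type}")
    secrets = app.get("passwordCredentials") or []
    if not any(_utc(s["endDateTime"]) > now for s in secrets):
        findings.append("no unexpired client secret")
    graph = [r for r in app.get("requiredResourceAccess") or []
             if r.get("resourceAppId") == GRAPH_APP_ID]
    scopes = [a for r in graph for a in r.get("resourceAccess", []) if a.get("type") == "Scope"]
    if len(scopes) < 2:  # the steps above add two delegated scopes: email and openid
        findings.append("fewer than two delegated Microsoft Graph permissions")
    return findings

# Constructed sample: expired secret, access-token email claim never added; placeholder URI.
REDIRECT = "https://lucanet.example/auth/callback"
SAMPLE_APP = {
    "signInAudience": "AzureADMyOrg",
    "web": {"redirectUris": [REDIRECT],
            "implicitGrantSettings": {"enableIdTokenIssuance": True}},
    "optionalClaims": {"idToken": [{"name": "email"}], "accessToken": []},
    "passwordCredentials": [{"endDateTime": "2025-01-01T00:00:00Z"}],
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "<openid-scope-id>", "type": "Scope"},
        {"id": "<email-scope-id>", "type": "Scope"}]}],
}

if __name__ == "__main__":
    for finding in audit_app_registration(SAMPLE_APP, REDIRECT, datetime.now(timezone.utc)):
        print("-", finding)
```

Admin consent is not recorded on the application object, so it has to be confirmed separately in the Configured permissions area.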
Authentication Parameters for the Lucanet CFO Solution Platform
You can find the parameters required to configure the external authentication on the Lucanet CFO Solution Platform in the Microsoft Entra admin center as follows:
Option: Client secret
Description: You can find the client secret in the Value column on the Client secrets tab on the Manage | Certificates & secrets page. You can find more information on how to create a client secret in Creating a Client Secret.

Option: Issuer URL
Description: The issuer URL has the following notation:
https://sts.windows.net/<Your tenant ID in MS Entra ID>
You can find your tenant ID in the second half of the displayed URL under Authority URL in the Endpoints area on the Overview page.
Example: If your tenant ID is 123bfsd-as34-sd34-34fg-f35gh67h8, the issuer URL will be https://sts.windows.net/123bfsd-as34-sd34-34fg-f35gh67h8.
You can find additional information on how to use the parameters when configuring the external authentication for the Lucanet CFO Solution Platform with the OIDC method in the section Configuring OIDC in Configuring External Authentication.
Attention: The e-mail address of a user on the Lucanet CFO Solution Platform must be identical to the e-mail address in MS Entra ID. The upper and lower case of e-mail addresses must match exactly.
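When a sign-in fails after configuration, the decoded claims of an ID token show whether the issuer notation or the e-mail case is the cause. The following troubleshooting helper is an added example, not part of the Lucanet platform: it decodes the payload without verifying the signature, so it is for inspection only. The function names and sample tokens are constructed, and ignoring the trailing slash that Entra ID v1.0 tokens carry on `iss` is an assumption of this example.

```python
import base64
import json

def decode_payload(jwt: str) -> dict:
    """Decode a JWT payload for inspection. The signature is NOT verified."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_claims(claims: dict, issuer_url: str, platform_email: str) -> list:
    """Compare decoded claims with the issuer URL and user e-mail set on the platform."""
    findings = []
    iss = claims.get("iss", "")
    # Assumption: a trailing slash on either side is not treated as a mismatch.
    if iss.rstrip("/") != issuer_url.rstrip("/"):
        hint = " (v2.0 token format)" if iss.endswith("/v2.0") else ""
        findings.append(f"iss mismatch{hint}: {iss}")
    email = claims.get("email")
    if email is None:
        findings.append("email claim missing")
    elif email != platform_email:
        only_case = email.lower() == platform_email.lower()
        findings.append("email differs only in case" if only_case else "email mismatch")
    return findings

def sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

TENANT = "123bfsd-as34-sd34-34fg-f35gh67h8"      # example tenant ID from this article
ISSUER = f"https://sts.windows.net/{TENANT}"
SAMPLES = {                                       # constructed claim sets
    "ok": {"iss": ISSUER + "/", "email": "jane.doe@example.com"},
    "case": {"iss": ISSUER + "/", "email": "Jane.Doe@example.com"},
    "v2": {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0",
           "email": "jane.doe@example.com"},
    "no_email": {"iss": ISSUER + "/"},
}

def run_samples(platform_email: str = "jane.doe@example.com") -> dict:
    return {name: check_claims(decode_payload(sample_token(c)), ISSUER, platform_email)
            for name, c in SAMPLES.items()}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "OK")
```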