Configuring SSO and Directory Syncing with Entra and Lookout

Guide to setup directory sync and SSO integration between Lookout and Microsoft Entra.

Written by Tate Johnson
Updated over 8 months ago

After completing these steps, you should have a working directory sync and SSO integration between Lookout and Microsoft Entra.

💬 SSO must be enabled by Lookout before these steps can be completed.

Please contact your Lookout representative for more information about SSO.

For context, directory syncing is required for SSO to function: users must be synchronised into Lookout with the correct identifiers so that Lookout can resolve them during login.

If you already have users in Lookout and are adding SSO, first see Prepare your Lookout instance for SSO below.

Prepare your Lookout instance for SSO

We recommend auditing the emails you expect to be able to use for SSO against the users you have already added to Lookout. This prevents the problem described under User created with wrong email below, which can be difficult to merge once a user starts using the erroneously created profile.

You can get a report of the users from Entra by navigating to the group you are going to assign to the application, then clicking Members > Bulk Operations > Download Members.

Create a report in Lookout with the data export category Profiles and export the emails. You can also limit it to staffers and/or helpers.

Use a tool like Excel or Google Sheets to find emails in one export that have no match in the other.

Identify any emails that don’t match and update them in Lookout.
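The four audit steps above, as an added example that is not part of the original article: a Python script that reconciles a constructed Entra member export with a constructed Lookout profile export by normalised email, then uses the display name to spot people who already exist in Lookout under a different address. The column names (displayName, userPrincipalName, objectId, name, email) are assumptions about the two export formats.

```python
import csv
import io

# Constructed sample exports (not real data), shaped like the Entra
# "Download Members" CSV and a Lookout Profiles report limited to emails.
ENTRA_MEMBERS_CSV = """displayName,userPrincipalName,objectId
Ada Lovelace,ada.lovelace@example.org,11111111-1111-1111-1111-111111111111
Bob Smith,Bob.Smith@example.org,22222222-2222-2222-2222-222222222222
Chen Wei,chen.wei@example.org,33333333-3333-3333-3333-333333333333
"""
LOOKOUT_PROFILES_CSV = """name,email
Ada Lovelace,ada.lovelace@example.org
Bob Smith,bsmith@example.org
Dana Kim,dana.kim@example.org
"""


def norm(value):
    """Case and surrounding whitespace are not significant when matching emails."""
    return (value or "").strip().lower()


def load(csv_text, name_col, email_col):
    """Return {normalised email: normalised display name} for one export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {norm(r[email_col]): norm(r[name_col]) for r in rows if norm(r[email_col])}


def audit(entra_csv, lookout_csv):
    """Reconcile the exports by email, then use the display name to spot
    Lookout profiles that already exist under a different address."""
    entra = load(entra_csv, "displayName", "userPrincipalName")
    lookout = load(lookout_csv, "name", "email")
    only_entra = set(entra) - set(lookout)
    only_lookout = set(lookout) - set(entra)
    # Same person, different email: provisioning would create a second
    # profile for them unless the Lookout email is corrected first.
    by_name = {lookout[e]: e for e in only_lookout}
    mismatched = {e: by_name[entra[e]] for e in only_entra if entra[e] in by_name}
    return {
        "matched": sorted(set(entra) & set(lookout)),
        "fix_in_lookout": mismatched,  # {IdP email: current Lookout email}
        "new_from_idp": sorted(only_entra - set(mismatched)),
        "no_idp_account": sorted(only_lookout - set(mismatched.values())),
    }


if __name__ == "__main__":
    for bucket, value in audit(ENTRA_MEMBERS_CSV, LOOKOUT_PROFILES_CSV).items():
        print(f"{bucket}: {value}")
```

Entries under fix_in_lookout are the ones to correct in Lookout before assigning the group; no_idp_account entries will never be able to sign in with SSO until they exist in Entra.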

Configuring SSO and Directory Syncing

Entra: Create a new Enterprise Application in Entra

Create a new enterprise application in your organisation's Entra.

Create your own application and call it “Lookout”.

Click on Single Sign On and choose SAML.

❗ Copy the App Federation Metadata URL from the SAML Certificates section; you will enter it in Lookout in the next step.

Lookout: Configure SSO integration in Lookout

Navigate to the Settings menu. Under the Developers section, there will be a link to Single sign-on.

Edit the configuration. The provider name should be the name of your IdP, e.g. Microsoft or Google. The Metadata URL you copied earlier goes in the metadata field provided. Click on “Save”.

Click on “Build SSO infrastructure” and wait for it to complete.

Once provisioning is complete, you will be provided:

  • Identifier (SAML audience)

  • Reply URL (SAML assertion URL)

  • Both certificates

  • Directory syncing URL

Generate a directory syncing secret

You must copy the directory syncing secret now, as it won’t be shown again.

Back in Entra: complete application configuration

Edit the “Basic SAML Configuration” and add the Identifier and Reply URL provided.

In the Attributes & Claims section, remove all attributes except Unique User Identifier. Add an idp_user_id attribute and map it to user.objectid.

Configure Entra to verify SAML requests from Lookout.

  • Find “Verification certificates” and press the Edit button next to it

  • Enable “Require verification certificates”

  • Use the verification certificate that is provided in Lookout

Configure Entra to encrypt and sign tokens issued for Lookout.

  • Navigate to Token encryption

  • Import the token encryption certificate provided in Lookout.

  • Activate the certificate

  • Navigate back to the Lookout enterprise application

  • Under SAML Certificates, change the Signing Option to “Sign SAML response and assertion”
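To see what the Identifier and the Attributes & Claims configuration above should produce, here is an added example (not from the article or from Lookout) that inspects a constructed, unsigned SAML assertion for the NameID, the idp_user_id claim and the Audience, and reports configuration drift. The Audience URL and GUIDs are placeholders; signature verification and decryption are left to the SAML library in real use.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned assertion in the shape Entra issues for this setup.
# Audience, NameID and GUIDs are placeholders, not a real tenant.
# The givenname claim is one of Entra's default claims that the
# instructions say to remove; it is left in to exercise the drift check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder">
  <saml:Subject><saml:NameID>ada.lovelace@example.org</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://lookout.example/saml/placeholder-identifier</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="idp_user_id">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def inspect_assertion(xml_text, expected_audience):
    """Extract the fields this integration depends on and list config drift.

    Signature verification and decryption are deliberately out of scope:
    in production the SAML library must validate the response before any
    field is trusted. This only checks that the claims are as configured."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", namespaces=NS)}
    problems = []
    if audience != expected_audience:
        problems.append("Audience does not equal the Identifier issued by Lookout")
    if not attrs.get("idp_user_id"):
        problems.append("idp_user_id claim missing: map it to user.objectid")
    extra = sorted(set(attrs) - {"idp_user_id"})
    if extra:
        problems.append(f"claims not removed in Attributes & Claims: {extra}")
    return {"name_id": name_id, "idp_user_id": attrs.get("idp_user_id"), "problems": problems}
```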

Entra: configure provisioning

For SSO to work, the users must be “provisioned” (synced) from the IdP (Entra) to Lookout.

Enable provisioning in the Enterprise Application by clicking ‘Get Started’.

Use automatic mode, and enter the directory syncing URL and secret (token) provided by Lookout. Test the connection to make sure it works.

Configure the provisioning attribute mapping so that externalId maps to objectId.

Entra: assigning users

Users must be “assigned” to the application before they will be provisioned. This can be done per user or by assigning groups.

Click Overview and click “Start provisioning”. This may take up to an hour to complete. Check for errors if it does not.

Provisioning in Entra should now be automatic. When users are added, removed or deactivated, the change should be mirrored in Lookout. Check the provisioning overview for details.

Back in Lookout

Enable your SSO sign-in.

Single Sign On should now work, provided the user has been provisioned properly. If you receive errors regarding certificates, be aware that it may take up to 24 hours for certificates to become available.

FAQ

Certificate issues

If you cannot proceed to the Microsoft Login flow after configuring the certificates correctly, it means the signing certificate (SAML verification certificate) is incorrect.

If you cannot return to Lookout after completing the login with Microsoft, it means the encryption certificate (Token encryption) is incorrect.

Groups not syncing

Groups can only sync through automatic provisioning; allow up to an hour for automatic provisioning to run. Group syncing doesn’t work well with provisioning on demand.

User created with wrong email

This can happen if a profile is created in Lookout with an email different from your identity provider's.

We recommend:

  1. Find the erroneously created user in Lookout through the Profile search.

  2. Go to the profile and press Edit.

  3. Scroll to the bottom and permanently delete the profile.

  4. Update the email of the user to be the same as in your IdP.

  5. Manually provision the user. The user should now be linked correctly, and SSO will work for them.
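An added example, not Lookout's code, that models the provisioning behaviour the article describes (externalId = objectId as the stable link, email as the fallback) and replays the wrong-email case above together with the fix in steps 3 to 5. The profile fields (id, email, idp_user_id, active) and the resolution order are assumptions made for the model.

```python
import uuid

# In-memory stand-in for Lookout profiles. This is an illustrative model of
# the behaviour the article describes, not Lookout's own implementation.
# Assumed fields: id, email, idp_user_id (the Entra objectId), active.


def provision(directory, scim_user):
    """Apply one SCIM user whose externalId is the Entra objectId.

    Resolution order: an existing link by externalId, then an unlinked
    profile with the same email; otherwise a new profile is created."""
    ext_id = scim_user["externalId"]
    email = scim_user["userName"].strip().lower()
    active = scim_user.get("active", True)
    for p in directory:
        if p.get("idp_user_id") == ext_id:      # stable link: survives email changes
            p["email"], p["active"] = email, active
            return "updated", p
    for p in directory:
        if p["email"].lower() == email and not p.get("idp_user_id"):
            p["idp_user_id"], p["active"] = ext_id, active
            return "linked", p
    p = {"id": str(uuid.uuid4()), "email": email, "idp_user_id": ext_id, "active": active}
    directory.append(p)
    return "created", p                         # the FAQ's duplicate-profile case


# Constructed SCIM user as Entra would push it (placeholder objectId).
BOB = {"externalId": "22222222-2222-2222-2222-222222222222",
       "userName": "Bob.Smith@example.org", "active": True}


def wrong_email_scenario():
    """Replay the FAQ case and the recommended fix; return the outcomes."""
    directory = [{"id": "p-1", "email": "bsmith@example.org", "idp_user_id": None, "active": True}]
    first, dup = provision(directory, BOB)            # duplicate created, p-1 untouched
    directory.remove(dup)                              # step 3: permanently delete it
    directory[0]["email"] = "bob.smith@example.org"    # step 4: match the IdP email
    second, linked = provision(directory, BOB)         # step 5: provision again
    # A later change pushed by Entra: new email, account disabled. The objectId
    # link still resolves the profile even though the email no longer matches.
    third, same = provision(directory, {**BOB, "userName": "robert.smith@example.org", "active": False})
    return first, second, third, linked["id"] == same["id"], len(directory), same["active"]
```

The last step is why the article insists on externalId mapping to objectId: an email-only match would have created yet another profile instead of deactivating the existing one.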

Firing actions from SCIM events

There are two avenues for reacting to SCIM events:

  1. Use the provided helper and staffer creation based on SCIM groups
    • good for installations without many rules and simple onboarding of staffers and helpers

  2. Use webhooks and the Workato integration
    • better for complex onboarding, e.g. create a ticket and assign users to complete onboarding flows

Using simple role creation from SCIM group syncing

  1. Navigate to the Settings menu. Under the Developers section, there will be a link for “SCIM” (System for Cross-domain Identity Management).

  2. Clicking on this will reveal groups already synchronised from your IdP. If you don’t see the groups you are expecting, make sure:
    • Group syncing is enabled in your integration
    • The group has been added to the Lookout Entra application
    • Provisioning has been set to automatic. Group syncing can have problems if you are manually provisioning the group; usually only automatic provisioning is capable of syncing groups properly. You may have to wait up to 24 hours for the next automatic provisioning run.

  3. Once the group appears, you may choose which roles you want to create for users that are part of the group.

  4. To backfill users, use the “Compare” button to see roles that are missing or should be removed. Use the “Apply settings” button to create roles that are missing. Roles are never removed based on group settings, but they will be present in the “Compare” table and you can use the links provided in the table to remove them if you wish.

Turn off syncing

Disabling SSO does not turn off SCIM syncing. To prevent syncing, rotate the SCIM credential by pressing “Regenerate secret”. The SCIM credential will need to be updated once you are ready to start syncing again.
