Azure AD SAML Configuration for LightBeam

Configure HTTPS for the LightBeam endpoint before starting the Azure AD SAML configuration.

Azure AD Configuration

  1. Navigate to the Azure portal.

  2. Locate 'Enterprise applications' and select 'New Application'.

  3. Choose 'Create your own application' and name it appropriately.

Fig. 1 Azure AD SAML - Create your own application

  4. In the global search bar, type 'App registrations' and find your application by name.

Fig. 2. Azure AD SAML - App registrations

  5. Select your application and click on 'Application ID URI'.

Fig. 3. Azure AD SAML - Application ID URI

  6. Click on 'Add'.

Fig. 4. Azure AD SAML - Add Application ID URI

  7. Enter the Application ID URI and click on 'Save'.

Fig. 5. Azure AD SAML - Save Application ID URI
Fig. 6. Azure AD SAML - Application ID URI

  8. Click on 'Overview' in the left navigation menu, then click on 'Endpoints'.

  9. Copy the URL from the 'Federation metadata document'.

Note: This URL is needed later to configure Azure AD as the auth provider in LightBeam.

  10. On the 'Overview' page, under 'Managed application in local directory', click on the app name.

  11. Next, configure SAML and assign users and groups.

Setup Single sign-on:

  • To configure SAML settings, click on Set up single sign on.

Fig. 7. Azure AD SAML - Set up single sign on
  • Click on SAML.

Fig. 8. Azure AD SAML - SAML
  • To configure basic SAML settings, select 'Edit', which opens a configuration window.

Fig. 9. Azure AD SAML - Basic SAML Configuration
  • Identifier (Entity ID): <LIGHTBEAM_ENDPOINT>/auth/realms/master

  • Reply URL: <LIGHTBEAM_ENDPOINT>/auth/realms/master/broker/AzureAD/endpoint

Click on Save.

Fig. 10. Azure AD SAML - Basic SAML Configuration - ID & Reply URL
  • Now click on the Edit button to update user Attributes and Claims.

Fig. 11. Azure AD SAML - Basic SAML Configuration - Attributes & Claims
  • Click on Add a group claim.

Fig. 12. Azure AD SAML - Add a Group Claim
Fig. 13. Azure AD SAML - Add a Group Claim - Source attribute
  • After making the necessary changes, click 'Save'. The configured attributes and claims will then be displayed.

Fig. 14. Azure AD SAML - Updated Attributes & Claims

Add users and groups

  • Assign the necessary users and groups in Azure AD for integration.

Fig. 15. Azure AD SAML - Assign users & groups
  • Use the search functionality to find specific users or groups you want to assign. Select the users you want to integrate with the SAML application.

Fig. 16. Azure AD SAML - Assign users & groups - Search for user
  • Assign the necessary roles and permissions for each user.

Fig. 17. Azure AD SAML - Assign users & groups - Assign user
  • Add new users or groups as needed.

Fig. 18. Azure AD SAML - Assign users & groups - Add user/group
  • Ensure that each user or group has the appropriate level of access for the integration.

Fig. 18.1 Azure AD SAML - Assign users & groups - Add user/group

With the above steps Azure AD SAML configuration is done.

Configure Auth Provider

  • Now, the next step is to log in to LightBeam UI using admin user credentials and configure the Auth Provider.

Note: Configure SMTP before configuring the auth provider, so that the roles of the users can be changed afterwards.

  • Before Azure AD configuration, the login page looks like this:

Fig. 19 Azure AD SAML - Configure Auth Provider - Login Page
  • Once the login is successful, click on the settings (⚙️) gear icon at the top right.

  • Click on Auth Provider.

  • Select AzureAD from the drop-down list.

  • Select 'SAML' as the protocol.

  • Provide the metadata URL copied above and click on Save.

  • After a successful Save message, click on Logout from the top right user profile icon.

Fig. 19 Azure AD SAML - Configure Auth Provider - Select Auth Provider
  • On the login page, the Azure AD option should now be visible.

Fig. 20 Azure AD SAML - Configure Auth Provider - New Login Page

Setting up default role

- Log in to Keycloak.

- Click on Roles.

Fig. 21 Azure AD SAML - Setting up default role - Click on Roles

- Click on Default Roles.

Fig. 22 Azure AD SAML - Setting up default role - Click on Default Roles

- In Client Roles, select LightBeam.

Fig. 23 Azure AD SAML - Setting up default role - Client Roles

- Select lb-reader role from Available Roles and click on Add selected.

Fig. 24 Azure AD SAML - Setting up default role - Available Roles
Fig. 25 Azure AD SAML - Setting up default role - lightbeam

- With this, the default role for every user is set to lb-reader.

Configure Keycloak Mappers

  • Log into your Keycloak instance and navigate to the 'Identity Providers' section.

  • Select 'AzureAD' from the list of identity providers, which will open a new page offering two tabs: 'Settings' and 'Mappers'.


Fig. 26 Azure AD SAML - Keycloak Mappers - Identity Providers

We need to configure the following four mappers:

AzureAD Mappers Configuration

Scroll to the top of the page and click on 'Mappers', located next to the 'Settings' tab. Here, you'll create mappings for various user attributes.

  • Username Mapper:

    • For this Mapper, the Mapper Type will be “Username Template Importer” from the drop-down menu.

    • The template will be ${ATTRIBUTE.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name}

  • Firstname Mapper:

    • For this Mapper, the Mapper Type will be “Attribute Importer” from the drop-down menu.

    • The Attribute Name will be the AD schema http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    • The User Attribute Name will be “firstName”.

  • Lastname Mapper:

    • For this Mapper, the Mapper Type will be “Attribute Importer” from the drop-down menu.

    • The Attribute Name will be the AD schema http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    • The User Attribute Name will be “lastName”.

  • Email mapper:

    • For this Mapper, the Mapper Type will be “Attribute Importer” from the drop-down menu.

    • The Attribute Name will be the AD schema http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

    • The User Attribute Name will be “email”.

Once all four mappers are configured, they are listed on the 'Mappers' tab.
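As an added example (not LightBeam's or Keycloak's own code), the following Python shows what the Basic SAML Configuration values and the four mappers above amount to at login time: it checks that an incoming assertion's Audience and Recipient match the configured Entity ID and Reply URL, then builds the Keycloak user that the Username Template Importer and the three Attribute Importers would create, with lb-reader as the default client role. The hostname, the sample assertion and the client id 'lightbeam' are assumptions; signature verification, which Keycloak performs using the federation metadata, is left out.

```python
import re
import xml.etree.ElementTree as ET

# <LIGHTBEAM_ENDPOINT> is the guide's placeholder; the hostname used here is constructed.
LIGHTBEAM_ENDPOINT = "https://lightbeam.example.com"
ENTITY_ID = LIGHTBEAM_ENDPOINT + "/auth/realms/master"      # Identifier (Entity ID)
REPLY_URL = ENTITY_ID + "/broker/AzureAD/endpoint"          # Reply URL
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The guide's four mappers plus the lb-reader default role (client id "lightbeam" is assumed).
USERNAME_TEMPLATE = "${ATTRIBUTE." + CLAIMS + "name}"       # Username Template Importer
ATTRIBUTE_IMPORTERS = {"firstName": CLAIMS + "givenname",   # Attribute Importers
                       "lastName": CLAIMS + "surname",
                       "email": CLAIMS + "emailaddress"}
DEFAULT_ROLE = "lb-reader"

def parse_assertion(xml_text):
    # Returns (audience, recipient, {claim_uri: first value}) from a SAML 2.0 assertion.
    a = ET.fromstring(xml_text)
    audience = a.findtext(".//saml:Audience", namespaces=NS)
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    attrs = {}
    for attr in a.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return audience, recipient, attrs

def apply_mappers(attrs):
    # Expands ${ATTRIBUTE.<claim>} in the template; Keycloak stores usernames in lowercase.
    username = re.sub(r"\$\{ATTRIBUTE\.([^}]+)\}", lambda m: attrs.get(m.group(1), ""), USERNAME_TEMPLATE)
    user = {"username": username.lower(), "clientRoles": {"lightbeam": [DEFAULT_ROLE]}}
    for user_attr, claim in ATTRIBUTE_IMPORTERS.items():
        user[user_attr] = attrs.get(claim)
    return user

def broker_login(xml_text):
    # Audience/Recipient must match the Entity ID / Reply URL; signature checks (Keycloak's job) omitted.
    audience, recipient, attrs = parse_assertion(xml_text)
    if audience != ENTITY_ID or recipient != REPLY_URL:
        raise ValueError("assertion was not issued for this LightBeam SAML configuration")
    return apply_mappers(attrs)

def _attr(name, value):  # helper for the constructed sample assertion below
    return f'<saml:Attribute Name="{CLAIMS}{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
SAMPLE_ASSERTION = (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject><saml:SubjectConfirmation>'
    f'<saml:SubjectConfirmationData Recipient="{REPLY_URL}"/></saml:SubjectConfirmation></saml:Subject>'
    f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>'
    + _attr("name", "JDoe@example.com") + _attr("givenname", "Jane") + _attr("surname", "Doe")
    + _attr("emailaddress", "jdoe@example.com") + '</saml:AttributeStatement></saml:Assertion>')
```

Running `broker_login(SAMPLE_ASSERTION)` yields the mapped user; an assertion whose Audience names a different Entity ID is rejected.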

Sign-in with AzureAD SSO from LightBeam login page.

LightBeam login page.

Once you click on the Sign in with Azure AD option from the login page, it redirects to Microsoft and asks to select the user and provide credentials.

Fig. 32 Azure AD SAML - Sign in with Azure AD
Update the user details.
If the user already exists, select 'Add to existing account'.

Once you have successfully logged in, the LightBeam Dashboard will be displayed. On the User Management screen, you will find a list of users along with their respective roles. By default, when a user is onboarded from Azure AD to the LightBeam system, they are assigned the "View Only" role. However, an admin can modify the "View Only" role to any other available role within the system.

Fig. 32 Azure AD SAML - User Management Screen

As Azure AD users begin to log in to the LightBeam app, all the successfully logged-in users will be listed on the user management page.

Updating LightBeam in myapps.microsoft.com Portal

  • Add a site.

  • Provide the LightBeam HTTPS FQDN.

About LightBeam

LightBeam automates Privacy, Security, and AI Governance, so businesses can accelerate their growth in new markets. Leveraging generative AI, LightBeam has rapidly gained customers’ trust by pioneering a unique privacy-centric and automation-first approach to security. Unlike siloed solutions, LightBeam ties together sensitive data cataloging, control, and compliance across structured and unstructured data applications providing 360-visibility, redaction, self-service DSRs, and automated ROPA reporting ensuring ultimate protection against ransomware and accidental exposures while meeting data privacy obligations efficiently. LightBeam is on a mission to create a secure privacy-first world helping customers automate compliance against a patchwork of existing and emerging regulations.

For any questions or suggestions, please get in touch with us at: [email protected].
