Configure single sign-on (SSO) for Azure AD

Before you can configure SSO for Azure AD in Incident Response you need to obtain the right credentials.

Before you begin

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third-party. More current information about the operation of that third-party’s system may be available from them directly.

Role required: admin


  1. Sign in to Azure portal.
  2. In the left pane, select the Azure Active Directory service.
  3. Go to Enterprise Applications.
  4. Select All Applications.
    If an application already exists for our Lightstep Incident Response account, click on that application and skip to Step 8.
  5. To add a new application, select New application.
  6. In the Browse Azure AD Gallery page click on Create your own application.
  7. On the Create application page, provide a descriptive name for your application.
  8. Select the What are you looking to do with your application? > Integrate any other applications you dont' find in the gallery (Non-gallery) option.
  9. Click Create.
    The application is created.
  10. Go to the Application Integration page.
  11. Find the Manage section.
  12. Select Single sign-on.
  13. On the Select a single sign-on method page, select SAML.
  14. On the Setup Single Sign-On with SAML page, select the icon for Basic SAML Configuration section.
  15. In the Basic SAML Configuration section:
    1. Under Identifier (EntryID) click on Add identifier.
    2. In the text box, enter the URL for our Lightstep Incident Response account. (https://<your subdomain>
    3. Click Save.
  16. In the SAML Signing Certificate section, download Certificate (Base64) using the PEM format.
  17. Make a note of your Azure AD Identifier and Login URL.
  18. Optional: Note the logout request endpoint URL from your provider to use for the IdP Logout URL field, if you are enabling Single Sign Out.
  19. Logout.
  20. Log in to Incident Response.
  21. On the navigation pane, select Admin.
  22. On the Single Sign-on, OAuth Identity form, select Set up and manage SSO.
    Note: Only one authentication feature can be enabled at a time.
    Generic SSO configuration form
  23. Select Edit.
  24. Fill in the SSO fields with the information you noted from your provider.
    Field Description
    IdP Issuer URI/Entity ID Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IdP EntityDescriptor.
    IdP Login URL The binding-specific IDP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages from Incident Response.
    IdP Logout URL [Hidden] Visible when Single Sign Out is enabled. This is the logout request endpoint URL for your IdP.
    IdP Signature Certificate
    The PEM encoded public key certificate of the Identity Provider used to verify SAML message and assertion signatures.
    Note: Be sure to include the BEGIN header and END footer with dashes.

    A certificate expiration date is generated after successfully adding the certificate. Placeholder alt text for cert-expiration-date

  25. Optional: Enabled by default. Force password authentication enforces password-based to authentication. Disabling it lets your IdP choose an appropriate authentication method such as MFA or Security key.
  26. Optional: To activate single sign out, select the Enable Single Sign Out toggle switch.
    When enabled it completes the user IdP logout. Otherwise, their logout is only from Incident Response.
  27. Select Save.
    Figure 1. Configured SSO form example
    Completed SSO configuration form
  28. Use the Test connection button to make sure your configuration works.

    Test connection creates a popup with your results.

    When the test succeeds, you can select Activate to enable SSO.

    If the test failed, follow the instructions in the popup and select Close to continue editing.

    Once you have successfully tested your configuration and activated, you're done. Your SSO configuration is enabled.
    Note: To disable the configuration, use the Enable Single Sign In toggle switch back to the off position.

What to do next

See Sign in to Incident Response using Single Sign-on, OAuth, or multi-factor authentication.