home

Mobile Endpoint Security

Mobile Endpoint SecuritySecurity Service Edge
Mobile Endpoint SecuritySecurity Service Edge

Lookout Product Documentation

Find answers about using and optimizing Lookout products.

Show Contents

Mobile Endpoint Security

Lookout Single Sign-On With Azure Active Directory

Setting Up Azure Active Directory

  1. Log in to the Azure Management Portal as a Global Administrator user.
  2. In the left pane, click Azure Active Directory.
  3. In the Azure Active Directory blade, under Manage, click Enterprise applications.
  4. Click + New application.
  5. Under Add an application: Add your own app, select Non-gallery application:


  6. In the Name field, enter lookout_saml and click Add.
  7. Click Configure single sign-on (required):


  8. On the Single Sign-on Mode page, click SAML.
  9. On the 1. Basic SAML Configuration tile, click the edit icon in the top-right corner and enter the following:
    FieldValue
    Identifier (Entity ID)Provided by Lookout. The /metadata URL for your Lookout tenant.
    Reply URLThe same URL as above, but ending in /acs instead of /metadata.
  10. On the 2. User Attributes and Claims tile, click the edit icon in the top-right corner.
  11. Delete all existing claims by clicking the icon on the far right of the row and clicking Delete:


  12. On the Groups returned in claim: line, click the edit icon on the far right.
  13. Set the following:


    FieldValue
    Which groups associated with the user should be returned in the claimSecurity groups
    Source attributesAMAccountName
    Customize the name of the group claim(Checked)
    Name (required) 
    memberOf
  14. Click Save.
  15. Create the attributes below by clicking + Add new claim and setting the specified Name, Source, and Source attribute:
    NameSourceSource attributeDescription
    givenname
    		Attributeuser.givennameThe user's first name.
    sn
    		Attributeuser.surnameThe user's last name.
    mail
    		Attributeuser.mailThe user's email.
    upn
    		Attributeuser.mailThe user's principal name in Active Directory.

    Leave the Namespace field blank, then click Save.

  16. Create an ent attribute by typing the Source attribute value rather than selecting it from the dropdown:
    NameSourceSource attributeDescription
    entAttribute

    Example:

    " 78902dc0-b8ab-4abc-12c7-4a2b980ec23a"

    		Your Lookout enterprise tenant GUID, provided by Lookout
  17. Click Save.
  18. In the left pane, click Azure Active Directory.
  19. In the Azure Active Directory blade, under Manage, click App registrations.
  20. Switch to All applications view and search for the lookout_saml app that you just created:


  21. Under Manage, click Manifest.
  22. Using the included User application role as a template, create entries for Full Access, Restricted Access, and Read-Only administrators by changing the description, displayName, and id for each role:
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Lookout MES Console full access admin",
            "displayName": "cld.azu.lookoutconsole.fullaccess",
            "id": "18d14569-c3bd-439b-9a66-3a2aee01d14f",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": null
        },
        {
            ...
            "description": "Lookout MES Console restricted access admin",
            "displayName": "cld.azu.lookoutconsole.restricted",
            "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
            ...
        },
            {
            ...
            "description": "Lookout MES Console read-only",
            "displayName": "cld.azu.lookoutconsole.readonly",
            "id": "b9632174-c057-4f7e-951b-be3adc52bfe6",
            ...
        },
  23. Click Save.
    You may need to wait a few minutes for AAD to apply the new roles to the application.
  24. In the left pane, click Azure Active Directory.
  25. In the Azure Active Directory blade, under Manage, click Enterprise applications and select the lookout_saml app.
  26. In the Enterprise Application blade, under Manage, click Users and groups.
  27. Click +Add user to assign users or groups to the application so that they can use SSO.
  28. Select users and groups and assign them to the application roles you created in Step 22 to control their access to the Lookout MES Console:


  29. Click Assign.

Last updated: November 20, 2024

lookout-footer

Legal Privacy Policy Cookie Policy Transparency Report Compliance Info Compliance Info (Gov)

© 2024 Lookout, Inc. LOOKOUT®, the Lookout Shield Design®, LOOKOUT with Shield Design® and the Lookout multi-color/multi-shaded Wingspan Design® are registered trademarks of Lookout, Inc. in the United States and other countries. DAY OF SHECURITY®, LOOKOUT MOBILE SECURITY®, and POWERED BY LOOKOUT® are registered trademarks of Lookout, Inc. in the United States. Lookout, Inc. maintains common law trademark rights in EVERYTHING IS OK, PROTECTED BY LOOKOUT, CIPHERCLOUD, and the 4 Bar Shield Design.