Microsoft Azure AD Single Sign on with XLCubed Web

Published on
June 11, 2019

We’ve previously shown how to set up single sign-on for Okta, and with V9.2.41 we have added support for Azure Active Directory. This includes using the “Application Roles” feature to control which Analysis Services role to use for each user/group.

Here’s an overview of the process:

XLCubeWeb Application Roles

Configuration Steps:

1. Register an Application in Azure AD

The first step is to register a new Application in your Azure portal – search for “App registrations”:

App registrations

You can choose anything for the name and account types. Just create an entry for the redirect URI as:

https://server/xlcubedweb/webform/auth.aspx

Where “server” is the XLCubedWeb server address that users would enter into the browser or Excel for publishing.

Server Registration

2. Import Azure AD Metadata

You next need to get the metadata XML file to import into XLCubed. This file is specific to your Azure domain, not to the application. To get the file click on “Endpoints” and open the URL given under “Federation metadata document”:

App registration Endpoints
Endpoints authorization

3. Configure XLCubed Web.config

Download and save the XML from that link. In the XLCubedWeb Config Application, set the authentication settings to “Custom Provider” and import the XML, ensuring that “Postback” is selected:

Authentication Provider Config

The next step is to give XLCubed the information it needs to use the application registration you’ve just created. To do that you need the “Application (client) ID” from the Application settings:

XLCubeWeb Application Client ID

Add that to the XLCubed Web.config file with the setting “AuthOverrideEntityId”:

XLCubed Web.config file

4. Enable Group Membership Claims

At this point anyone accessing XLCubedWeb will be taken to the appropriate Azure authentication page, but we have not yet provided a link between their group membership and the roles within XLCubed. To do this you first need to allow group membership to be passed via the App Registration. The first step is to go to “Manifest” and set “groupMembershipClaims” to “All”:

XLCubedWeb Azure authentication page

5. Link Azure AD Groups to XLCubed Roles

Now you just need to create the link between the Azure Groups and the XLCubed roles. To do this find the group in the Azure Active Directory and copy the “Object ID”:

XLCubedWeb Object ID

Now, for the desired role click “Add Azure AD Group” and paste the Object ID and a description for future reference.

Add Azure AD Group Role

6. Define Analysis Services Roles

The following step allows you to define which Analysis Services roles to use for the user’s connection. You first define the application roles by editing the Manifest again.

A user or group (if using Azure enterprise features) can only have one application role. For every combination of cube roles you must create an entry in appRoles. The “value” can be a comma-delimited list of all the cube roles to use:

appRoles entry
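The manifest settings from steps 4 and 6 can be checked before users are assigned. The script below is an added example, not XLCubed or Microsoft code: it parses a constructed manifest fragment, splits each appRoles “value” into its cube roles, and reports settings that would break the mapping. The GUIDs and the cube role names “Sales” and “Finance” are placeholders, and the specific checks are the editor's choice of hygiene rules.

```python
import json

# Constructed sample manifest fragment (not from the original page); the GUIDs
# and the cube role names "Sales" and "Finance" are placeholders.
SAMPLE_MANIFEST = """
{
  "groupMembershipClaims": "All",
  "appRoles": [
    {"allowedMemberTypes": ["User"], "displayName": "Sales only", "isEnabled": true,
     "description": "Cube role Sales", "value": "Sales",
     "id": "00000000-0000-0000-0000-000000000001"},
    {"allowedMemberTypes": ["User"], "displayName": "Sales and Finance", "isEnabled": true,
     "description": "Cube roles Sales and Finance", "value": "Sales,Finance",
     "id": "00000000-0000-0000-0000-000000000002"},
    {"allowedMemberTypes": ["User"], "displayName": "Finance and Sales", "isEnabled": true,
     "description": "Same combination in a different order", "value": "Finance,Sales",
     "id": "00000000-0000-0000-0000-000000000003"}
  ]
}
"""

def audit_manifest(manifest_text):
    """Return (mapping of appRole value -> cube roles, list of findings)."""
    manifest = json.loads(manifest_text)
    findings, mapping, seen_sets = [], {}, {}
    if manifest.get("groupMembershipClaims") != "All":
        findings.append("groupMembershipClaims is not 'All' (step 4)")
    for role in manifest.get("appRoles", []):
        name, value = role.get("displayName", "?"), role.get("value") or ""
        # The value is a comma-delimited list of cube roles (step 6).
        cube_roles = [r.strip() for r in value.split(",") if r.strip()]
        if not cube_roles:
            findings.append(f"{name}: empty value, no cube roles")
        if not role.get("isEnabled", False):
            findings.append(f"{name}: isEnabled is false")
        if "User" not in role.get("allowedMemberTypes", []):
            findings.append(f"{name}: not assignable to users/groups")
        # One entry per combination: the same set twice is redundant and
        # makes it unclear which role an administrator should assign.
        key = frozenset(cube_roles)
        if cube_roles and key in seen_sets:
            findings.append(f"{name}: same cube roles as {seen_sets[key]}")
        seen_sets.setdefault(key, name)
        mapping[value] = cube_roles
    return mapping, findings

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST)[1]:
        print(line)
```

Save the manifest JSON from the App Registration and pass its text to `audit_manifest` in place of the sample.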

7. Assign Application Roles to Users

You can now go to the user settings for the application endpoint and configure which application role to use. This will then automatically handle the cube security for each user.

To do this go to the App Registration settings and click on the “Managed application” link:

App Registration settings

This takes you to an overview of the usage and also gives the option to manage the users for the app:

XLCubedWeb Auth Provider Overview

Now for each set of users you can assign application roles that you defined earlier:

User Test Role

Gary Crawford
COO, FluenceXL
Fluence Technologies
