Microsoft Azure AD Single Sign on with XLCubed Web

Published on
June 11, 2019

We’ve previously shown how to set up single sign-on for Okta, and with V9.2.41 we have added support for Azure Active Directory. This includes using the “Application Roles” feature to control which Analysis Services role to use for each user/group.

Here’s an overview of the process:

The first step is to register a new Application in your Azure portal – search for “App registrations”:

You can choose anything for the name and account types. Just create an entry for the redirect URI as:


Where “server” is the XLCubedWeb server address that the users would enter into the browser/Excel for publishing.

Next you need the metadata XML file to import into XLCubed. This file is specific to your Azure domain as a whole, not to the individual application. To get the file, click on “Endpoints” and open the URL given under “Federation metadata document”:

Download and save the XML from that link. Then, in the XLCubedWeb Config Application, set the authentication settings to “Custom Provider” and import the XML, ensuring that “Postback” is selected:

The next step is to give XLCubed the information it needs to use the application registration you’ve just created. To do that you need the “Application (client) ID” from the Application settings:

Add that to the XLCubed Web.config file with the setting “AuthOverrideEntityId”:

At this point anyone accessing XLCubedWeb will be taken to the appropriate Azure authentication page, but we have not yet provided a link between their group membership and the roles within XLCubed. To do this you first need to allow group membership to be passed via the App Registration. The first step is to go to “Manifest” and set “groupMembershipClaims” to “All”:

Now you just need to create the link between the Azure Groups and the XLCubed roles. To do this find the group in the Azure Active Directory and copy the “Object ID”:

Now, for the desired role click “Add Azure AD Group” and paste the Object ID and a description for future reference.

The following step allows you to define which Analysis Services roles to use for the user’s connection. You first define the application roles by editing the Manifest again.

A user or group (if using Azure enterprise features) can only have one application role. For every combination of cube roles you must create an entry in appRoles. The “value” can be a comma-delimited list of all the cube roles to use:
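The manifest settings described above can be checked before they are saved in the portal. The following is an added example, not code from XLCubed or Microsoft: `check_manifest` is a hypothetical helper, and the role names and GUIDs in the sample manifest are constructed for illustration.

```python
import json
import uuid

# Constructed manifest fragment: role names and GUIDs are invented for illustration.
SAMPLE_MANIFEST = json.loads("""
{
  "groupMembershipClaims": "All",
  "appRoles": [
    {"allowedMemberTypes": ["User"], "displayName": "Sales readers",
     "description": "Sales cube role only", "isEnabled": true,
     "id": "11111111-1111-4111-8111-111111111111", "value": "SalesRead"},
    {"allowedMemberTypes": ["User"], "displayName": "Sales and finance",
     "description": "Both cube roles", "isEnabled": true,
     "id": "22222222-2222-4222-8222-222222222222", "value": "SalesRead,FinanceRead"}
  ]
}
""")


def check_manifest(manifest):
    """Return (problems, role_map); role_map maps each app role value to its cube roles."""
    problems, role_map, seen_ids = [], {}, set()
    if manifest.get("groupMembershipClaims") != "All":
        problems.append('groupMembershipClaims is not "All": no group claims for role mapping')
    for role in manifest.get("appRoles", []):
        name = role.get("displayName", "<unnamed>")
        role_id, value = str(role.get("id", "")), role.get("value") or ""
        try:
            uuid.UUID(role_id)
        except ValueError:
            problems.append(f"{name}: id is not a GUID")
        if role_id in seen_ids:
            problems.append(f"{name}: duplicate id")
        seen_ids.add(role_id)
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append(f"{name}: cannot be assigned to users or groups")
        if not role.get("isEnabled", False):
            problems.append(f"{name}: role is disabled")
        cube_roles = value.split(",")
        # Azure AD does not accept spaces in an app role value, so "A, B" is invalid.
        if any(c.isspace() for c in value) or "" in cube_roles:
            problems.append(f"{name}: value {value!r} has spaces or an empty cube role")
        elif value in role_map:
            problems.append(f"{name}: value {value!r} duplicates another app role")
        else:
            role_map[value] = cube_roles
    return problems, role_map


if __name__ == "__main__":
    issues, mapping = check_manifest(SAMPLE_MANIFEST)
    print(issues or "manifest OK", mapping)
```

The returned mapping shows which cube roles each application role expands to, which makes it easy to review that no application role grants more cube access than intended.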

You can now go to the user settings for the application endpoint and configure which application role to use. This will then automatically handle the cube security for each user.

To do this go to the App Registration settings and click on the “Managed application” link:

This takes you to an overview of the usage and also gives the option to manage the users for the app:

Now for each set of users you can assign application roles that you defined earlier:

Gary Crawford
COO, XLCubed
Fluence Technologies
