Okta SSO (SAML 2)

Backgound information

Here are the steps to follow to set up a single sign-on authentication between your Okta service and LUCCA solutions (SAML 2.0 protocol).

Step 1: Create your settings in Lucca

This task will have to be performed by an administrator or any user with access to the authentication module.

1. Activate the Google SAML 2.0 method of authentication.

2. Retrieve your connection and response URL, as well as your Lucca ID, which can be found in the "Lucca service provider information" section.

Step 2: Create the SAML 2.0 application in Okta

1. in the OKTA admin interface, please select "Applications",

2. Click "Add Application", then "Create New Application",

3. Next to "Platform", please select "Web" et and choose "SAML 2.0" as your sign on method:

Step 3: General settings

1. On the "General Settings" page, please fill in "Lucca" in the "Application Name" field.

2. Check the box: "Do not display application icon in the Okta Mobile application".

Step 4: SAML 2.0 configuration

1. "SAML Settings" page

Please fill in the follwing fields with the information provided to you by Lucca:

Single sign on URL (Response URL)
Audience URI (SP Entity ID)

In the "Application userName" field, please fill in "Email".

2. "Feedback" page

Fill the URL https://support.lucca.fr/hc/fr/articles/360022954532-SSO-protocole-SAML-2-0 in the following field: "Which app pages did you consult to configure SAML?"
Enter "I'm an Okta customer adding an internal app"
Tick in "It's request to contact the vender to enable SAML" :

3. Confirmation page

Click "Identity Provider metadata"
Send the corresponding URL to the page that will open up, using the following format: https://xxxx.okta.com/app/exk56ocxeX9l6YujF4x6/sso/saml/metadata

Step 5: Lucca configuration

This task will have to be performed by an administrator.

Once the configuration has been performed in your Okta management interface, please go back to the Lucca authentication settings to fill in the following information:

the metadata corresponding to your Okta service
the LUCCA field matching the AD attribute sent in the token (step4 _1.): email address

Please consider using a public URL for metadata access, which is generally in the following format:

https://xxxx.okta.com/app/exk56ocxeX9l6YujF4x6/sso/saml/metadata

Should your certificate need to be renewed, the authentication service will stay up to date.

Once this information has been filled in and saved, you will be able to activate the SSO connection whenever you like.

After the SSO connection has ben activated, you will be able to deactivate the option to reach the manual login page, using their login ID and individual password. To do so, just deactivate the Lucca login / password connection button.