Before you get started
SSO (Single Sign-On) allows you to connect to one or more web environments, such as Lucca, with a single login known only to your employees.
This simplifies and secures access to Lucca solutions. SSO is based on a trust relationship established between Lucca and your identity provider's servers.
Specifically, the site or service the user is trying to connect to (here, Lucca) sends a request to the identity provider's server, i.e. your site, asking whether the user is already logged in. If so, the identity provider passes the user's identity on to Lucca. Depending on the protocol used, the two sites exchange keys, signatures, etc., which allows Lucca to verify and confirm the identity of your employees at the click of a button.
Vocabulary help:
- SSO = Single Sign-On
- Identity provider: server providing user identities, the central point of authentication, a tool that belongs to the client.
- Lucca service provider = In our case, the Lucca application provides an HRIS service.
- SAML2 = this is the protocol used to exchange the security token between the identity provider and the Lucca Service Provider.
- Metadata = the configuration data exchanged between the Lucca service provider and the identity provider (public certificate, key, endpoint addresses, etc.). Each side must import the other's metadata, which contains its certificates, in order to identify and trust it. It can be provided as an XML file uploaded to the server, or as a URL.
Protocols supported by Lucca
Here is the list of protocols supported by Lucca: SAML 2.0, OAuth 2.0, CAS.
If you need more information on each of these protocols, please refer to our Advanced Settings section.
Which protocol to choose: OAuth or SAML 2.0?
We have no recommendation between the two in terms of security.
Step 1: Setting up your SSO
Requirements
Technical expertise is required to implement this functionality. Please contact your technical manager or service provider to take the next steps.
Enter your identity provider
As administrator of your Lucca environment, use the cogwheel to open the module for administering your connection methods: Authentication settings.
By default, your authentication method is a login/password connection.
Use the "+" button in Authentication methods to select the protocol and identity provider of your choice.
A configuration interface will then appear, where, step by step, you can enter and manage the information required to enable Lucca and your supplier to interact with each other.
The rest of the set-up process depends on what you choose from this list:
- SSO Google (OAuth 2.0)
- SSO Google (SAML 2)
- SSO Microsoft ADFS - Active Directory Federation Services (SAML 2)
- SSO Azure Active Directory (OAuth 2.0)
- SSO Azure Active Directory (SAML 2.0)
- SSO Okta (SAML 2)
- SSO protocol SAML 2.0
- SSO Protocol CAS
Step 2: Customize your connection options
Advanced options are available to customize the employee login experience:
- The magic link
Your employees will be able to connect to mobile apps and their Lucca environment using only their email address, without having to enter their password, identifier or login.
This type of connection can be useful if your employees use personal computer equipment, or if they work remotely.
- Connection codes for mobile apps
Depending on the applications you have subscribed to, your employees can use a mobile app. They can connect via a magic link or a code.
Every user of a Lucca environment has access to a My Account interface, which enables them to generate a connection code for mobile apps.
We therefore recommend that you activate this option, to make it easier for your employees to connect.
- URL redirection
If you want to customize the welcome or logout page for your employees when they access their Lucca environment, this is where you can specify the redirections.
- Login via SSO
SSO does not apply to all mobile apps (yet!). The Timmi Absences and Cleemy Expenses mobile apps support SSO login.
Login tracking
Once SSO is implemented, you can track failed connections over a chosen period. This lets you identify users who were authenticated by your identity provider but are not recognized by Lucca, and react effectively.