Before you get started
This page handles the most frequently asked questions about SSO.
To be able to answer them, you will need, in most cases, administrator rights on Lucca as well as SSO administration rights (permission: Manage authentication and SSO).
If you don't yet have an SSO to connect to Lucca and would like to add one, here's the dedicated help page: How do I activate an SSO connection with Lucca?
Frequently asked questions
From the answers provided, we can see that you need a login, which can either be the professional email address or the user's login, depending on your SSO configuration.
An employee or group of employees (not all) cannot connect to Lucca via SSO. What should I do?
The first thing to do is to check which connection method your employees are using. It may be that they're trying to log in using a method other than SSO, in which case this page won't solve the problem.
Most of the time, your employees will see this type of page:
For your part, a connection tracking space is available in your SSO administration module, except for Google SSO.
You can view errors and connection failures at any time, over a defined period or by searching by employee. Here's an example of a “Signature verification failed” error on field “1”.
Take note of the error message for the employee(s) in question. Here are some potential solutions if you receive this message:
- No user found with that login... : the user does not yet have a Lucca account, or their contract has not started yet or it has ended;
- No user found with that login... : the login used by your employee does not exist in Lucca, e.g. the employee's email address on your identity provider is different from the professional email address in the employee's HR file in Lucca (or login, depending on the type of login you use);
- Several users have been found with that login... : the login used to connect is attached to several employees in Lucca. Typically, the professional email address used by your SSO is used as a professional email address for at least two employees in Lucca.
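The three causes listed above can be checked ahead of time by comparing the login values your identity provider sends with an extract of HR files. The following is an added example, not Lucca code: the data, the function names and the matching rules (exact string comparison, contract dates compared with today's date) are assumptions made for illustration.

```python
from datetime import date

# Constructed HR extract: (login, contract start, contract end or None).
EMPLOYEES = [
    ("alice@example.com", date(2020, 1, 6), None),
    ("bob@example.com", date(2021, 3, 1), date(2023, 12, 31)),
    ("carol@example.com", date(2030, 1, 1), None),
    ("shared@example.com", date(2019, 5, 2), None),
    ("shared@example.com", date(2022, 9, 12), None),
]

def diagnose(idp_login, employees, today):
    """Return the likely cause for one login value sent by the identity provider."""
    matches = [e for e in employees if e[0] == idp_login]
    if len(matches) > 1:
        return "several users"
    if not matches:
        # A near miss (case or stray whitespace) points at a mismatch between
        # the IdP attribute and the HR file rather than a missing account.
        key = idp_login.strip().lower()
        if any(e[0].strip().lower() == key for e in employees):
            return "no user: login differs from HR file"
        return "no user: no account"
    _, start, end = matches[0]
    if start > today:
        return "no user: contract not started"
    if end is not None and end < today:
        return "no user: contract ended"
    return "ok"

def report(idp_logins, employees, today):
    """Keep only the logins that would fail, with their probable cause."""
    results = {login: diagnose(login, employees, today) for login in idp_logins}
    return {login: cause for login, cause in results.items() if cause != "ok"}

if __name__ == "__main__":
    # Constructed list of login values as the identity provider would send them.
    idp = ["alice@example.com", "Bob@example.com", "carol@example.com",
           "shared@example.com", "dave@example.com"]
    for login, cause in report(idp, EMPLOYEES, date(2024, 6, 1)).items():
        print(f"{login}: {cause}")
```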
None of my employees can access the solutions. What should I do?
If the access problem is not local, but affects your entire establishment, you must specify this in the next support request.
When you log in, this screen appears:
Possible solution if your SSO is SAML 2.0:
It's likely that your certificate has expired. Check with your SSO team on the identity provider side to retrieve the metadata file or, ideally, the public URL for accessing the metadata.
To update it, there's a dedicated section: When and how do I update my authentication certificate (only for SSO with SAML 2.0)?
Possible solution if your SSO is OAuth 2.0:
It's likely that, if this is a new setting, you entered the Secret ID rather than the Value during setup.
Generally speaking, the value is not in the form of 00000000-0000-0000-0000-000000000000, but rather in the form of a long password.
If you have tried these solutions, and you still haven't solved the problem, it's probably due to your identity provider.
When and how do I update my authentication certificate (only for SSO with SAML 2.0)?
Start by getting hold of your metadata file or the public URL for accessing metadata.
The URL enables you to automatically renew your certificate on a daily basis (every evening). If you have downloaded a file, you need to manually upload the new one.
All of this takes place in the dedicated tab:
We recommend using the URL and making the changes gradually, with a phase during which you share both the old and new information via this URL.
In addition, if you have our Poplee Core HR solution, create an alert with a due date to remind you when your certificate needs updating.
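During the gradual change described above, you can confirm that the identity provider's metadata really publishes both the old and the new signing certificate before anything is switched. The following is an added example, not Lucca code: the metadata is built inline from constructed placeholder bytes rather than real certificates, and all function names are assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certs).
OLD_DER, NEW_DER = b"constructed-old-cert", b"constructed-new-cert"

def _key(der, use):
    attr = f' use="{use}"' if use else ""
    b64 = base64.b64encode(der).decode()
    return (f'<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>\n{b64}\n</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

def sample_metadata(*keys):
    """Build constructed IdP metadata from (der, use) pairs."""
    body = "".join(_key(der, use) for der, use in keys)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://idp.example.com/metadata">'
            f'<md:IDPSSODescriptor protocolSupportEnumeration='
            f'"urn:oasis:names:tc:SAML:2.0:protocol">{body}'
            f'</md:IDPSSODescriptor></md:EntityDescriptor>')

def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the IdP may sign with."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            found.add(fingerprint(der))
    return found

def rollover_status(metadata_xml, old_fp, new_fp):
    """Say which of the two expected signing certificates is published."""
    fps = signing_fingerprints(metadata_xml)
    names = [n for n, fp in (("old", old_fp), ("new", new_fp)) if fp in fps]
    return {2: "both published", 0: "neither published"}.get(
        len(names), f"{names[0]} only" if names else "")
```

Run it against the content of your metadata file or URL with the fingerprints your SSO team gives you; "both published" is the state to reach before the old certificate is retired.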
Can I set up different SSOs to access my Lucca environment?
Absolutely!
You can set up several SSOs to access your instance. By configuring your protocols, the connection window will show your employees a button for each of the protocols that are configured.
Users will have to select the one they want to use on the login page.
Remember that this help page is available to help you set up an SSO connection. The process is the same for the first as it is for any that follow: How do I activate an SSO connection with Lucca?
Can I set up SSO for mobile apps?
SSO is available on all Lucca mobile applications.
I want to change my protocol and/or identity provider. Is it complicated?
Absolutely not! You are completely free and autonomous in terms of administration and authentication methods.
From the module, you can activate and/or deactivate the protocol of your choice and set up your new protocol.
Here are a few tips:
- Before deactivating your existing configuration, create a new one and test it.
- Communicate internally.
- While you make the change, point the old target to the new one using the URLs available in advanced options.
Once the changeover has been successfully completed, you can finally deactivate the old protocol.
Do I need to plan for service downtime to update the Service Provider?
No. Protocols are activated and deactivated in real time.
However, if you have any redirection URLs to provide to your employees, please coordinate with your HR department.
Can I set up multi-factor authentication (MFA)?
MFA (multi-factor authentication) may be possible when connecting via SSO, but this is set up by your identity provider.
For all other requests
Here are some answers to commonly asked questions. If you still can't find the answer to your question, please contact customer support and specify the following information in your request:
- Employee(s) concerned
- Description of the problem
- Description of your SSO configuration on the identity provider side
- Description of your configuration on the Lucca side