Before you get started
- For Microsoft ADFS, see the following help page: SSO Microsoft ADFS - Active Directory Federation Services
- For Azure AD, please refer to the following help page: SSO Azure Active Directory (SAML 2.0)
- For other identity providers, please follow the instructions below
The following document provides the necessary information to set up single sign-on between your identity provider (directory) and LUCCA solutions, using the SAML 2.0 protocol.
| Acronym | Name | Role in this document |
| --- | --- | --- |
| IdP | Identity Provider | the identity provider, a service linked to your internal directory |
| SP | Service Provider | the service provider, LUCCA solutions |
Step 1: Creating the configuration in Lucca
This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.
1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.
2. Note the values shown in the "Lucca service provider information" section. The example below is for SAML 2.0, but the same section exists for the other protocols:
- Your connection URL (where users start an SSO login);
- Your response URL (the SAML Assertion Consumer Service URL your IdP must post the token to);
- Your metadata URL (SAML 2.0 only);
- Your Lucca identifier (SAML 2.0 only; the SP entity ID in SAML terms).
Step 2: SP metadata integration
Using the SP metadata shown in your LUCCA interface, configure a SAML 2.0 application for LUCCA on your IdP.
Your IdP returns a single user attribute (a unique identifier) to SP LUCCA in the SAML 2.0 token.
SP LUCCA matches the received identifier against the login information stored in the LUCCA database: either the business email address field or the login field. Whoever controls the value of that attribute controls which LUCCA account is opened, so it must be unique per user, stable over time and set by your directory, not editable by the users themselves.
Once authenticated, the user is assigned a LUCCA session.
Step 3: Level of security
The AuthnRequest generated by our SP is signed. The token returned by your IdP can be signed at the level of the SAML Response and/or the SAML Assertion; at least one of the two must be signed for the SP to trust it, and signing both is the most robust choice.
In addition, the SAML Assertion node can be encrypted, which keeps the user attributes it carries confidential from the browser that relays the token.
Step 4: Configuring LUCCA
This operation must be performed by an administrator.
Once you have configured your IdP, return to Lucca's authentication parameters and enter the following information:
- The IdP metadata (URL or XML file)
- The token's security level, i.e. which elements (Response, Assertion) must be signed
- The encryption policy for the Assertion, as decided in step 3
- The LUCCA field the user identifier sent in the token (step 2) is matched against: email address or login
A public URL for the IdP metadata is preferable: when the IdP signing certificate is renewed, the configuration in our SP can be updated automatically from it.
However, if you decide not to expose your IdP (and therefore its metadata) publicly, you can send us the XML metadata file instead.
Note: in that case, when your IdP signing certificate is renewed, you must update it in your Lucca interface before the old certificate stops being used, otherwise token signatures will no longer validate and logins will fail.
The connection attribute lets you define which LUCCA field (login or business email address) the identifier sent by your identity provider is matched against.
Once this information has been entered and saved, you can activate the SSO connection as soon as you are ready.
Once login via SSO is active, you can prevent employees from signing in with their Lucca login and personal password by deactivating the "Lucca login/password login" option. Before doing so, check that an administrator can complete an SSO login end to end: with password login disabled, a misconfigured IdP locks every user out.
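The checks behind steps 2 to 4 (which token elements are signed or encrypted, that the token is addressed to our SP, how the identifier is mapped to one LUCCA user, and whether the IdP has rotated its signing certificate since the metadata file was submitted) can be made concrete in code. The example below is added here and is not Lucca's code; all URLs, entity IDs, users and the certificate value are constructed placeholders, and it only inspects XML structure, it does not verify XML signatures cryptographically (use a SAML library backed by xmlsec for that).

```python
"""Added example, not Lucca's code: structural policy checks for a SAML 2.0
IdP -> SP integration. Parses constructed XML only; it does NOT verify the
XML signatures themselves. All URLs, names and certificate data are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed IdP metadata; the X509Certificate value is placeholder base64, not a real cert.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q29uc3RydWN0ZWQgY2VydCBieXRlcw==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response: Response and Assertion each carry a (placeholder) Signature, no encryption.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature/>
    <saml:Subject><saml:NameID>Alice@Example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed user table; bob's email is duplicated on purpose to show the ambiguity rule.
USERS = [{"login": "alice", "email": "alice@example.com"},
         {"login": "bob", "email": "bob@example.com"},
         {"login": "bob.old", "email": "bob@example.com"}]


def idp_metadata_summary(xml_text):
    """Entity ID, SSO endpoints by binding, SHA-256 fingerprints of the signing certs."""
    root = ET.fromstring(xml_text)
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in root.findall(".//md:SingleSignOnService", NS)}
    fps = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both uses
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_fingerprints": fps}

def certificate_rotated(known_fingerprints, metadata_xml):
    """True when the IdP publishes a signing cert the SP does not know yet:
    with a metadata *file* on the SP side, that is the moment to re-send it."""
    current = idp_metadata_summary(metadata_xml)["signing_fingerprints"]
    return any(fp not in known_fingerprints for fp in current)

def response_security_level(xml_text):
    """Which elements are signed / encrypted. Only a *direct* child Signature
    counts: a Signature nested anywhere else does not cover that element."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    return {"response_signed": root.find("ds:Signature", NS) is not None,
            "assertion_signed": assertion is not None
                                and assertion.find("ds:Signature", NS) is not None,
            "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None}

def meets_policy(level, policy):
    """policy holds the flags the SP requires (step 4); every required flag must hold."""
    return all(level[flag] for flag, required in policy.items() if required)

def audience_ok(xml_text, sp_entity_id):
    """The Assertion must name our SP entity ID (the 'Lucca identifier') as its audience."""
    root = ET.fromstring(xml_text)
    audiences = [a.text.strip() for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    return sp_entity_id in audiences

def subject_identifier(xml_text):
    """The single identifier the IdP sends (here the NameID of the Assertion)."""
    nameid = ET.fromstring(xml_text).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return nameid.text.strip() if nameid is not None and nameid.text else None

def resolve_user(identifier, users, field):
    """Map the identifier to exactly one user on the configured field ('email' or
    'login'). Case-insensitive comparison is an assumption of this example.
    Zero or several matches -> None: never open a session on an ambiguous match."""
    if not identifier:
        return None
    matches = [u for u in users if u[field].casefold() == identifier.casefold()]
    return matches[0] if len(matches) == 1 else None
```

A real deployment runs these checks only after the signature(s) have been verified against the certificate taken from the IdP metadata; the order matters, since an unverified Response can claim any audience or identifier it likes.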