SSO with SAML 2.0 protocol

Background information

The following document provides the information required for setting up Single Sign-On between your identity provider (directory) and LUCCA solutions using the SAML 2.0 protocol.

> Numerous solutions implement the SAML 2.0 protocol by default: Oracle, Citrix, Okta, Azure AD, ADFS, etc.


| Abbreviation | Term | Meaning |
| --- | --- | --- |
| IdP | Identity Provider | the service linked to your internal directory |
| SP | Service Provider | the LUCCA solutions |

Prerequisites

  • Subscription to the LUCCA SSO option
  • Having an identity provider that supports the SAML 2.0 protocol
  • Retrieving the SP metadata URL from the LUCCA teams

Step 1: Integrating SP metadata

Using the metadata provided by our teams, simply configure a SAML 2.0 app on your IdP on behalf of the LUCCA SP.

Step 2: Unique user identifier

Your IdP returns a single user attribute to the LUCCA SP (unique identifier) in the SAML 2.0 token.

[Figure: SAML diagram]

The LUCCA SP matches the user identifier received with the login data integrated into the LUCCA database. This is either the professional email address or the login field.

Once authenticated, the user is assigned a LUCCA session.

Step 3: Security level

The authentication request (AuthnRequest) generated by our SP is signed. The token returned by your IdP can be signed at the SAML Response level and/or at the SAML Assertion level.

The SAML Assertion node can also be encrypted.

Step 4: Set up LUCCA

Using our online form, please send the following information:

- the IdP metadata

- the token’s security level

  • SAML Response signature: YES/NO
  • SAML Assertion signature: YES/NO
  • SAML Assertion encryption: YES/NO

- the LUCCA field corresponding to the user ID sent in the token (step 2): email address or login name
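The following is an added example (not LUCCA's code and not part of the original article) showing, from the SP side, how the three pieces of information requested in steps 2 to 4 fit together: it inspects a SAML Response to determine which security level it actually carries (Response signature, Assertion signature, Assertion encryption), compares that with the YES/NO level declared on the form, extracts the unique user identifier (NameID or a named attribute), and matches it against the configured LUCCA field (email address or login). The sample Response, the signature placeholders and the user records are all constructed for the example; the parser only checks the structure of the token, so real signature verification and decryption still belong to a proper SAML library.

```python
"""Structural checks on a SAML 2.0 Response, as described in steps 2-4 (added example)."""
import xml.etree.ElementTree as ET  # in production prefer defusedxml and a SAML library
from dataclasses import dataclass
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: Response signed, Assertion signed, Assertion in clear.
# Signature contents are placeholders, not real XML-DSig data.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.invalid</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same Response, but the Assertion replaced by an EncryptedAssertion (also constructed).
ENCRYPTED_RESPONSE = SAMPLE_RESPONSE.split("<saml:Assertion")[0] + (
    '<saml:EncryptedAssertion><xenc:EncryptedData '
    'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>'
    "</samlp:Response>"
)


@dataclass(frozen=True)
class SecurityLevel:
    """The three YES/NO settings from step 4. assertion_signed is None when it
    cannot be assessed yet (the Assertion is encrypted and not decrypted here)."""
    response_signed: bool
    assertion_signed: Optional[bool]
    assertion_encrypted: bool


def inspect_security_level(xml_text: str) -> SecurityLevel:
    """Report which protections the received token structurally carries (step 3)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document is not a samlp:Response")
    # Only a ds:Signature that is a direct child of the Response signs the Response.
    response_signed = root.find("ds:Signature", NS) is not None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    if encrypted:
        assertion_signed = None  # visible only after decryption
    else:
        assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return SecurityLevel(response_signed, assertion_signed, encrypted)


def violations(observed: SecurityLevel, configured: SecurityLevel) -> list:
    """Every YES declared on the form is a minimum: a token lacking it must be rejected."""
    problems = []
    if configured.response_signed and not observed.response_signed:
        problems.append("SAML Response signature required but absent")
    if configured.assertion_encrypted and not observed.assertion_encrypted:
        problems.append("SAML Assertion encryption required but Assertion is in clear")
    # When the Assertion is encrypted (observed None) this check is deferred to after decryption.
    if configured.assertion_signed and observed.assertion_signed is False:
        problems.append("SAML Assertion signature required but absent")
    return problems


def extract_identifier(xml_text: str, attribute_name: Optional[str] = None) -> Optional[str]:
    """Return the unique user identifier (step 2): the Subject NameID, or a named attribute."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return None  # encrypted or missing: decrypt before extracting
    if attribute_name is None:
        node = assertion.find("saml:Subject/saml:NameID", NS)
    else:
        node = next((a.find("saml:AttributeValue", NS)
                     for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
                     if a.get("Name") == attribute_name), None)
    return node.text.strip() if node is not None and node.text else None


# Constructed stand-in for the user records held in the LUCCA database.
USERS = [
    {"email": "jane.doe@example.invalid", "login": "jdoe"},
    {"email": "john.roe@example.invalid", "login": "jroe"},
]


def match_user(identifier: str, field: str, users: list) -> Optional[dict]:
    """Match on the configured field only (email or login); refuse ambiguous matches."""
    if field not in ("email", "login"):
        raise ValueError("field must be 'email' or 'login'")
    hits = [u for u in users if u[field].casefold() == identifier.casefold()]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    configured = SecurityLevel(response_signed=True, assertion_signed=True, assertion_encrypted=False)
    observed = inspect_security_level(SAMPLE_RESPONSE)
    print("observed level:", observed, "violations:", violations(observed, configured))
    ident = extract_identifier(SAMPLE_RESPONSE)
    print("identifier:", ident, "->", match_user(ident, "email", USERS))
```

The observed level is what the token shows, the configured level is what was declared on the form; only the configured level decides acceptance, so a token that drops a declared signature is rejected rather than silently accepted at a lower level.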

> A public URL for accessing IdP metadata is preferred. This way, if the IdP certificate is renewed, the configuration within our SP can be updated automatically.

> However, if you decide not to make your IdP (and consequently the metadata) public, you can send us the XML metadata file.

Note: when the IdP certificate is renewed, send us the new certificate first using our online form, so as to avoid any service interruption.
