Background information
The following document provides the information required for setting up Single Sign-On between your identity provider (directory) and LUCCA solutions using the SAML 2.0 protocol.
> Numerous solutions implement the SAML 2.0 protocol by default: Oracle, Citrix, Okta, Azure AD, ADFS, etc.
- For Microsoft ADFS, you can use the following help page: Microsoft ADFS SSO - Active Directory Federation Services
- For Azure AD, you can use the following help page: Azure Active Directory SSO (SAML 2.0)
| Name | Full name | Description |
|---|---|---|
| IdP | Identity Provider | the service linked to your internal directory |
| SP | Service Provider | the LUCCA solutions |
Prerequisites
- A subscription to the LUCCA SSO option
- An identity provider that supports the SAML 2.0 protocol
- The SP metadata URL, obtained from the LUCCA teams
Step 1: Integrating SP metadata
Using the metadata provided by our teams, configure a SAML 2.0 application on your IdP that represents the LUCCA SP.
Step 2: Unique user identifier
Your IdP returns a single user attribute (the unique identifier) to the LUCCA SP in the SAML 2.0 token.
The LUCCA SP matches the received identifier against the login data stored in the LUCCA database: either the professional email address or the login field.
Once authenticated, the user is assigned a LUCCA session.
Step 3: Security level
The authentication request (AuthnRequest) generated by our SP is signed. The token returned by your IdP can be signed at the SAML Response level, the SAML Assertion level, or both.
The SAML Assertion node can also be encrypted.
Step 4: Set up LUCCA
Using our online form, please send us the following information:
- the IdP metadata
- the token's security level:
  - SAML Response signature: YES/NO
  - SAML Assertion signature: YES/NO
  - SAML Assertion encryption: YES/NO
- the LUCCA field against which the user identifier sent in the token (step 2) is matched: email address or login name
> A public URL for accessing IdP metadata is preferred. This way, if the IdP certificate is renewed, the configuration within our SP can be updated automatically.
> However, if you decide not to make your IdP (and consequently the metadata) public, you can send us the XML metadata file.
Note: if the IdP certificate is renewed, you will need to send us the new certificate first using our online form in order to avoid any service interruption.
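As an added example (not LUCCA's code), the following Python inspects a constructed SAML Response to report the three security-level answers requested in step 4 and to extract the identifier described in step 2, matching it against a constructed user table by email address or login. Finding a ds:Signature element is only a structural check; cryptographic verification of the signature requires an XML-DSig library such as xmlsec.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: unsigned Response carrying a signed, unencrypted Assertion.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed user records standing in for the login data in the LUCCA database.
USERS = [
    {"id": 1, "email": "jane.doe@example.com", "login": "jdoe"},
    {"id": 2, "email": "john.roe@example.com", "login": "jroe"},
]

def security_level(xml_text):
    """Step 4: the three YES/NO answers, derived from which nodes carry a Signature
    and whether the Assertion is encrypted. Presence only, not verification."""
    root = ET.fromstring(xml_text)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": root.find("saml:Assertion/ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }

def extract_identifier(xml_text):
    """Step 2: the single identifier (NameID) in a plaintext Assertion, else None."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None

def match_user(identifier, users, field):
    """Step 2: match the identifier against the configured LUCCA field."""
    if field not in ("email", "login"):
        raise ValueError("field must be 'email' or 'login'")
    wanted = identifier.strip().casefold()  # identifiers compared case-insensitively
    for user in users:
        if user[field].casefold() == wanted:
            return user
    return None  # no match: the SP must not open a session
```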