The following article describes the information needed to implement SSO between your Identity Provider (directory) and Lucca solutions with the SAML 2.0 protocol.
> Many solutions implement the SAML 2.0 protocol by default: Oracle, Citrix, Okta, Azure AD, ADFS, etc.
For Microsoft ADFS, you can follow the dedicated article: SSO Microsoft ADFS - Active Directory Federation Services
| Acronym | Term | Description |
|---|---|---|
| IdP | Identity Provider | The identity provider, the service linked to your internal directory |
| SP | Service Provider | The service provider, Lucca solutions |
- Subscription to the SSO option
- An Identity Provider that supports the SAML 2.0 protocol
- Collect the SP metadata URL provided by Lucca
Step 1: SP metadata integration
Using the metadata provided by Lucca, set up a SAML 2.0 application on your IdP for the Lucca SP account.
Step 2: User unique identifier
Your IdP sends only one user attribute (the unique identifier) to the Lucca SP in the SAML 2.0 token.
The Lucca SP matches this unique identifier against the login data stored in the Lucca database. It can be the email or the login field.
Once logged in, the user is granted a Lucca session.
Step 3: Security level
The authentication request (AuthnRequest) generated by our Service Provider will be signed.
The token sent back by your IdP might be signed at the SAML Response level and/or the SAML Assertion level.
In addition, the SAML Assertion node can be encrypted.
Step 4: Lucca configuration
Please send the following information via our online form:
- IdP metadata
- SAML token security level
  - SAMLResponse signature: YES/NO
  - SAMLAssertion signature: YES/NO
  - SAML Assertion encryption: YES/NO
- the Lucca field to be matched with the unique identifier sent in the token (step 2): email or login
> Providing your IdP metadata through a publicly accessible URL is preferable. When the certificate is renewed, our SP configuration will be updated automatically.
> Should you decide not to expose your metadata publicly, you can send us the metadata XML file.
NB: in case of an IdP certificate renewal, you will need to send us the new certificate to avoid any service interruption.
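
The following added example, which is not Lucca's code, inspects a SAML Response captured from your own test login and reports the three YES/NO values from step 3 that the form in step 4 asks for. It assumes the unique identifier travels in the NameID element; the function name `security_level` and the sample response are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: unsigned Response wrapping a signed, unencrypted Assertion.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode())


def security_level(saml_response_b64):
    """Report which protections a base64-encoded SAMLResponse carries.

    Structure check only: no signature is verified here. Run it on a
    response captured from your own IdP test login, not on untrusted input.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertion = root.find("saml:Assertion", NS)
    name_id = None
    if assertion is not None:
        # Assumption: the unique identifier is carried in Subject/NameID.
        node = assertion.find("saml:Subject/saml:NameID", NS)
        name_id = node.text.strip() if node is not None and node.text else None
    return {
        # ds:Signature as a direct child of samlp:Response
        "response_signed": root.find("ds:Signature", NS) is not None,
        # None means "cannot tell": the assertion is encrypted or absent
        "assertion_signed": (assertion.find("ds:Signature", NS) is not None
                             if assertion is not None else None),
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "name_id": name_id,
    }


if __name__ == "__main__":
    for key, value in security_level(SAMPLE).items():
        print(f"{key}: {value}")
```

When the assertion is encrypted, its signature status and NameID are only visible after decryption, so the function returns `None` for both.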