SSO with SAML 2.0 protocol

Introduction

This article describes the information needed to set up SSO between your Identity Provider (your directory) and the Lucca solutions using the SAML 2.0 protocol.

> Many products support the SAML 2.0 protocol natively: Oracle, Citrix, Okta, Azure AD, ADFS, etc.

For Microsoft ADFS, follow the dedicated article: SSO Microsoft ADFS - Active Directory Federation Services

Terminology

IdP   Identity Provider   The identity provider: the service linked to your internal directory
SP    Service Provider    The service provider: the Lucca solutions


Requirements

  • A subscription to the SSO option
  • An Identity Provider that supports the SAML 2.0 protocol
  • The SP metadata URL provided by Lucca

Step 1: SP metadata integration

Using the SP metadata provided by Lucca, set up a SAML 2.0 application on your IdP for the Lucca SP account. The metadata identifies the Lucca SP (its entityID) and tells your IdP where to post the SAML response (the Assertion Consumer Service URL), so your IdP should import it rather than have these values typed in by hand.

Step 2: User unique identifier

Your IdP sends the Lucca SP a single user attribute, the unique identifier, in the SAML 2.0 token.

The Lucca SP matches this unique identifier against the login data stored in the Lucca database; the matched field can be either the user's email or the login field. The value your IdP sends must therefore be unique per user and identical to what Lucca holds for that user.

Once the identifier is matched, the user is granted a Lucca session.

Step 3: Security level

The authentication request (AuthnRequest) generated by our Service Provider is signed.

The token returned by your IdP can be signed at the SAML Response level and/or at the SAML Assertion level. Enable at least one of the two: without a signature the SP has no way to verify that the token really comes from your IdP.

In addition, the SAML Assertion element can be encrypted.

Step 4: Lucca configuration

Please send us the following information via our online form:

- IdP metadata

- SAML token security level

  • SAML Response signature: YES/NO
  • SAML Assertion signature: YES/NO
  • SAML Assertion encryption: YES/NO

- the Lucca field to be matched with the unique identifier sent in the token (step 2): email or login
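Steps 2 to 4 together amount to one check on the token your IdP produces. The Python script below is an added example, not Lucca's code: it decodes a SAMLResponse as the browser posts it to the SP (base64), reports the three answers the form asks for (Response signed, Assertion signed, Assertion encrypted) together with the signature algorithms in use, reads the unique identifier (assumed here to be carried as the assertion's NameID) and matches it against a user table on email or login. The two tokens, the hostnames and the user table are constructed samples. The script only reports which protections are present; it does not validate the signatures, which is the job of the SP's SAML library against the certificate in your IdP metadata.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample token (not captured from a real IdP): Response signed, Assertion
# neither signed nor encrypted, NameID carrying the e-mail. The Signature element is a
# structural placeholder with no real key material.
SIGNED_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.invalid</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""

# Constructed sample with an encrypted assertion: nothing inside it can be read or matched
# until the SP decrypts it with its private key.
ENCRYPTED_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 ID="_r2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

# What the browser posts to the SP is the XML base64-encoded in the SAMLResponse form field.
SIGNED_RESPONSE_B64 = base64.b64encode(SIGNED_RESPONSE_XML.encode()).decode()
ENCRYPTED_RESPONSE_B64 = base64.b64encode(ENCRYPTED_RESPONSE_XML.encode()).decode()

# Constructed user table standing in for the login data in the SP database.
USERS = [{"login": "jdoe", "email": "jane.doe@example.invalid"},
         {"login": "asmith", "email": "alice.smith@example.invalid"}]


def decode_saml_response(b64_token):
    """Decode the SAMLResponse field into an XML tree (use defusedxml for untrusted input)."""
    root = ET.fromstring(base64.b64decode(b64_token))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    return root

def _signature_algorithm(element):
    """Algorithm URI of the ds:Signature directly under element, or None if unsigned."""
    sig = element.find("ds:Signature", NS) if element is not None else None
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm", "unknown") if method is not None else "unknown"

def security_level(root):
    """The three YES/NO answers the form asks for. Reports presence only; validates nothing."""
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    response_alg = _signature_algorithm(root)
    assertion_alg = _signature_algorithm(root.find("saml:Assertion", NS))
    algorithms = [a for a in (response_alg, assertion_alg) if a]
    return {"response_signed": response_alg is not None,
            # Unknown when encrypted: the inner signature is only visible after decryption.
            "assertion_signed": None if encrypted else assertion_alg is not None,
            "assertion_encrypted": encrypted,
            "signature_algorithms": algorithms,
            # SHA-1 XML signatures are deprecated; ask the IdP for rsa-sha256.
            "weak_algorithms": [a for a in algorithms if a.endswith("sha1")]}

def unique_identifier(root):
    """(value, format) of the NameID in a plaintext assertion, or None if none is readable."""
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip(), name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")

def match_user(identifier, field, users=USERS):
    """Match on 'email' (case-insensitive) or 'login' (exact). Zero or several hits -> None:
    guessing between candidates would log the user into somebody else's account."""
    if field not in ("email", "login"):
        raise ValueError("field must be 'email' or 'login'")
    norm = (lambda s: s.strip().lower()) if field == "email" else str.strip
    hits = [u for u in users if norm(u[field]) == norm(identifier)]
    return hits[0] if len(hits) == 1 else None

def inspect_token(b64_token, field="email"):
    """Report for one captured token: security level, NameID, matched user (login or None)."""
    root = decode_saml_response(b64_token)
    report = security_level(root)
    report["name_id"] = unique_identifier(root)
    user = match_user(report["name_id"][0], field) if report["name_id"] else None
    report["matched_login"] = user["login"] if user else None
    return report

if __name__ == "__main__":
    for label, token in (("signed", SIGNED_RESPONSE_B64), ("encrypted", ENCRYPTED_RESPONSE_B64)):
        print(label, inspect_token(token, "email"))
```

To run it on a real token, copy the SAMLResponse value from the POST to the SP (browser developer tools) and pass it to inspect_token. The signed sample yields YES/NO/NO for the three form answers and matches jdoe on email; the encrypted sample yields an unknown assertion signature and no identifier, which is exactly why the SP must decrypt before it can match anything.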



> It is preferable to give us your IdP metadata as a publicly accessible URL: when your IdP certificate is renewed, our SP configuration is updated automatically.

> If you prefer not to expose your metadata publicly, you can send us the metadata XML file instead.

NB: if you sent us a metadata file, you must send us the new certificate whenever the IdP certificate is renewed, before the old one expires, to avoid any service interruption.
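What "updated automatically" means in practice is that the SP re-reads the published metadata and picks up the new signing certificate; with a metadata file, nobody does that for you. The Python script below is an added example, not Lucca's code: it parses IdP metadata, extracts the entityID, SSO endpoints, NameID formats and signing certificate(s), and compares the SHA-256 fingerprints of those certificates with the ones the SP currently trusts, so a renewal is noticed before the old certificate expires. The metadata, entityID, endpoints and certificate bytes are constructed placeholders (the "certificate" is not real X.509 data; only its fingerprint is used). The fetch helper is included for the public-URL case and is not exercised offline.

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder standing in for the DER bytes of the IdP signing certificate.
# It is not a real certificate; only its fingerprint matters for this check.
PLACEHOLDER_CERT_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed IdP metadata with a hypothetical entityID and endpoints. One SSO endpoint is
# deliberately plain http so the insecure-endpoint check has something to report.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/metadata">
 <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.invalid/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://idp.example.invalid/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(PLACEHOLDER_CERT_DER).decode()


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a certificate's DER bytes, as hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def parse_idp_metadata(xml_text):
    """Extract what the SP needs to configure trust in the IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata (no IDPSSODescriptor)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                # Strip PEM-style line wrapping before decoding.
                certs.append(base64.b64decode("".join((c.text or "").split())))
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "sso_endpoints": endpoints,
        "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_fingerprints": [fingerprint(d) for d in certs],
        # SAML traffic carries the session token; the endpoints must be HTTPS.
        "insecure_endpoints": [loc for loc in endpoints.values() if not loc.startswith("https://")],
    }

def new_signing_certificates(metadata_info, pinned_fingerprints):
    """Fingerprints published by the IdP that the SP does not trust yet. A non-empty
    result means the IdP certificate was renewed: update the SP before the old key is retired."""
    return sorted(set(metadata_info["signing_fingerprints"]) - set(pinned_fingerprints))

def fetch_metadata(url):
    """Fetch metadata from a public URL. HTTPS only: this document is the trust anchor."""
    if not url.startswith("https://"):
        raise ValueError("IdP metadata must be fetched over HTTPS")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(info)
    # Simulate an SP that still pins a previous certificate: the new one shows up here.
    print("new signing certificates:", new_signing_certificates(info, ["0" * 64]))
```

Run parse_idp_metadata on the metadata you are about to send (file or URL) to check that it really is IdP metadata, that its endpoints are HTTPS and that it carries a signing certificate; schedule new_signing_certificates against the public URL so a renewal on the IdP side is caught before the old certificate expires.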
