This document describes how to set up Single Sign-On (SAML 2.0) between your ADFS service and LUCCA solutions.
> The example below uses ADFS 3.0.
Prerequisites:
- Subscription to the LUCCA SSO option
- ADFS role installed
> The ADFS server must be joined to the Active Directory domain.
> ADFS uses two distinct certificates here. The service communications (SSL/TLS) certificate protects HTTPS traffic between the ADFS server, LUCCA, the users' browsers and any proxy servers (Web Application Proxy), so it must be issued for the public ADFS host name by an authority the browsers trust. The token-signing certificate is what the federation server uses to sign the SAML tokens issued to users; LUCCA must trust it, which is why it is exchanged through the ADFS metadata in step 3 and must be re-sent whenever it changes.
Step 1: Create a relying party trust for LUCCA
From the ADFS Management Console, in the Actions column at the right, click on Add Relying Party Trust
Follow the steps in the Add Relying Party Trust Wizard:
- Select Data Source: choose the first option, Import data about the relying party published online or on a local network, and enter the metadata URL that the LUCCA teams gave you.
- Specify Display Name: you can customise the pre-filled value; this is the name given to your ADFS configuration for LUCCA.
- Choose Issuance Authorization Rules: select Permit all users to access this relying party. Every authenticated domain user will then receive a token for LUCCA; if you want to limit this to a group, you can replace the rule with a group-based issuance authorization rule once the trust exists.
Next, a summary of information retrieved from LUCCA appears (identifier, endpoint, signing certificate, encryption certificate, etc.).
Step 2: Send an AD attribute as the unique identifier
By default, the Edit Claim Rules interface is brought up by the wizard at the end of step 1. If not, click on Edit Claim Rules from the configuration you just created for LUCCA.
From the Issuance Transform Rules tab, click on Add Rule...
Select Send LDAP Attributes as Claims
After entering a rule name, select the corresponding attribute store (in this case, Active Directory).
Next, select a single LDAP attribute to send in the token issued by your ADFS service. It must be a unique identifier (email address or login name) that LUCCA can match against the professional email address, personal email address or login field of the user file. Typical choices are the mail attribute for the email address and sAMAccountName or userPrincipalName for the login name; check that the chosen attribute is populated for every user and that its values match the LUCCA field exactly (case and domain suffix included), otherwise those users will be rejected at sign-in.
Last, for the Outgoing Claim Type, select Name ID.
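The two wizard steps above can also be performed from the ADFS PowerShell module on the federation server. The block below is an added example, not part of the original LUCCA guide: it creates the relying party trust from the published metadata, applies the "permit all users" authorization rule, and adds the "Send LDAP Attributes as Claims" rule that maps one AD attribute to Name ID. The metadata URL, the display name and the choice of the mail attribute are assumptions; replace them with the URL LUCCA gave you and the attribute that matches your LUCCA field.

```powershell
# Added example (not LUCCA's own code). Run in an elevated PowerShell session
# on the ADFS server. Values below marked "assumed" are placeholders.
Import-Module ADFS

$metadataUrl   = "https://example.lucca.invalid/saml/metadata"  # assumed; use the URL LUCCA provided
$displayName   = "LUCCA"                                         # assumed display name
$ldapAttribute = "mail"                                          # assumed; sAMAccountName or userPrincipalName for a login

# Step 1 equivalent of "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 2 equivalent of "Send LDAP Attributes as Claims" with Outgoing Claim Type = Name ID.
# The query is ";<attribute>;{0}" where {0} is the authenticated Windows account name.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send $ldapAttribute as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";$ldapAttribute;{0}", param = c.Value);
"@

# Import identifier, endpoints and certificates from LUCCA's metadata, and let ADFS
# poll that URL so a LUCCA certificate change is picked up automatically.
Add-AdfsRelyingPartyTrust -Name $displayName `
    -MetadataUrl $metadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Verify what was imported and that the claim rule was stored as expected.
Get-AdfsRelyingPartyTrust -Name $displayName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules
```

The same commands can be re-run with Set-AdfsRelyingPartyTrust to change the attribute later; the value in the Name ID claim must match the LUCCA field exactly, so test with one account before rolling out.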
Step 3: Set up LUCCA
Using our online form, please send the following information:
- metadata for your ADFS service
- the LUCCA field corresponding to the AD attribute sent in the token (step 2): email address or login name
The public URL for accessing your ADFS metadata is preferred. For ADFS it is the standard federation metadata endpoint, in the following format: https://<your ADFS host name>/FederationMetadata/2007-06/FederationMetadata.xml
Note: if the ADFS token-signing certificate is renewed (manually, or automatically by ADFS certificate rollover), LUCCA will reject tokens signed with the new certificate until it has received it. Send us the new certificate first, using our online form, before it becomes the primary signing certificate, in order to avoid any service interruption.
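To act on this note before an outage happens, you need to know which token-signing certificate is currently primary, whether ADFS has already generated its replacement, and how to export the public part to send through the form. The block below is an added example, not part of the original LUCCA guide; the export directory is an assumption.

```powershell
# Added example (not LUCCA's own code). Read-only apart from writing .cer files;
# it exports public certificates only, never a private key.
Import-Module ADFS

$exportDir = "C:\Temp\adfs-token-signing"   # assumed export path
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# With AutoCertificateRollover enabled, ADFS creates a new token-signing certificate
# CertificateGenerationThreshold days before the current one expires and promotes it
# to primary CertificatePromotionThreshold days later. The window between those two
# events is when the new certificate must reach LUCCA.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold

# List primary (in use) and secondary (pending) token-signing certificates and export each.
Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
    $x509 = $_.Certificate
    $role = if ($_.IsPrimary) { "primary" } else { "secondary" }
    "{0,-9} {1}  expires {2:yyyy-MM-dd}" -f $role, $x509.Thumbprint, $x509.NotAfter
    Export-Certificate -Cert $x509 -FilePath (Join-Path $exportDir "token-signing-$role.cer") -Type CERT | Out-Null
}

# Metadata URL to give LUCCA if the endpoint is reachable from the Internet;
# the metadata already carries both signing certificates once a secondary exists.
$fqdn = (Get-AdfsProperties).HostName
"https://$fqdn/FederationMetadata/2007-06/FederationMetadata.xml"
```

If a secondary certificate is listed, send its .cer file through the online form before the promotion date; if only a primary is listed and it is close to expiry, send the new certificate as soon as it appears.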