Before you get started
The following document outlines the steps involved in implementing single sign-on between your ADFS service and LUCCA solutions (SAML 2.0 protocol).
> The following example is based on ADFS 3.0.
Requirements
- Setting up the ADFS role
Step 1: Creating the configuration in Lucca
This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.
1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.
2. Note the following information in the "Lucca service provider information" section. This example uses SAML 2.0, but the same section exists for the other protocols:
- Your connection URL;
- Your response URL;
- Your metadata URL (SAML2.0 only);
- Your Lucca identifier (SAML2.0 only).
Step 2: Creating a relying party trust for LUCCA
From the ADFS management console, in the Actions pane on the right, click Add Relying Party Trust.
Follow the steps of the Add Relying Party Trust Wizard:
- Select Data Source: choose the first option, Import data about the relying party published online or on a local network, and enter the metadata URL provided in the Lucca interface.
- Specify Display Name: you can customize the pre-filled value; this will be the name of your ADFS configuration for LUCCA.
- Choose Issuance Authorization Rules: select Permit all users to access this relying party.
A summary of the information retrieved from LUCCA is then displayed (identifier, endpoints, signature and encryption certificates, etc.).
Step 3: Sending an AD attribute as the unique identifier
By default, the Edit Claim Rules dialog is opened by the wizard when it closes at the end of the previous step. Alternatively, select Edit Claim Rules on the configuration just created for LUCCA.
From the Issuance Transform Rules tab, click Add Rule...
Select Send LDAP Attributes as Claims.
After entering a rule name, select the corresponding attribute store (here Active Directory).
Then select a single LDAP attribute to send in the token issued by your ADFS service. This must be a unique identifier (email address or login) that lets LUCCA match it against the business email address/personal email address fields or the login field of the user records.
Finally, for Outgoing Claim Type, select Name ID.
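The relying party trust and the two claim rules that steps 2 and 3 create through the console can also be scripted with the ADFS PowerShell module. The block below is an added example, not code from Lucca's documentation; the metadata URL is a placeholder to be replaced with the value shown in the Lucca interface, and the rule text is what the "Permit all users" and "Send LDAP Attributes as Claims" templates produce, here emitting the AD mail attribute as Name ID.

```powershell
# Added example (not from Lucca's documentation): scripted equivalent of the
# console steps 2 and 3. Run on the ADFS server as an ADFS administrator.
Import-Module ADFS

# Assumed values: copy the real metadata URL from the "Lucca service provider
# information" section of the Lucca authentication settings (step 1).
$LuccaMetadataUrl = 'https://<your-lucca-tenant>/<metadata-path>'   # placeholder
$TrustName        = 'LUCCA'

# Step 2: import Lucca's SAML metadata (identifier, endpoints, certificates)
# and create the relying party trust. Monitoring + auto-update lets ADFS pick up
# changes Lucca publishes in its metadata (for example a certificate rollover).
Add-AdfsRelyingPartyTrust -Name $TrustName -MetadataUrl $LuccaMetadataUrl `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Step 2, "Permit all users to access this relying party", as an issuance
# authorization rule in ADFS claim rule language.
$AuthorizationRules = @'
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3: "Send LDAP Attributes as Claims" rule that reads the user's mail
# attribute from Active Directory and issues it as the Name ID claim.
# Use ";sAMAccountName;{0}" instead of ";mail;{0}" if Lucca matches on the login field.
$TransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Lucca Name ID from mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

Set-AdfsRelyingPartyTrust -TargetName $TrustName `
    -IssuanceAuthorizationRules $AuthorizationRules `
    -IssuanceTransformRules $TransformRules

# Check the result: Identifier should match the "Lucca identifier" shown in
# step 1, and the transform rule should be the one just set.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, IssuanceTransformRules
```

Only one attribute is issued as Name ID on purpose: Lucca matches the token on exactly one field (email or login), and issuing additional claims to the trust gives the application data it does not need.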
Step 4: Setting up LUCCA
This operation must be performed by an administrator.
Once the configuration has been completed in your ADFS management interface, you will need to return to Lucca's authentication parameters to enter the following information:
- the metadata of your ADFS service
- the LUCCA field corresponding to the AD attribute sent in the token (step 3): email address or login
Use the public URL of your ADFS metadata. It generally has the following format:
https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml
Once this information has been entered and saved, you can activate login via SSO whenever you wish.
Once login via SSO has been activated, you can disable the Lucca login page, where employees sign in with their Lucca login and a personal password, by deactivating "Lucca login/password login".
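Before entering the metadata URL in Lucca, it is worth checking from outside the corporate network that the URL is reachable and seeing which signing certificate ADFS currently publishes in it, since that is the certificate Lucca will validate your tokens against. The block below is an added example and not part of Lucca's documentation; it assumes the URL format given above and only reads the metadata.

```powershell
# Added example (not from Lucca's documentation): fetch the ADFS federation
# metadata and list the certificates it publishes for the IdP role.
# Assumed value: replace the host with your own ADFS service name.
$AdfsMetadataUrl = 'https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml'

# Run from a machine outside your network: Lucca fetches this URL from its
# side, so it must be publicly reachable (usually through the WAP proxy).
$response = Invoke-WebRequest -Uri $AdfsMetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# The entityID is the IdP identifier that Lucca will expect as the token issuer.
"entityID : " + $metadata.DocumentElement.GetAttribute('entityID')

# Each KeyDescriptor of the IdP SSO role carries a base64 DER certificate;
# decode it and show subject, thumbprint and validity window.
$nodes = $metadata.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor', $ns)
foreach ($kd in $nodes) {
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(, [Convert]::FromBase64String($b64))
    # An absent "use" attribute means the key serves both signing and encryption.
    $use  = if ($kd.GetAttribute('use')) { $kd.GetAttribute('use') } else { 'signing+encryption' }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Use        = $use
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
    }
    if ($daysLeft -lt 30) {
        Write-Warning "Certificate $($cert.Thumbprint) ($use) expires in $daysLeft days."
    }
}
```

The thumbprint printed here is what to compare against the certificate shown in Lucca's authentication settings. With a public metadata URL Lucca refreshes it on its own; if you instead uploaded the certificate as a file, the warning is your cue to plan the renewal described in the next section.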
Certificate renewal on the ADFS side
If you set up a public URL for metadata access, our authentication service stays up to date automatically, even when the certificate is renewed.
If your certificate is in the form of a file, you will need to renew it using the following procedure: