SSO Microsoft ADFS - Active Directory Federation Services (SAML 2)

Before you get started

The following document outlines the steps involved in implementing single sign-on between your ADFS service and LUCCA solutions (SAML 2.0 protocol).

> The following example is based on ADFS 3.0.

Requirements

  • Setting up the ADFS role

Step 1: Creating the configuration in Lucca

This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.


1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.


2. Collect the information shown in the “Lucca service provider information” section. This example uses the SAML 2.0 protocol, but the same section applies to the other protocols:

  • Your connection URL;
  • Your response URL;
  • Your metadata URL (SAML 2.0 only);
  • Your Lucca identifier (SAML 2.0 only).


Step 2: Creating a relying party trust (i.e. LUCCA)

From the ADFS management console, in the Actions pane on the right, click Add Relying Party Trust...


Follow the steps of the Add Relying Party Trust wizard:

- Select Data Source: choose the first option, Import data about the relying party published online or on a local network, and enter the metadata URL provided in the Lucca interface.


- Specify Display Name: you can customize the pre-filled value; this will be the name of your ADFS configuration for LUCCA.

- Choose Issuance Authorization Rules: select Permit all users to access this relying party.


A summary of the information retrieved from LUCCA is then displayed (identifier, endpoints, signature and encryption certificates, etc.).

Step 3: Sending an AD attribute as the unique identifier

By default, the wizard opens the Edit Claim Rules window when it finishes (end of step 2). Alternatively, click Edit Claim Rules... from the relying party trust just created for LUCCA.


On the Issuance Transform Rules tab, click Add Rule...


Select the Send LDAP Attributes as Claims rule template.


After entering a rule name, select the corresponding attribute store (here Active Directory).

Then select a single LDAP Attribute to send in the token issued by your ADFS service. This must be a unique identifier (e-mail address or login) that LUCCA can match against the business e-mail address / personal e-mail address fields or the login field of the user files.

Finally, for Outgoing Claim Type, select Name ID.

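The relying party trust and the claim rule from steps 2 and 3 can also be created from PowerShell instead of the wizard. This is an added example, not Lucca's or Microsoft's own script; it assumes it is run in an elevated PowerShell session on the ADFS server, and the metadata URL is a placeholder to replace with the value shown in the Lucca interface.

```powershell
# Added example: scripted equivalent of the Add Relying Party Trust wizard (step 2)
# and the "Send LDAP Attributes as Claims" rule (step 3).
Import-Module ADFS

$luccaMetadataUrl = "https://<your-lucca-metadata-url>"   # placeholder: copy from "Lucca service provider information"
$trustName        = "LUCCA"                                 # display name of the trust, as in the wizard

# Issuance authorization rule: equivalent of "Permit all users to access this relying party".
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Issuance transform rule: sends the AD "mail" attribute as the Name ID claim.
# Use ";sAMAccountName;{0}" instead of ";mail;{0}" to send the login rather than the e-mail address;
# whichever you choose must match the Lucca field selected in the next step.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Lucca unique identifier"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# Create the trust from the metadata published by Lucca. Monitoring/auto-update keep the
# Lucca signing and encryption certificates current when Lucca rotates them.
Add-AdfsRelyingPartyTrust -Name $trustName `
    -MetadataUrl $luccaMetadataUrl `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check: identifier, endpoints and the transform rule were imported as expected.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, MetadataUrl, IssuanceTransformRules
```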

Step 4: Setting up LUCCA

This operation must be performed by an administrator.

Once the configuration has been completed in your ADFS management interface, you will need to return to Lucca's authentication parameters to enter the following information:

  • the metadata of your ADFS service;
  • the LUCCA field corresponding to the AD attribute sent in the token (step 3): e-mail address or login.

Use the public URL of your ADFS metadata. It is generally of the following form:

https://adfs.company.com/FederationMetadata/2007-06/FederationMetadata.xml

Once this information has been entered and saved, you can activate the connection via SSO as soon as you wish:


Once login via SSO has been activated, you can prevent employees from using the Lucca login page (where they sign in with their Lucca login and a personal password) by deactivating the "Lucca login/password login" option.

Certificate renewal on the ADFS side

If you entered a public URL for metadata access, our authentication service will stay up to date automatically, even when the ADFS certificate is renewed.

If you provided the certificate as a file instead, you will need to renew it in Lucca yourself, using the following procedure:

