Both the OAuth 2.0 and SAML 2.0 protocols can be used to interface with Azure AD.
This document provides the information required to set up Single Sign-On between Azure AD and LUCCA solutions using the OAuth 2.0 protocol.
For the SAML 2.0 protocol, you can refer to the following help page (only available with PREMIUM Azure AD subscriptions): SAML 2.0 protocol SSO
Step 1: Creating configuration in Lucca
This step must be carried out by an administrator or by a user with access to the “Authentication and SSO settings” module.
1. Enable the corresponding authentication method.
2. Retrieve the following information from the “Lucca Service Provider Information” section:
- Your metadata URL;
- Your login URL;
- Your reply URL;
- Your Lucca identifier.
Step 2: Creating an OAuth 2.0 application
1. From the Azure Active Directory management interface, in the App registrations tab, click on New registration.
2. Enter the following information: the application name (this value can be customised), the supported account type and the Redirect URL supplied by LUCCA’s teams. Then click Register.
3. From the overview, save both the application ID and directory ID.
4. From the Branding tab, enter the login URL provided by LUCCA’s teams.
5. From the Certificates & secrets tab, click on New client secret, then enter a description and an expiration date (in the example: ‘Never’). Lastly, click on Add.
Then save the generated secret.
Be careful: you must copy the Value field, not the Secret ID.
From the Enterprise Applications tab, you will find the OAuth 2.0 application created for LUCCA. Assign the necessary rights there to the users who will use LUCCA solutions.
Step 3: Setting up LUCCA
This step must be carried out by an administrator.
Once the configuration is complete in your Azure Active Directory management interface, you will need to return to the Lucca authentication settings to enter the following elements:
- Tenant ID
- Application ID
- Secret Key: paste the Value field (not the Secret ID), which is a string of letters, numbers and symbols.
The connection attribute lets you define which attribute (login or professional email address) your identity provider sends to establish the connection.
Note that the LUCCA authentication service matches the user email address (unique identifier) provided by Azure AD against the professional email address field of the LUCCA user records.
Consequently, the professional email addresses from Azure AD must be entered in the LUCCA solutions.
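The following pre-flight check is an added example, not code from Lucca or Microsoft: it flags the two mistakes this procedure is prone to (pasting the Secret ID instead of the secret Value, and Azure AD users whose sign-in address has no matching professional email in Lucca) and derives the Azure AD v2.0 endpoints from the Tenant ID. The case-insensitive email comparison and the sample GUIDs and addresses are assumptions constructed for the example.

```python
import re
from typing import Dict, Iterable, List

# Tenant ID, Application ID and the Secret *ID* are all GUIDs; the secret *Value* is not.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def check_oauth_settings(tenant_id: str, application_id: str, secret: str) -> List[str]:
    """Return the problems found in the three values Lucca asks for (empty list = OK)."""
    problems = []
    if not GUID_RE.match(tenant_id.strip()):
        problems.append("Tenant ID is not a GUID")
    if not GUID_RE.match(application_id.strip()):
        problems.append("Application ID is not a GUID")
    value = secret.strip()
    if GUID_RE.match(value):
        # A GUID in this field almost always means the Secret ID was pasted by mistake.
        problems.append("Secret Key looks like the Secret ID, not the secret Value")
    elif len(value) < 16:
        problems.append("Secret Key is too short to be a client secret value")
    return problems


def azure_endpoints(tenant_id: str) -> Dict[str, str]:
    """Microsoft identity platform v2.0 endpoints for the given tenant."""
    base = f"https://login.microsoftonline.com/{tenant_id}"
    return {
        "metadata": f"{base}/v2.0/.well-known/openid-configuration",
        "authorize": f"{base}/oauth2/v2.0/authorize",
        "token": f"{base}/oauth2/v2.0/token",
    }


def unmatched_users(azure_emails: Iterable[str], lucca_professional_emails: Iterable[str]) -> List[str]:
    """Azure AD addresses with no Lucca user carrying that professional email.
    Comparison is case-insensitive here (assumption; confirm Lucca's actual matching rule)."""
    known = {e.strip().lower() for e in lucca_professional_emails}
    return sorted(e for e in azure_emails if e.strip().lower() not in known)


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    tenant = "11111111-2222-3333-4444-555555555555"
    app = "66666666-7777-8888-9999-aaaaaaaaaaaa"
    pasted_secret_id = "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"  # wrong field copied
    print(check_oauth_settings(tenant, app, pasted_secret_id))
    print(azure_endpoints(tenant)["metadata"])
    print(unmatched_users(["Alice.Martin@example.com", "bob@example.com"],
                          ["alice.martin@example.com"]))
```

Run it with the values you are about to paste into Lucca; an empty problem list and an empty unmatched-user list mean the SSO activation should not lock anyone out.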
Once this information has been entered and saved, you can activate the connection via SSO whenever you wish.
Once the connection via SSO is activated, you can prevent your collaborators from reaching the Lucca login page (where they sign in with their Lucca login and a personal password) by deactivating the “Lucca Login/Password connection”.