Before you get started
OAuth 2.0 and SAML 2.0 protocols are available for integrating with Azure AD.
This document provides the information needed to set up single sign-on between Azure AD and LUCCA solutions using the OAuth 2.0 protocol.
For the SAML 2.0 protocol, follow the instructions in the separate guide (available only for PREMIUM Azure AD subscriptions): SSO protocol SAML 2.0
Step 1: Creating the configuration in Lucca
This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.
1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.
2. Note the information shown in the “Lucca service provider information” section. The example below shows the SAML 2.0 protocol, but the same section applies to the other protocols:
- Your connection URL;
- Your response URL;
- Your metadata URL (SAML2.0 only);
- Your Lucca identifier (SAML2.0 only).
Step 2: Creating an OAuth 2.0 application
1. From the Azure Active Directory management interface, App registrations tab, click on New registration.
2. Enter the following information: the application name (this value is customizable), the supported account type and the response URL. Then click on Register.
3. From the overview, note the application (client) ID and the directory (tenant) ID.
4. From the Customization tab, enter the connection URL that you noted in step one.
5. From the Certificates & secrets tab, click on New client secret, then enter a description and an expiry date (in this example it is set to never expire). Finally, click on Add.
Then save the generated key.
From the Enterprise Applications tab, you will find the OAuth 2.0 application created for LUCCA. Future users of LUCCA solutions will need to be granted the necessary permissions.
Step 3: Setting up LUCCA
This operation must be performed by an administrator.
Once the configuration has been completed in your Azure Active Directory management interface, you will need to return to Lucca's authentication parameters to enter the following information:
- Tenant ID
- Application ID
- Secret key: copy the Value (not the Secret ID) here; it is a character string containing letters, numbers and symbols.
The connection attribute lets you define which attribute (login or business email address) is sent by your identity provider to perform the connection.
Note that the LUCCA authentication service links the user email address (the unique identifier) provided by Azure AD to the business email address field of LUCCA user files.
As a result, the business email addresses used in Azure AD must be entered in the LUCCA solutions.
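As an added example (not Lucca's or Microsoft's code) of the checks this step implies, the Python below rejects an ID token whose issuer or audience does not match the tenant ID and application ID entered above, then links the user by the chosen connection attribute. The tenant ID, application ID, user records and token claims are constructed placeholders, and signature verification of the token against the tenant's keys is assumed to have been done beforehand.

```python
# Added example, not Lucca's or Microsoft's code. Models the post-login checks this page
# implies: the ID token must come from the configured tenant and be issued for the
# configured application, then the user is linked by the chosen connection attribute.
# Signature verification against the tenant's JWKS is assumed to have already happened.
import time

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder
APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed placeholder

# Lucca user files as described on the page: a login and a business email field.
LUCCA_USERS = [
    {"login": "jdupont", "business_email": "jean.dupont@example.com"},
    {"login": "mmartin", "business_email": "marie.martin@example.com"},
]

def validate_claims(claims, tenant_id=TENANT_ID, app_id=APP_ID, now=None):
    """Return a list of problems; an empty list means the token is acceptable."""
    now = time.time() if now is None else now
    problems = []
    # The v2.0 issuer is tenant-specific, so a token from another tenant is rejected.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        problems.append("issuer does not match the configured tenant ID")
    if claims.get("aud") != app_id:  # must be this registration's application ID
        problems.append("audience does not match the configured application ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def resolve_user(claims, attribute, users=LUCCA_USERS):
    """Link the Azure AD user to a Lucca user; None when nothing matches
    (the case the page warns about when Azure AD emails are not in Lucca)."""
    if attribute == "email":  # business email, compared case-insensitively
        value = (claims.get("email") or "").lower()
        return next((u for u in users if u["business_email"].lower() == value), None)
    if attribute == "login":  # Lucca login compared with preferred_username
        value = claims.get("preferred_username", "")
        return next((u for u in users if u["login"] == value), None)
    raise ValueError(f"unknown connection attribute: {attribute}")

# Constructed sample of decoded ID-token claims (not a real token).
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "aud": APP_ID,
    "exp": 2_000_000_000,
    "email": "Jean.Dupont@example.com",
    "preferred_username": "jean.dupont@example.com",
}
```

With the sample claims, the "email" attribute links the user while "login" does not, which is why the connection attribute must match what your identity provider actually sends.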
Once this information has been entered and saved, you can activate the SSO connection as soon as you are ready.
Once login via SSO has been activated, you can prevent employees from using the Lucca login page, which lets them log in with their Lucca login and a personal password, by deactivating the "Lucca login/password login" option.