SSO Google (SAML 2)

Before you get started

We support two authentication protocols for Google Identity Platform: OAuth 2.0 and SAML 2.0. This document provides the information needed to set up single sign-on between Google Identity Platform and LUCCA solutions using the SAML 2.0 protocol.

Here is the help page for implementing the OAuth 2.0 protocol.

Step 1: Creating the configuration in Lucca

This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.

1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.

2. Note the information shown in the “Lucca service provider information” section. This example uses SAML 2.0, but the same applies to the other protocols:

  • Your connection URL;
  • Your response URL;
  • Your metadata URL (SAML 2.0 only);
  • Your Lucca identifier (SAML 2.0 only).

Step 2: Creating a SAML 2.0 application

1. From the Google Admin interface (administrator rights required), select Applications.

2. Click on SAML Applications, then on the + button at the bottom right of the screen to add a new application.

3. Select Configure my customized application.

4. Download the IdP metadata file.

5. Give the application an explicit name (this will be the name displayed in the Google menu).

You can download the LUCCA logo at the following URL:

https://design.lucca.fr/shared/lucca-256x256.png

6. Enter the information obtained from the LUCCA interface. To do this, fill in:

  • the ACS URL (Google side) with the Response URL (Lucca side);
  • the entity ID (Google side) with the Lucca identifier (Lucca side);
  • the startup URL (Google side) with the connection URL (Lucca side).

7. Select the Signed response box and enter the name ID and name ID format as shown.

8. Then click on Add a new mapping.

Application attribute to enter:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

For the Google directory attribute, select General information, then Primary email address.

9. If all data has been entered correctly, a confirmation message appears.

Once the application has been created, it needs to be activated for all users.

Note: activation may take several hours.

Step 3: Setting up LUCCA

This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.

Once the configuration has been completed in your Google management interface, return to Lucca's authentication settings and enter the metadata URL or, if applicable, upload the IdP metadata file downloaded in Step 2.

By default, the standard signature and encryption parameters are activated. These parameters can be modified if you have a specific configuration.

Once this information has been entered and saved, you can activate the SSO connection as soon as you are ready:

Once SSO login has been activated, you can prevent employees from using the Lucca login page (where they sign in with their Lucca login and a personal password) by deactivating the "Lucca login/password login" option.