SSO Azure Active Directory (SAML 2.0)

Before starting

OAuth 2.0 and SAML 2.0 protocols are available to interface with Azure AD.

The following document provides the information required for setting up Single Sign-On between Azure AD and LUCCA solutions using the SAML 2.0 protocol (only available with Premium Azure AD subscriptions).

For the OAuth 2.0 protocol, you can use the following help page: SSO Azure AD with the OAuth 2.0 protocol

Step 1: Creating configuration in Lucca

This manipulation must be carried out by an administrator or a user with access to the “Authentication and SSO settings” module.

1. Enable the corresponding authentication method.

2. Retrieve different information from the “Lucca Service Provider Information” section:

  • Your metadata URL;
  • Your login URL;
  • Your reply URL;
  • Your Lucca identifier.

Step 2: Creating an SAML 2.0 application

1. From the Azure Active Directory management interface, click on the Enterprise applications menu.

2. Click on New application

3. Select Non-gallery application, enter an application Name (e.g. Lucca), then click Add.

4. Choose the SAML protocol.

5. Upload the metadata XML file (from the metadata URL provided by Lucca), then back up the default configuration generated.

6. Edit User Attributes & Claims to send a single attribute in the SAML token: this is a unique identifier (email address or login name) that allows LUCCA to match the professional email address field or the login field of user files.

Unique User Identifier => user.userprincipalname

Lastly, back up the Federation Metadata URL.

7. (Optional) You can change the signing certificate policy for SAML tokens (optional): sign SAML assertion and/or SAML Response (SAML Assertion node only by default).

From the Enterprise Applications tab, you will find the OAuth 2.0 application created for LUCCA. It will be appropriate to assign the necessary rights to future users of LUCCA solutions.

Step 3: LUCCA settings

This manipulation must be carried out by an administrator.

Once the configuration is complete in your Azure Active Directory management interface, you will need to return to the Lucca authentication settings to enter the following elements:

  • the LUCCA field to which the Azure AD attribute sent in the token corresponds (step 1): email address or login (point 1);
  • URL Federation Metadata (point 2);
  • SAML signature policy chosen (point 3).


Once this information has been entered and saved, you can activate the connection via SSO as soon as you wish:


Once the connection via SSO is activated, you can deactivate the possibility for your employees to arrive on the Lucca connection page which allows them to connect with their Lucca login and a personalized password by deactivating the “Lucca Login/Password connection”.

Certificate renewal

If you have set up a public URL for metadata access, our authentication service will remain up to date even in the event of renewal.


Page content

Was this article helpful?
0 out of 0 found this helpful