Both the OAuth 2.0 and SAML 2.0 protocols can be used to interface LUCCA with Azure AD.
This document provides the information required to set up Single Sign-On between Azure AD and LUCCA solutions using the SAML 2.0 protocol (only available with Premium Azure AD subscriptions).
For the OAuth 2.0 protocol, you can use the following help page: SSO Azure AD with the OAuth 2.0 protocol
- Subscription to the LUCCA SSO option
- The metadata URL, obtained from the LUCCA teams
Step 1: Creating an SAML 2.0 application
1. From the Azure Active Directory management interface, click on the Enterprise applications menu.
2. Click on New application.
3. Select Non-gallery application, enter an application Name (e.g. Lucca), then click Add.
4. Choose the SAML protocol.
5. Upload the metadata XML file (downloaded from the metadata URL provided by Lucca), then save the default configuration that is generated.
6. Edit User Attributes & Claims so that a single attribute is sent in the SAML token: a unique identifier (email address or login name) that LUCCA matches against the professional email address/personal email address fields or the login field of the user files.
Lastly, save the Federation Metadata URL; it is needed in step 3.
7. Optionally, change the signing policy for SAML tokens: sign the SAML Assertion and/or the SAML Response (by default only the SAML Assertion node is signed).
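The two settings chosen in steps 6 and 7 (the single matching attribute and the signing policy) are what LUCCA relies on when it receives a token, so it is worth being able to check a captured SAML Response against them. The following Python script is an added example, not code from LUCCA or Microsoft: it parses a constructed sample response, reports which nodes carry a signature, and extracts the single attribute. The tenant ID, ACS URL and the email claim name are assumptions for the sample (the claim name is the standard Azure AD `emailaddress` claim URI; the page itself does not name the attribute). The script performs structural checks only; cryptographic verification of the `ds:Signature` elements against the certificate in the federation metadata is left to a SAML library such as python3-saml.

```python
"""Check a SAML Response against the step-1 settings: signing policy and
the single matching attribute. Structural checks only; signature values
are NOT verified here (use a SAML library for that)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Standard Azure AD claim URI for the email address (assumed choice for the single attribute).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: Assertion signed, Response not signed (the Azure AD default).
# Tenant ID, ACS URL and signature content are placeholders, not values from the page.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example.ilucca.net/saml/acs">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>BASE64-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def signing_policy(response_xml: str) -> dict:
    """Report which nodes carry a ds:Signature as a DIRECT child.
    Only a direct child signature covers the node; a signature found
    deeper in the tree must not be counted for the enclosing node."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    sig_tag = f"{{{NS['ds']}}}Signature"
    response_signed = any(child.tag == sig_tag for child in root)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError(f"expected exactly one Assertion, found {len(assertions)}")
    assertion_signed = any(child.tag == sig_tag for child in assertions[0])
    return {"response": response_signed, "assertion": assertion_signed}


def policy_matches(response_xml: str, chosen: str) -> bool:
    """chosen is the step-7 setting: 'assertion' (default), 'response' or 'both'.
    True when every node the policy requires to be signed carries a signature."""
    found = signing_policy(response_xml)
    required = {"assertion": ["assertion"], "response": ["response"],
                "both": ["assertion", "response"]}[chosen]
    return all(found[node] for node in required)


def matching_attribute(response_xml: str, expected_name: str) -> str:
    """Return the value of the single attribute LUCCA matches on, refusing
    tokens that carry more (or other) attributes than step 6 configured."""
    root = ET.fromstring(response_xml)
    attrs = root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    if len(attrs) != 1:
        raise ValueError(f"expected a single attribute, token carries {len(attrs)}")
    attr = attrs[0]
    if attr.get("Name") != expected_name:
        raise ValueError(f"unexpected attribute {attr.get('Name')!r}")
    values = attr.findall("saml:AttributeValue", NS)
    if len(values) != 1 or not (values[0].text or "").strip():
        raise ValueError("attribute must carry exactly one non-empty value")
    return values[0].text.strip()


if __name__ == "__main__":
    print("signed nodes:", signing_policy(SAMPLE_RESPONSE))
    print("default policy satisfied:", policy_matches(SAMPLE_RESPONSE, "assertion"))
    print("matching value:", matching_attribute(SAMPLE_RESPONSE, EMAIL_CLAIM))
```

Run the script against a response captured from the browser (decoded from the base64 `SAMLResponse` form field) to confirm the token Azure AD emits has the signature placement and the single attribute that were declared to LUCCA in step 3. Counting only direct-child signatures is deliberate: a token whose only signature sits elsewhere in the tree would be reported as unsigned and should be treated as a misconfiguration.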
Step 2: Authorise users to access the application
In the Enterprise applications tab, you will find the application created for LUCCA in step 1. Assign it to the users who will need access to the LUCCA solutions.
Step 3: Setting up LUCCA
Using our online form, send us the following information from step 1:
- Federation Metadata URL
- The LUCCA field corresponding to the Azure AD attribute sent in the token (step 1): email address or login name
- The chosen SAML signing policy