Before you get started
OAuth 2.0 and SAML 2.0 protocols are available for integrating with Azure AD.
This document provides the information needed to set up single sign-on between Azure AD and Lucca solutions using the SAML 2.0 protocol (available only with Azure AD Premium subscriptions).
For the OAuth 2.0 protocol, see the help page "SSO Azure AD with OAuth 2.0 protocol".
Step 1: Creating the configuration in Lucca
This operation must be performed by an administrator or a user with access to the "Authentication and SSO parameters" module.
1. Activate the appropriate authentication method depending on the protocol (OAuth 2.0, SAML 2.0, ...) and your IdP.
2. Note the information shown in the "Lucca service provider information" section. This example uses the SAML 2.0 protocol, but the same section applies to the other protocols:
- Your connection URL;
- Your response URL;
- Your metadata URL (SAML 2.0 only);
- Your Lucca identifier (SAML 2.0 only).
Step 2: Creating a SAML 2.0 application
1. From the Azure Active Directory management interface, click on the Enterprise Applications menu.
2. Click on New application.
3. Select Non-gallery application and enter an app description (e.g. Lucca), then click on Add.
4. Choose the SAML protocol.
5. Upload the XML metadata file (downloaded from the metadata URL provided by Lucca in Step 1), then save the default configuration that Azure AD generates from it.
6. Edit User Attributes and Claims so that the SAML token carries a single attribute: a unique identifier (email address or login) that Lucca matches against either the professional email address field or the login field of its user records.
Unique User Identifier => user.userprincipalname
Finally, copy the Federation Metadata URL; you will need it in Step 3.
7. (optional) You can change the SAML token signing policy: sign the SAML Assertion, the SAML Response, or both (by default only the SAML Assertion node is signed).
From the Enterprise applications tab, you will find the application you created for LUCCA. Users of the Lucca solutions must be assigned to this application to be allowed to sign in.
Step 3: Setting up LUCCA
This operation must be performed by an administrator.
Once the configuration has been completed in your Azure Active Directory management interface, return to Lucca's authentication parameters and enter the following information:
- the Lucca field that the identifier sent in the token (chosen in Step 2) is matched against: professional email address or login (point 1);
- the Federation Metadata URL (point 2);
- the SAML signing policy you chose (point 3).
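The three settings above decide what Lucca does with each incoming token: which parts must be signed (the policy from Step 2, point 7) and which user field the single identifier claim (Step 2, point 6) is compared against. The following Python is an added example, not Lucca's or Microsoft's code, that shows those two checks on a constructed SAML response. It only tests that a signature element is present where the policy requires one; cryptographic verification of those signatures is left to a SAML library. The user records and the `email`/`login` field names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response (not a real Azure AD token): both the Response
# and the Assertion carry a placeholder ds:Signature element.
SIGNED_BOTH = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>RESPONSE-SIG</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignatureValue>ASSERTION-SIG</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with the Response-level signature removed: this is what the
# Azure AD default ("SAML Assertion only") policy produces.
SIGNED_ASSERTION_ONLY = SIGNED_BOTH.replace(
    "  <ds:Signature><ds:SignatureValue>RESPONSE-SIG</ds:SignatureValue></ds:Signature>\n", "", 1)

# Constructed Lucca-side user records (hypothetical shape).
USERS = [
    {"id": 1, "email": "jane.doe@example.com", "login": "jdoe"},
    {"id": 2, "email": "john.smith@example.com", "login": "jsmith"},
]


def signed_parts(response_xml):
    """Report which SAML nodes carry a ds:Signature child."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    return {
        "response": root.find("ds:Signature", NS) is not None,
        "assertion": assertion is not None and assertion.find("ds:Signature", NS) is not None,
    }


def policy_satisfied(response_xml, policy):
    """policy is 'assertion' (Azure AD default), 'response' or 'both'.

    Every node the policy names must be signed; extra signatures are fine.
    """
    required = {"assertion": ("assertion",), "response": ("response",),
                "both": ("assertion", "response")}[policy]
    parts = signed_parts(response_xml)
    return all(parts[name] for name in required)


def extract_name_id(response_xml):
    """Return the single identifier claim (NameID) carried by the assertion."""
    node = ET.fromstring(response_xml).find("saml:Assertion/saml:Subject/saml:NameID", NS)
    return None if node is None or node.text is None else node.text.strip()


def match_user(identifier, field, users=USERS):
    """Resolve the identifier against the chosen Lucca field ('email' or 'login').

    Comparison is case-insensitive (an assumption of this example). Exactly one
    record must match; zero or several matches means the login is refused.
    """
    wanted = identifier.casefold()
    matches = [u for u in users if u[field].casefold() == wanted]
    return matches[0] if len(matches) == 1 else None


def authenticate(response_xml, policy, field, users=USERS):
    """Full check: signing policy first, then identifier resolution."""
    if not policy_satisfied(response_xml, policy):
        return None
    identifier = extract_name_id(response_xml)
    return None if identifier is None else match_user(identifier, field, users)


if __name__ == "__main__":
    print(signed_parts(SIGNED_ASSERTION_ONLY))
    print(authenticate(SIGNED_BOTH, "both", "email"))
    print(authenticate(SIGNED_ASSERTION_ONLY, "both", "email"))
```

Note that the default policy accepts the assertion-only token, while a policy of "both" rejects it even though the identifier inside is valid: if you change the signing policy in Azure AD, the same change must be made in Lucca or every login fails.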
Once this information has been entered and saved, you can activate the SSO connection whenever you are ready.
Once SSO login is active, you can prevent employees from using the Lucca login page (where they sign in with their Lucca login and a personal password) by deactivating "Lucca login/password login".
Renewing your certificate
If you configured Lucca with a public metadata URL rather than a static metadata file, our authentication service stays up to date automatically, including when you renew the signing certificate.
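The reason a metadata URL survives certificate renewal is that the federation metadata document lists the identity provider's current signing certificates, and during a rollover Azure AD publishes both the old and the new one. The following Python is an added example, not Lucca's or Microsoft's code: it reads a constructed metadata document, keeps only the `KeyDescriptor` entries usable for signing, and refreshes a cached set of trusted certificate fingerprints the way a metadata-URL-based integration would on each fetch. The certificates and tenant ID are placeholders.

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed federation metadata (placeholder certificates, not real Azure AD
# output). Two signing keys are listed, as happens mid-rollover, plus one
# encryption-only key that must not be trusted for signatures.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xELUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        TkVXLUNFUlQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>RU5DLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def fetch_metadata(url, timeout=10):
    """Download the metadata document from the public Federation Metadata URL."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def signing_certificates(metadata_xml):
    """Return the base64 DER certificates the IdP may currently sign with.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it is kept; 'encryption'-only descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", MD_NS):
        use = kd.get("use")
        if use is not None and use != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", MD_NS):
            # Metadata often wraps the base64 across lines; normalise it.
            certs.append("".join(cert.text.split()))
    return certs


def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, the usual way to pin a certificate."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def refresh_trust_store(metadata_xml, trusted_fingerprints):
    """Replace the cached trusted set with what the metadata publishes now.

    Returns (current, added, dropped) so the caller can log a rollover.
    Old keys disappear from the set as soon as the IdP stops publishing them.
    """
    current = {fingerprint(c) for c in signing_certificates(metadata_xml)}
    previous = set(trusted_fingerprints)
    return current, current - previous, previous - current


if __name__ == "__main__":
    # Offline demo on the constructed document; swap in fetch_metadata(url)
    # for the Federation Metadata URL copied in Step 2.
    cached = {fingerprint("T0xELUNFUlQ=")}
    current, added, dropped = refresh_trust_store(SAMPLE_METADATA, cached)
    print("trusted:", sorted(current))
    print("added:", added, "dropped:", dropped)
```

If Lucca had instead been given a static metadata file or a pasted certificate, the cached set would never change, and tokens signed with the renewed certificate would be rejected until someone updated the configuration by hand.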