SSO Configuration

Introduction

Lucy supports single sign-on (SSO) for both administrative and end users. SAML (Security Assertion Markup Language) and OAuth 2.0 (Open Authorization) are widely used standards for authentication and authorization, and each can be used to implement SSO.

These technologies allow administrators and users to access Lucy with a single set of credentials managed by your identity provider, which improves both convenience and security (one place to enforce MFA, lockout and offboarding). Although SAML and OAuth 2.0 both streamline authentication, they differ in purpose and operation:

  • Purpose: OAuth 2.0 is a framework for authorization. It enables applications to obtain limited access to user accounts on an HTTP service. While OAuth can be used for authentication (and often is, with extensions like OpenID Connect), its primary role is to authorize third-party applications to access a user's account without exposing their password.

  • How it works: OAuth 2.0 uses access tokens rather than user credentials to authorize requests. When a user logs into an application and consents to give it access to another service, the application receives an access token. This token is then used for subsequent requests to the service on behalf of the user.

  • Use Case: OAuth 2.0 is used in scenarios where an application needs to perform actions on behalf of a user without knowing their password.

Configuration

Before connecting to the Identity Provider, the following preparations are necessary:

  1. TLS Certificate: Upload or create a TLS (SSL) certificate for the Lucy Admin console. During SSO the browser is redirected between the Identity Provider and Lucy carrying assertions or tokens, so this connection must be encrypted and the certificate must be trusted by the browsers that will log in.

  2. Administrator Account Matching: Verify that you have an Administrator account in Lucy, which you can find under Settings -> Users -> Administrative Users. The email address associated with this account must match the email address of your account in the Identity Provider.

Test authentication via SSO before enabling the Auto Login feature. If Auto Login is active and you are locked out of your Lucy server, contact our technical support department to have Auto Login disabled.

Navigate to Settings -> Common System Settings -> SSO Settings

OAuth 2.0 (Entra ID)

App Registration

Ensure you have created the App Registration in Entra ID as outlined here.

Connect to Lucy

Add the Client ID (Application ID), Client Secret, and Tenant ID from your Entra ID App Registration. Treat the client secret like a password: it is shown only once when created and has an expiry date, after which the integration stops working, so record the expiry and rotate the secret before then.

To integrate Lucy with your App Registration, admin consent must be granted on behalf of your organization for the permissions that require it (see the table below). If the Entra ID account you use to authorize the integration does not have the privileges to grant consent for the organization, a Global Administrator (or another role permitted to grant tenant-wide consent) must do so; refer to the guide on establishing an admin consent workflow in Entra ID.

What API permissions are required for this integration?

Lucy uses the Microsoft Graph API (v1.0 endpoint) to read user and directory data from Microsoft services. All configured permissions are delegated permissions, i.e. they act on behalf of the signed-in user, so the effective access is never more than that user could read on their own. Two of them, Directory.Read.All and User.Read.All, additionally require admin consent because they expose directory data and the full profiles of all users.

Permission          Type       Description                                          Admin consent required

User.Read           Delegated  Sign in and read user profile                        No
Directory.Read.All  Delegated  Read directory data                                  Yes
email               Delegated  View users' email address                            No
offline_access      Delegated  Maintain access to data you have given it access to  No
openid              Delegated  Sign users in                                        No
User.Read.All       Delegated  Read all users' full profiles                        Yes
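As an added example (not code from Lucy or Microsoft), the following script checks which of the permissions in the table above were actually granted after an OAuth 2.0 sign-in and builds the Entra ID v2.0 admin-consent URL for the ones that still need tenant-wide consent. The token response is constructed to look like a reply from the Entra ID v2.0 token endpoint; only its scope, id_token and refresh_token fields are inspected. TENANT_ID, CLIENT_ID and REDIRECT_URI are placeholders, not values used by Lucy.

```python
"""Check granted Graph permissions against the ones Lucy needs and build the
admin-consent URL for those requiring tenant-wide consent.

Added example, not code from Lucy. Token response is constructed; IDs and
redirect URI are placeholders.
"""
from typing import Optional
from urllib.parse import urlencode

# Delegated permissions from the table above -> admin consent required?
REQUIRED_SCOPES = {
    "User.Read": False,
    "Directory.Read.All": True,
    "email": False,
    "offline_access": False,
    "openid": False,
    "User.Read.All": True,
}

# Placeholders (assumptions, not Lucy's real registration values).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
REDIRECT_URI = "https://lucy.example.com/oauth/callback"

# Constructed sample: a sign-in where only the permissions that need no
# admin consent were granted (the typical state before an admin consents).
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "email User.Read",
    "expires_in": 3599,
    "access_token": "eyJ...constructed...",
    "refresh_token": "0.A...constructed...",
    "id_token": "eyJ...constructed...",
}


def granted_scopes(token_response: dict) -> set:
    """Scopes evidenced by the token response.

    Graph resource scopes appear in the space-separated 'scope' field. The two
    OIDC scopes are evidenced differently: 'openid' by the presence of an
    id_token and 'offline_access' by the presence of a refresh_token.
    Comparison is done in lower case to tolerate casing differences.
    """
    granted = {s.lower() for s in token_response.get("scope", "").split()}
    if token_response.get("id_token"):
        granted.add("openid")
    if token_response.get("refresh_token"):
        granted.add("offline_access")
    return granted


def missing_scopes(token_response: dict) -> dict:
    """Required scopes not granted, mapped to whether they need admin consent."""
    granted = granted_scopes(token_response)
    return {s: admin for s, admin in REQUIRED_SCOPES.items() if s.lower() not in granted}


def admin_consent_url(missing: dict, tenant_id: str = TENANT_ID,
                      client_id: str = CLIENT_ID,
                      redirect_uri: str = REDIRECT_URI) -> Optional[str]:
    """v2.0 admin-consent URL for the missing scopes that need it; None if none do.

    A Global Administrator (or a role allowed to grant tenant-wide consent)
    opens this URL once; afterwards users sign in without a consent prompt.
    """
    needs_admin = sorted(s for s, admin in missing.items() if admin)
    if not needs_admin:
        return None
    params = {
        "client_id": client_id,
        # v2.0 admin consent takes fully qualified resource scopes
        "scope": " ".join(f"https://graph.microsoft.com/{s}" for s in needs_admin),
        "redirect_uri": redirect_uri,
        "state": "lucy-sso-consent",  # opaque value echoed back; verify it on return
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?"
            + urlencode(params))


if __name__ == "__main__":
    missing = missing_scopes(SAMPLE_TOKEN_RESPONSE)
    for scope, admin in missing.items():
        print(f"missing: {scope:20} admin consent required: {admin}")
    print("admin consent URL:", admin_consent_url(missing) or "not needed")
```

Run it against a real token response (for example one captured from a test sign-in) to see at a glance whether the remaining failures are a consent problem or something else; if only non-admin scopes are missing, the fix is in the App Registration's API permissions, not in consent.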

SAML 2.0 (Any)

The exact steps for deploying a SAML application vary depending on the identity provider your organization uses. These are the general steps for setting up a SAML app and connecting it with Lucy.

Configure the IdP

Define Lucy as a service provider (SP) within the IdP, specifying its Assertion Consumer Service endpoint, entity ID and the SAML attributes Lucy requires (at minimum the user's email address).

Upload IdP Metadata

In Lucy, navigate to Settings -> Common System Settings -> SSO Settings.

Enter your administrative domain and IdP endpoint.

Then upload your IdP metadata file and paste in the certificate thumbprint. Your IdP should display the thumbprint of its SAML signing certificate; you can also compute it yourself with openssl (see the Entra ID section below) or with an online tool such as https://www.samltool.com/fingerprint.php. The signing certificate is public material, but computing the fingerprint locally avoids depending on a third-party site for a value that decides which IdP Lucy will trust.

Lucy requires a SHA1 thumbprint; SHA256 or other algorithms will not work. This concerns only how the IdP certificate is identified, not the algorithm the IdP uses to sign assertions.

Attribute Mapping

Map user attributes from the IdP to fields in Lucy (e.g., email, full name) as required.

Test Authentication

Verify the SSO connection with the IdP by clicking Test Connection. Testing should be completed before enabling Auto Login to avoid login issues.

Enable Automatic Login (optional)

This setting sends users to the IdP automatically for a seamless login, but should be used carefully: once enabled it restricts alternative access methods, so a broken IdP configuration or a revoked signing certificate can lock administrators out. Contact Lucy support if Auto Login prevents access.

SAML 2.0 (Entra ID)

Microsoft Entra ID also supports SSO using SAML 2.0.

Create Application

To begin, log in to your Entra ID portal and go to Manage -> Enterprise Applications. Select + New Application and then select the option for a Non-gallery application:

Click Create to create the new application.

App Configuration

Go to Manage -> Single Sign-On and select SAML for the SSO method.

Basic SAML Configuration

Click the Edit button and enter these values, then Save.

Identifier (Entity ID)

https://<your_lucy_url>/simplesaml/module.php/saml/sp/metadata.php/lucy-sp

Reply URL (Assertion Consumer Service URL)

https://<your_lucy_url>/simplesaml/module.php/saml/sp/saml2-acs.php/lucy-sp

Attributes and Claims

Click the Edit button and then + Add new claim. Create a new claim named mail with the source attribute user.mail, then click Save. Lucy matches the signed-in user by this email address (see Administrator Account Matching above), so it must equal the address stored for the account in Lucy:

Add Users and Groups

Next go to Manage -> Users and Groups and select + Add user/group.

Search for and add your desired Users/Groups so they can use the application to log in to Lucy.

If you don't want to add specific users or groups to the application, go to Properties and set Assignment Required? to No. Be aware that this lets every user in the tenant authenticate to the application; Lucy still only admits accounts that match an existing Lucy user, but assigning only the users or groups who need access is the safer default:

Upload Certificate Data

In the SAML Certificates section download the Federation Metadata XML. In the Set up <Application Name> section, copy the Microsoft Entra Identifier.

In Lucy, go to Settings -> Common System Settings -> SSO Settings.

  1. Select SAML 2.0 for the method.

  2. Enter your Lucy admin domain in the Domain Name field.

  3. Enter the Microsoft Entra Identifier (the IdP entity ID, of the form https://sts.windows.net/<tenant_id>/) in the Identity Provider Endpoint field.

  4. Upload the Federation Metadata file in the Identity Provider Server XML metadata field.

Entra ID displays the certificate thumbprint as SHA256, but Lucy requires SHA1. To obtain the SHA1 thumbprint, open the metadata XML file and look for the X509Certificate element inside the KeyDescriptor with use="signing":

Copy only the text of the certificate and create a new file with this format (you can copy this text):

-----BEGIN CERTIFICATE-----
paste your certificate content here
-----END CERTIFICATE-----

Save this as a .pem file, then use the openssl command (or an online tool) to get the SHA1 thumbprint. Some OpenSSL versions reject base64 lines longer than 64 characters; if you get a PEM error, wrap the certificate text to 64 columns (for example with fold -w 64) before adding the header and footer lines:

openssl x509 -in your_certificate.pem -noout -fingerprint -sha1

Finally, paste the thumbprint (the value after Fingerprint= in the openssl output) into the Identity Provider Certificate Thumbprint field.
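The manual steps above (find the X509Certificate element, rebuild the certificate, hash it) can be done in one go. The script below is an added example, not part of the Lucy documentation or product: it reads a SAML metadata file, picks the signing certificate(s) under IDPSSODescriptor, and prints the SHA1 thumbprint in the same colon-separated form openssl prints, alongside SHA256 so you can confirm it matches what the Entra portal shows. The embedded metadata is constructed for illustration: its shape follows Entra ID federation metadata, but the X509Certificate body is not a real certificate (a fingerprint is just the hash of the DER bytes, so the computation is identical for a real one).

```python
"""Compute the SHA1 thumbprint Lucy expects from an IdP's SAML metadata.

Added example, not code from Lucy. SAMPLE_METADATA is constructed; its
certificate body is base64("abc") so the expected hash is known.
"""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            YWJj
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def signing_certificates(metadata_xml: str) -> list:
    """DER bytes of every signing certificate under IDPSSODescriptor.

    A KeyDescriptor without a 'use' attribute may serve signing and encryption,
    so it is kept; use="encryption" certificates are skipped because Lucy only
    needs the key that signs assertions. Whitespace inside the base64 is
    removed since some IdPs wrap the certificate text.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert_el in kd.findall(".//ds:X509Certificate", NS):
            b64 = re.sub(r"\s+", "", cert_el.text or "")
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase fingerprint, the format openssl prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """PEM-wrap DER bytes with 64-column lines, for feeding to openssl x509."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def lucy_thumbprint(metadata_xml: str) -> str:
    """SHA1 thumbprint of the single IdP signing certificate.

    Entra ID publishes two signing certificates during a certificate rollover;
    in that case this refuses to guess and the caller must pick the active one.
    """
    certs = signing_certificates(metadata_xml)
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    return fingerprint(certs[0], "sha1")


if __name__ == "__main__":
    # Usage: python thumbprint.py FederationMetadata.xml  (no argument: sample)
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for der in signing_certificates(xml_text):
        print("SHA1  :", fingerprint(der, "sha1"))    # what Lucy wants
        print("SHA256:", fingerprint(der, "sha256"))  # what the Entra portal shows
```

Because the thumbprint is a hash over the certificate bytes, the value you paste into Lucy also has to be updated whenever the IdP rotates its signing certificate; the ValueError on two certificates is a deliberate reminder of that rollover window.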

Click Save to apply the settings, then click Test Connection. You should be redirected to your SSO login page where you can test that your connection is working.
