sso_authentication

sso_authentication [2019/07/09 11:48] – [Create the Relying Party Trust in AD FS] lucy
sso_authentication [2021/03/16 14:36] (current) lucy
Line 3: Line 3:
 ===== Background Info ===== ===== Background Info =====
  
-:!: This feature is available in Lucy 4.6 or newer version.+:!: This feature is available in Lucy 4.6 or newer version. \\ 
 +:!: We do not recommend using Let's Encrypt certificates with an SSO provider due to the short live term of charge-free certificates
  
 Lucy allows you to set the SSO authentication by using the Lightweight Directory Access Protocol (LDAP) to access Admin console and EndUser portal. This also allows you to use a non-unique link for the awareness website within a campaign. Lucy allows you to set the SSO authentication by using the Lightweight Directory Access Protocol (LDAP) to access Admin console and EndUser portal. This also allows you to use a non-unique link for the awareness website within a campaign.
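Review bot: "short live term of charge-free certificates" on the new Let's Encrypt line should read "short lifetime", and the line would be more useful if it stated the reason the short lifetime matters: the certificate is what the SSO provider holds for the relying party trust, so every renewal forces the metadata re-upload and trust update described in the "Useful tips" and "Troubleshooting" hunks of this same revision. Suggest: ":!: We do not recommend using Let's Encrypt certificates with an SSO provider because of their short lifetime: each renewal changes the certificate and requires the SSO metadata and the relying party trust to be updated."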
Line 20: Line 21:
   * ADFS 4.0 (Windows Server 2016)   * ADFS 4.0 (Windows Server 2016)
   * ADFS 5.0 (Windows Server 2019)   * ADFS 5.0 (Windows Server 2019)
 +  * Azure AD (refer to [[sso_azure|this guide]] to have a detailed instructions)
 +  * Okta (refer to [[sso_okta|this guide]] for more details)
  
 The connection to the AD FS can be configured within the Settings / SSO Configuration:  The connection to the AD FS can be configured within the Settings / SSO Configuration: 
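Review bot: "to have a detailed instructions" on the added Azure AD bullet is ungrammatical; suggest "for detailed instructions" so it reads like the Okta bullet directly below it.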
Line 74: Line 77:
   * On your AD FS server, open the **AD FS Management** console, expand **Trust Relationships** and select the **Relying Party Trusts** node. In the Actions pane, click **Add Relying Party Trust**:   * On your AD FS server, open the **AD FS Management** console, expand **Trust Relationships** and select the **Relying Party Trusts** node. In the Actions pane, click **Add Relying Party Trust**:
  
-**Attention** :!: If the Lucy Admin Console is configured on a non-standard port (for example, port 8443, see more [[firewall_security_settings|here]]), then you will need to add two separate entry of Relying Party Trust with the identical parameters, but different Federation metadata address (URL). \\+**Attention** :!: If the Lucy Admin Console is configured on a non-standard port (for example, port 8443, see more [[firewall_security_settings|here]]), then you will need to add **two separate entry of Relying Party Trust** with the identical parameters, but different Federation metadata address (URL): \\ 
 +The first will be: **https://lucydomain.com/service-provider/endpoint/metadata/lucy-sp** \\ 
 +Second: **https://lucydomain.com:8443/service-provider/endpoint/metadata/lucy-sp** \\ 
 +\\
 In case access to the Lucy Admin Console is limited to a range of IP addresses, you must include an ADFS server in this range. In case access to the Lucy Admin Console is limited to a range of IP addresses, you must include an ADFS server in this range.
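Review bot: the two metadata URLs added here use lucydomain.com without saying it is a placeholder, so a reader may paste them verbatim; add a short note such as "replace lucydomain.com with the hostname of your Lucy Admin Console" before the first URL. Also "two separate entry of Relying Party Trust" should read "two separate Relying Party Trust entries", and "an ADFS server" in the unchanged IP-range sentence should be "the AD FS server" to match the product name used elsewhere on the page.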
  
Line 162: Line 168:
 {{ ::sso_ssl_for_awareness_website.png?600 |}} {{ ::sso_ssl_for_awareness_website.png?600 |}}
  
 +
 +===== Useful tips =====
 +
 +**How to update or replace SSL certificate used for SSO authentication?**
 +
 +You should first update your SSL certificate within the SSL Settings. Refer to this [[ssl_configuration|page]] for detailed instructions.
 +
 +Once the SSL certificate is updated, go to the SSO Settings page, upload XML metadata file and click Save button. To verify whether the certificate is applied, click "Download Certificate" link, open the file and check certificate details.
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
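Review bot: the new tip covers only the Lucy side; after the SSL certificate is replaced the relying party trust in AD FS still holds the old certificate, which is exactly the situation the troubleshooting entry below resolves with "Update from Federation Metadata..." (or Update-AdfsRelyingPartyTrust). Suggest adding that as a final step, and naming which XML metadata file is meant by "upload XML metadata file" so the reader knows where to obtain it. Minor: "click Save button" should be "click the Save button".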
Line 176: Line 190:
  
 **Solution**: The time difference between AD FS and Lucy servers can cause an authentication problem. Make sure that the time zone setting is correct on the Advanced Settings page in Lucy. **Solution**: The time difference between AD FS and Lucy servers can cause an authentication problem. Make sure that the time zone setting is correct on the Advanced Settings page in Lucy.
 +
 +**Issue**: (AD FS) Login with a single sign-on sometimes does not work (it redirects to the Lucy's login page after successful login at AD FS website) . \\
 +
 +**Solution**: Disable the revocation check on your AD FS server by the PowerShell command (see details [[https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=win10-ps|here]]):
 +
 +<code>
 +Set-AdfsRelyingPartyTrust -TargetName "Your RelyingParty Name" -SigningCertificateRevocationCheck None
 +</code>
 +
 +**Issue**: (AD FS) Login with a single sign-on stopped working after update to Lucy 4.7 (it redirects to the Lucy's login page after successful login at AD FS website) . \\
 +
 +**Solution**: Update the Relying Party Trust on your Windows Server by clicking "Update from Federation Metadata..." link in AD FS Management console or through the [[https://docs.microsoft.com/en-us/powershell/module/adfs/update-adfsrelyingpartytrust|PowerShell]].
 +
 +**Issue**: A blank window appears after successful authentication at SSO provider website and there an error in the web server logs (Apache): "Uncaught exception 'SimpleSAML\\Error\\Error' with message 'ACSPARAMS'".
 +
 +**Solution**: Verify your SSO provider settings, make sure that all required attributes are passed to Lucy during Single sign-on authentication.
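Review bot: the Set-AdfsRelyingPartyTrust workaround with -SigningCertificateRevocationCheck None disables revocation checking of the signing certificate for that relying party, so a revoked certificate would still be accepted by AD FS; the entry should say so explicitly and present it as a last resort after confirming the AD FS server can reach the certificate's revocation endpoints, rather than as the first fix. Grammar in the new issue lines: "the Lucy's login page" should be "the Lucy login page" (twice), "there an error in the web server logs" should be "there is an error in the web server logs", and the space before the full stop in "AD FS website) ." should be removed.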
sso_authentication.1562665697.txt.gz · Last modified: 2019/07/25 12:50 (external edit)