

Enabling single sign-on authentication (SSO) for Azure Active Directory (Azure AD)

Background Info

:!: This feature is available in Lucy 4.6 or newer.

This article gives step-by-step instructions for integrating SSO with Azure AD. Additional information about what SSO in Lucy is designed for can be found here.

What preparations need to be done before connecting to Azure AD?

  • Upload or create an SSL certificate for Lucy Admin console - see this article.
  • Make sure you have an Administrator account in Lucy (Settings > Users) with an email address that corresponds to your account in Azure Active Directory. Both accounts must have the same email address:

  • Add a new non-gallery web app to your Azure AD, see more here

Enable Single sign-on in Lucy

  • Open Lucy Admin console
  • Navigate to the SSO Configuration page (Settings > SSO Settings)
  • Activate the option "Enable Active Directory FS"
  • Download the pre-configured SAML metadata file (copy the URL, paste it into your web browser's address bar, and change the extension of the downloaded file to .XML, for example "lucy-sp.xml")

  • Configure SAML-based single sign-on to your non-gallery application, see more here

  • Upload the pre-configured SAML metadata file

  • Add a new Claim "mail" that contains the e-mail address of the user, see more here

Note :!: The attribute user.mail is always empty if the user does not exist in your Office 365 Exchange server. In that case use the attribute user.userprincipalname or another attribute that contains the user's email address instead.

  • Configure Azure AD SAML token encryption, see more here

:!: Do not forget to activate encryption for the uploaded certificate.

  • Download the FederationMetadata.xml file from Azure AD and fill in the Identity Provider Endpoint and Certificate Thumbprint in Lucy
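The last step asks for two values that are buried in FederationMetadata.xml. The script below, an added example that is not Lucy's own code, pulls them out so they can be copied into the Lucy SSO settings without hand-searching the XML. It assumes the file follows the SAML 2.0 metadata schema Azure AD publishes, that Lucy's "Identity Provider Endpoint" is the HTTP-POST SingleSignOnService URL, and that the "Certificate Thumbprint" is the SHA-1 fingerprint of the DER certificate (the value the Azure portal displays). The embedded sample metadata is constructed, and its certificate is a dummy byte string rather than a real X.509 certificate.

```python
"""Extract the Identity Provider Endpoint and Certificate Thumbprint that Lucy
asks for from an Azure AD FederationMetadata.xml (added example, not Lucy code).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the certificate blob; a real file carries a
# base64-encoded DER certificate here.
DUMMY_CERT_B64 = base64.b64encode(b"constructed dummy certificate bytes").decode()
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed sample holding only the elements the parser needs; real files also
# carry an XML signature and WS-Federation sections, which are ignored here.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{DUMMY_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{POST_BINDING}"
                         Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_thumbprint(cert_b64: str) -> str:
    """SHA-1 fingerprint of a base64 DER certificate as upper-case hex (assumed Lucy format)."""
    der = base64.b64decode("".join(cert_b64.split()))  # metadata may wrap the base64 over lines
    return hashlib.sha1(der).hexdigest().upper()


def parse_idp_metadata(xml_text: str, binding: str = POST_BINDING) -> dict:
    """Return the entityID, the SSO endpoint for `binding`, and all signing-cert thumbprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; is this the Azure AD (IdP) metadata file?")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == binding:
            sso_url = svc.get("Location")
            break
    if sso_url is None:
        raise ValueError(f"no SingleSignOnService with binding {binding}")

    thumbprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # In the metadata schema a KeyDescriptor without `use` serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            thumbprints.append(cert_thumbprint(cert.text or ""))
    if not thumbprints:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_thumbprints": thumbprints}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("Identity Provider Endpoint:", info["sso_url"])
    for tp in info["signing_thumbprints"]:
        print("Certificate Thumbprint:    ", tp)
```

Run it as `python3 idp_metadata.py FederationMetadata.xml`. If more than one thumbprint is printed, the metadata lists several signing certificates; compare them with the certificate shown in the application's SAML signing certificate section in the Azure portal before pasting one into Lucy.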

Testing Authentication

  • Make sure you have added users to your app

  • Navigate to the SSO Configuration page in Lucy Admin console and click the button Test Connection:

  • You will be immediately forwarded to the Microsoft login page. Enter your username and password:

  • Once signed in, you will be bounced back to the Lucy Admin console. If an error occurs, double-check everything and then check the Sign-ins page within the Activity section in Azure AD for hints as to what could have gone wrong.

Troubleshoot problems

  • I am redirected back to Lucy's login page after successful authorization through the single sign-on.

If you are sent back to the login page, check the Claim rules (see the section Enable Single sign-on in Lucy, "Add a new Claim 'mail'…"). There must be a claim named "mail", with an empty "Namespace" and a Source attribute that contains the user's email address. For example:
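The three ways this claim rule goes wrong (a Namespace set on the claim, an empty source attribute such as user.mail for a user without an Exchange mailbox, or no "mail" claim at all) are all visible in the assertion Azure AD sends. The checker below is an added example, not Lucy's code: given a decrypted SAML assertion, it reports which of those cases applies. It assumes the assertion follows the SAML 2.0 assertion schema and that Lucy matches on the bare attribute name "mail"; the sample assertions are constructed, and the builder that makes them is only there to keep the example self-contained.

```python
"""Diagnose the "mail" claim in a decrypted SAML assertion (added example, not Lucy code)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EXPECTED_CLAIM = "mail"  # bare name Lucy expects, i.e. claim "mail" with an empty Namespace (assumed)


def build_assertion(attributes: dict) -> str:
    """Build a minimal constructed assertion carrying the given attribute name -> values."""
    attr_xml = ""
    for name, values in attributes.items():
        vals = "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
        attr_xml += f'<Attribute Name="{name}">{vals}</Attribute>'
    return (f'<Assertion xmlns="{SAML}" ID="_constructed" Version="2.0">'
            '<Subject><NameID>constructed-user</NameID></Subject>'
            f'<AttributeStatement>{attr_xml}</AttributeStatement></Assertion>')


# Constructed samples for each outcome.
GOOD = build_assertion({
    "mail": ["alice@example.com"],
    "http://schemas.microsoft.com/identity/claims/tenantid": ["00000000-0000-0000-0000-000000000000"],
})
# Claim created with a Namespace: Azure AD emits "<namespace>/mail" instead of "mail".
NAMESPACED = build_assertion({"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail": ["alice@example.com"]})
# Source attribute user.mail is empty (user has no Office 365 mailbox).
EMPTY = build_assertion({"mail": [""]})
# Only the default emailaddress claim is present; no "mail" claim was added.
MISSING = build_assertion({"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": ["alice@example.com"]})


def check_mail_claim(assertion_xml: str) -> tuple:
    """Return (ok, explanation) for the "mail" claim in a decrypted assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name", "")
        attrs[name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    if EXPECTED_CLAIM in attrs:
        values = [v for v in attrs[EXPECTED_CLAIM] if v.strip()]
        if not values:
            return (False, "claim 'mail' is present but empty: the source attribute (e.g. user.mail) "
                           "has no value for this user; use user.userprincipalname or another "
                           "attribute that holds the address")
        if "@" not in values[0]:
            return (False, f"claim 'mail' value {values[0]!r} does not look like an email address")
        return (True, f"claim 'mail' = {values[0]}")

    # Same claim name but with a Namespace prefix configured.
    namespaced = [n for n in attrs if n.rsplit("/", 1)[-1] == EXPECTED_CLAIM]
    if namespaced:
        return (False, f"claim is emitted as {namespaced[0]!r}: a Namespace is configured, "
                       f"but Lucy expects the bare name '{EXPECTED_CLAIM}' (empty Namespace)")

    return (False, f"no '{EXPECTED_CLAIM}' claim in the assertion; attributes present: {sorted(attrs)}")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_mail_claim(open(sys.argv[1], encoding="utf-8").read()))
    else:
        for label, sample in [("good", GOOD), ("namespaced", NAMESPACED), ("empty", EMPTY), ("missing", MISSING)]:
            print(label, "->", check_mail_claim(sample))
```

Because the Azure AD token is encrypted for Lucy (see the token encryption step above), the assertion must be decrypted with Lucy's private key before it can be fed to this check; the "Sign-ins" page in Azure AD shows the claims it issued without needing the key.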

sso_azure.1570604669.txt.gz · Last modified: 2019/10/09 09:04 by lucy