Single Sign-On (SSO)

Authentication Mechanisms for SSO Implementation   

The Lucy team recommends SAML 2.0. However, we can also support OpenID Connect.

Setting Up SSO

Step 1: The customer will provide certificate and SSO endpoints

The Lucy team will need the following information to create a SAML Service provider connection in Auth0:

  • Sign In URL: SAML SSO URL to be used.
  • Sign Out URL: SAML Logout URL to be used.
  • Certificate: Public Certificate that Lucy should use to sign requests. A .pem or .cert file should work.
  • User ID Attribute: The attribute in the SAML token that will be mapped to the user_id property in Auth0.

Step 2: Lucy to create connection and share entity details

Lucy will provide the following information:

  • Assertion Consumer Service URL or Application Callback URL
  • SAML metadata URL
  • Audience or Entity ID

Step 3: Client to configure the connection at the identity provider end to accept SSO connections for the entity provided by Lucy

Step 4: Testing the connection

Lucy will require a few test IDs to ensure the connection is set up correctly.

  • Please provide details on how to log in to SSO for testing.
  • It would help to have a contact person whom we can reach to troubleshoot if there are issues.

User Attributes

We prefer the nameidentifier to be the email address.

We also require the following attributes:

  • First name
  • Last name
  • Email (or nameidentifier if not email)

We support customers sending us a source ID or an ID that users maintain at their side. Users will be tagged with a source ID for reporting.

If customers want to send additional attributes for business purposes (e.g. attribute-based roles), development effort is required to map these attributes into Lucy. Additional scope may be required.

The user identifier in Lucy is the email address. If a user's email changes, we need manual support to map the user to the new email.
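A pre-flight check an identity provider team could run on a decoded test assertion before Step 4, shown as an added example (not Lucy's or Auth0's code). The claim URIs chosen for first name, last name and email, the Entity ID `urn:example:lucy-sp` and the sample assertion are assumptions made for illustration; the check inspects content only and does not verify the signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Assumed attribute names; substitute the names agreed for the connection.
REQUIRED = {"First name": CLAIMS + "givenname", "Last name": CLAIMS + "surname"}
EMAIL_ATTR = CLAIMS + "emailaddress"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def check_assertion(xml_text, expected_audience):
    """List problems in a decoded test assertion. Content check only: the XML
    signature is NOT verified, so never use this to decide trust."""
    root = ET.fromstring(xml_text)
    is_assertion = root.tag == "{%s}Assertion" % NS["saml"]
    assertion = root if is_assertion else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
        attrs[a.get("Name")] = [v for v in values if v]
    problems = [f"missing attribute: {label}" for label, name in REQUIRED.items()
                if not attrs.get(name)]
    name_id = (assertion.findtext("saml:Subject/saml:NameID", "", NS) or "").strip()
    if not name_id:
        problems.append("missing NameID (nameidentifier)")
    candidates = [name_id] + attrs.get(EMAIL_ATTR, [])
    if not any(EMAIL_RE.match(c) for c in candidates):
        problems.append("neither NameID nor Email attribute is an email address")
    audiences = [(a.text or "").strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("Audience does not match the Entity ID")
    return problems

# Constructed sample: only a first name is sent unless `extra` adds attributes.
def sample(name_id, extra=""):
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:example:lucy-sp</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>{extra}
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(sample("E12345"), "urn:example:lucy-sp"))
```
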

User Provisioning 

Does the customer want users to be auto-provisioned? If yes, this is supported and has to be set up by the Lucy team. The customer is then responsible for setting up roles in Lucy to maintain source continuity or data access.

Role Assignment

All Lucy users are added to a ‘Default’ role when created. Company Administrators can configure what content is available within the ‘Default’ role. When additional attributes are provided, based on business need, additional roles can be administered to assign new users to attribute-based roles automatically.

 

