SAML Authentication

SAML SSO is a mechanism to log users into the Lucity Web and Mobile applications securely without the need for them to enter a logon and password every time. This authentication allows advanced authorization techniques such as Multi-Factor Authentication (MFA). SAML works similarly to Windows Authentication from the perspective of end users, but may be usable in scenarios where Windows Authentication is not available, such as for logging in to tablets or for a Lucity Web application hosted in the cloud.

More information

For more information about SAML, we recommend the following:

• GIGYA

IDP Setup

1. Select an IDP - In order to use SAML, you must have a SAML "Identity Provider" (IDP). A SAML IDP is an organization that offers SAML Identity services. Here is a short list of some known SAML IDPs:
   • OneLogin
   • SecureAuth
   • OKTA
   • SalesForce
   • AWS SSO
   • Auth0
   • Microsoft SSO
   • More IDPs

     Important: While the Lucity system supports SAML authentication, configuring the IDP to communicate to Lucity is the client's responsibility. Each IDP's configuration is unique and may require special knowledge or licensing to configure correctly.

2. Once you have an IDP you will need to set it up with your user accounts by doing the following:
   1. Upload your user accounts to the IDP. This process should typically be automated so that each time a person joins or leaves the organization their account (typically active directory) is automatically synchronized with the IDP.
   2. Identify the information in the SAML account that will be used to link this account to Lucity. This could be:
      1. A unique email address tied to the SAML account

      OR

      1. The unique id for the SAML account
   3. Create an "Application" in the IDP. You may need to create several applications. If you want to use SAML with Lucity Web and also use SAML with a Lucity Tablet application, you will need at least two applications. The application will have the following properties:
      1. URL - The url for the SAML application that Lucity will access.
      2. Public Key (encoded) - The key to decrypt the SAML Assertion. This key may be awkward to obtain and will be obtained in different ways from different IDPs.
      3. SAML Consumer URL - The web page that the SAML IDP will call back in Lucity once the user has been authenticated at the SAML IDP.
         • Lucity Web - The SAML application for Lucity Web will have a Consumer URL ending in /Public/SAMLConsume.aspx. Example: https://servername/LucityWeb/Public/SAMLConsume.aspx.
         • Lucity Mobile - The SAML application for Lucity Mobile will have a Consumer URL ending in /LOGIN/SAML/ACS. Example: https://servername/LucityMobileServer/LOGIN/SAML/ACS

         Note: The URL only needs to be accessible by the user's local browser, so it CAN be an internal IP address.

Lucity Security Setup

After loading your Lucity users into the IDP you need to map them to Lucity.

1. Open the Lucity Security Program > Security menu > Users/Groups Setup.
2. Select a user and click Edit User(s).
3. The SAML account can be linked to the user in one of two ways. IMPORTANT: Whichever option you select must be used consistently to link SAML accounts to Lucity users.
   • Email - Enter the email address linked to the SAML account.
   • SAML Logon - Enter the logon id for the related SAML account.
4. Click Ok.

   Note: As this process will have to be completed for each user this would ideally be setup as a scheduled import.

   Lucity does not currently support any automatic integrations with IDP providers. Therefore when users are added to or removed from the IDP provider they will not automatically be added or removed from Lucity. This means that a user removed from the IDP provider may still be able to access Lucity using a different authentication type.

Lucity System Settings

Once the IDP is setup you will need to configure the following system settings.

• These settings are for all environments using SAML authentication.
  • When TRUE, use email for SAML Logon. When FALSE, use SAML ID - Enable this option if in the Lucity Security Setup section you opted to identify the record based only on the email address.
  • When TRUE SAML Logons are Enabled - Enable this option so the system can start accepting SAML logins. The option to sign in with SAML will appear on the login screen.
• Web Application - Fill these out if you are using SAML with Lucity Web.
  • URL of SAML SSO IDP - Enter the URL for the SAML application created to work with Lucity Web. This was done in the IDP Setup Step 5.a.
  • The public key to decrypt the SAML - Enter the Public Key for the SAML application created to work with Lucity Web. This was done in the IDP Setup Step 5.b.
• Android App - Fill these out if you are using SAML with Lucity Mobile Android.
  • Android Tablet App. URL of SAML SSO IDP - Enter the URL for the SAML application created to work with the Lucity Mobile Android app. This was done in the IDP Setup Step 5.a.
  • Android Tablet App. The public key to decrypt the SAML Assertion - Enter the Public Key for the SAML application created to work with the Lucity Mobile Android app. This was done in the IDP Setup Step 5.b.
• iOS - Fill these out if you are using SAML with Lucity Mobile iOS.
  • iOS Tablet App. URL of SAML SSO IDP - Enter the URL for the SAML application created to work with the Lucity Mobile iOS app. This was done in the IDP Setup Step 5.a.
  • IOS Tablet App. The public key to decrypt the SAML Assertion - Enter the Public Key for the SAML application created to work with the Lucity Mobile iOS app. This was done in the IDP Setup Step 5.b.

Result

Lucity Web

• The Lucity Login page should now have an option to Sign in with SAML.

  More information about bypassing the Lucity Web Login Screen