Configuring External Authentication
Last updated on 2024-11-29
Overview
In the External authentication workspace of the Lucanet CFO Solution Platform, you can activate or deactivate an external identity provider. Once activated, users no longer need a separately maintained password for accessing the CFO Solution Platform.
External authentication using OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) is possible for the Lucanet CFO Solution Platform.
Activating External Authentication
To activate external authentication for the Lucanet CFO Solution Platform:
- Click Administration.
- Open the External authentication workspace in the Platform management:
- Activate the Activate external authentication checkbox.
- Select the authentication method to be used and then configure it:
- OIDC (see Configuring OIDC)
- SAML (see Configuring SAML)
- Click Apply to save your configuration.
Configuring External Authentication
The configurations depend on which authentication method you have selected:
Configuring OIDC
If you have selected OIDC as the authentication method, the following options are displayed. Each option is listed with its description:
Client ID
Enter the OIDC Client ID.
The client can be represented by different concepts in different identity providers, e.g.:
- App registration (Microsoft Entra ID)
- OIDC app integration (Okta)
Client Secret
Enter the Secret for the OIDC client.
Issuer URL
URL for the OIDC implementation of your identity provider. The issuer URL is the base address from which the well-known metadata endpoints (including the OIDC configuration document and the JSON Web Key Set) are accessible.
Each identity provider uses a different format for the issuer URL, e.g.:
- Microsoft Entra ID: https://login.microsoftonline.com/<your-tenant-id>/v2.0
- Okta: https://<your-okta-domain>/oauth2/default
Enter the Issuer URL of your identity provider.
Authorized scopes
The authorized scopes represent the level of access to your users' profiles that is requested by the Lucanet CFO Solution Platform. This must be configured correctly in the OIDC client.
Copy the Authorized scopes displayed and paste them into the configuration of your OIDC client.
Sign-in redirect URL(s)
The sign-in redirect URL is the address to which users are redirected after authentication with your identity provider. The sign-in redirect URL must be configured in the OIDC client.
Copy the displayed sign-in redirect URL and paste it into the configuration of your OIDC client.
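The issuer URL, authorized scopes and sign-in redirect URL described above have to agree with what the identity provider actually serves. The following added example (not code from Lucanet or from any identity provider) is a pre-flight check over a constructed OIDC discovery document: it derives the well-known configuration address from the issuer URL, enforces the exact issuer match that OpenID Connect Discovery requires, and flags missing JWKS, unsupported scopes and non-HTTPS redirect URLs. The host `idp.example.com`, the tenant id and the redirect URL are placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed sample: what an identity provider would serve at
# <issuer URL>/.well-known/openid-configuration. Host and tenant id are placeholders.
SAMPLE_ISSUER = "https://idp.example.com/<your-tenant-id>/v2.0"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/<your-tenant-id>/v2.0",
  "authorization_endpoint": "https://idp.example.com/<your-tenant-id>/oauth2/v2.0/authorize",
  "token_endpoint": "https://idp.example.com/<your-tenant-id>/oauth2/v2.0/token",
  "jwks_uri": "https://idp.example.com/<your-tenant-id>/discovery/v2.0/keys",
  "scopes_supported": ["openid", "profile", "email", "offline_access"]
}""")


def discovery_url(issuer_url: str) -> str:
    """Address of the OIDC configuration document (OpenID Connect Discovery 1.0, section 4)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_oidc_settings(issuer_url, discovery, requested_scopes, redirect_urls):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        problems.append("issuer URL must be https without query or fragment")
    # Discovery requires the 'issuer' value in the document to be identical to the
    # URL it was fetched from; a mismatch means a mistyped tenant id or a document
    # served by a different provider than the one configured.
    if discovery.get("issuer") != issuer_url:
        problems.append("issuer in discovery document does not match the configured issuer URL")
    # Without an HTTPS JWKS endpoint, ID token signatures cannot be verified safely.
    if urlparse(discovery.get("jwks_uri", "")).scheme != "https":
        problems.append("jwks_uri is missing or not served over https")
    if "openid" not in requested_scopes:
        problems.append("scope 'openid' is required for an OIDC sign-in")
    supported = discovery.get("scopes_supported")
    if supported is not None:
        for scope in requested_scopes:
            if scope not in supported:
                problems.append(f"scope '{scope}' is not advertised by the provider")
    # Redirect URLs are matched exactly by the provider; require https and no fragment.
    for url in redirect_urls:
        r = urlparse(url)
        if r.scheme != "https" or r.fragment:
            problems.append(f"redirect URL '{url}' must be https with no fragment")
    return problems
```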
Configuring SAML
If you have selected SAML as the authentication method, the following options are displayed. Each option is listed with its description:
Metadata Document URL
The metadata document URL is the address via which the SAML configuration document is accessible.
Enter the metadata document URL for the SAML implementation of your identity provider.
Each identity provider uses a different format for the metadata URL, e.g.:
- Microsoft Entra ID: https://login.microsoftonline.com/<Your-Tenant-ID>/FederationMetadata/2007-06/FederationMetadata.xml
- Okta: https://<Your-Okta-Domain>/app/<app-instance-id>/sso/saml/metadata
Attribute
- The name of the e-mail attribute sent by your identity provider to the Lucanet CFO Solution Platform.
- The canonical name is:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Reply URL
- The URL to which the SAML response is sent by your identity provider. The reply URL must be configured in the SAML integration for the Lucanet CFO Solution Platform.
- The reply URL is also known as the Assertion Consumer Service (ACS) URL or Single Sign-On URL.
The SAML integration can be represented by various concepts in different identity providers, e.g.:
- App registration (Microsoft Entra ID)
- SAML app integration (Okta)
Copy the displayed Reply URL and paste it into your SAML integration.
Entity ID
The unique identifier for the service provider for the Lucanet CFO Solution Platform. The service provider must be configured in the SAML integration for the Lucanet CFO Solution Platform.
Copy the displayed Entity ID and paste it into the SAML configuration of your service provider.
Before a user can sign in with external authentication, it must also be enabled in a further step in that user's properties.
To do this, navigate to the User workspace and edit the properties of the users who are to log in to the Lucanet CFO Solution Platform using external authentication. For additional information see Creating and Editing Users for the Lucanet CFO Solution Platform.