In the External authentication workspace of the Lucanet CFO Solution Platform, you can activate or deactivate an external identity provider. This means that a password no longer needs to be maintained separately for accessing the CFO Solution Platform.

External authentication using OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) is possible for the Lucanet CFO Solution Platform, with identity providers such as Microsoft Entra ID, Okta, or a custom provider.

To activate external authentication for the Lucanet CFO Solution Platform:

1

Click Administration.

2

Open the External authentication workspace in Platform management:

Shows the 'External authentication' workspace in the Platform management area.
Open 'External authentication' workspace
3

Activate the Activate external authentication check box.

4

Under Please choose the authentication procedure, select the combination of authentication protocol and identity provider that matches your setup:

Shows the authentication-procedure menu with the OIDC and SAML options for Entra, Okta, and Custom.
'Please choose the authentication procedure' menu

The configuration form then displays the fields and provider-specific hints for your selection.

5

Configure the displayed fields:

6

Click Apply to save your configuration.

The options you configure depend on the authentication protocol and identity provider you selected. Hover over the info icon next to a field to see provider-specific guidance.

If you selected an OIDC combination, the following options are displayed:

External authentication with the options to configure 'OIDC' for Microsoft Entra ID, including the Issuer URL validation.
Options for the configuration of 'OIDC'

To configure external authentication with OIDC:

OptionDescription
Client IDEnter the OIDC Client ID.

Note: The client can be represented by different concepts in different identity providers, for example:
App registration (Microsoft Entra ID)
• OIDC app integration (Okta)
Client secretEnter the secret for the OIDC client.

Note: For security reasons, the full client secret cannot be displayed after activation.
Issuer URLThe base address from which your identity provider's well-known OIDC metadata endpoints (including the OIDC configuration and the JSON Web Key Set) are exposed.

The required format depends on your identity provider:
Microsoft Entra ID: https://sts.windows.net/{tenant-id}/
Okta: https://{your-okta-domain}/oauth2/default

Note: The Issuer URL is validated in real time. If the value does not match the expected format for the selected identity provider, a validation message is displayed and you cannot save until you correct it. For a Custom provider, no provider-specific format is enforced.
Authorized scopesThe authorized scopes represent the level of access to your users' profiles that is requested by the Lucanet CFO Solution Platform. This must be configured correctly in the OIDC client.

Copy the authorized scopes displayed and paste them into the configuration of your OIDC client.
Sign-in redirect URL(s)The sign-in redirect URL is the address to which users are redirected after authentication with your identity provider. It must be configured in the OIDC client.

Copy the displayed sign-in redirect URL and paste it into the configuration of your OIDC client.

For more information on configuration steps in Microsoft Entra ID/Azure, see Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure.

If you selected a SAML combination, the following options are displayed:

External authentication with the options to configure 'SAML' for Microsoft Entra ID.
Options for the configuration of 'SAML'

To configure external authentication with SAML:

OptionDescription
Metadata document URLThe metadata document URL is the address via which the SAML configuration document is accessible.

Enter the metadata document URL for the SAML implementation of your identity provider.

Note: Each identity provider uses a different format for the metadata URL, for example:
Microsoft Entra ID: https://login.microsoftonline.com/{tenant-id}/
FederationMetadata/2007-06/FederationMetadata.xml?appid=xxxxxx
Okta: https://{your-okta-domain}/app/{app-instance-id}/sso/saml/metadata
Attribute• The name of the e-mail attribute sent by your identity provider to the Lucanet CFO Solution Platform.
• The canonical name is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, which is pre-filled by default.
Reply URL• The URL where the SAML response is sent by your identity provider. It must be configured in the SAML integration that represents the Service Provider of the Lucanet CFO Solution Platform to your identity provider.
• The reply URL is also known as the Assertion Consumer Service (ACS) URL or Single Sign-On URL.

Note: The SAML integration can be represented by various concepts in different identity providers, for example:
App registration (Microsoft Entra ID)
• SAML app integration (Okta)

Copy the displayed reply URL and paste it into your SAML integration.
Entity IDThe unique identifier for the Lucanet CFO Solution Platform Service Provider. It must be configured in the SAML integration that represents the Lucanet CFO Solution Platform to your identity provider. This is also known as the Audience URI.

Copy the displayed entity ID and paste it into the SAML configuration of your service provider.

Keep your SAML signing certificate valid. Lucanet reads the SAML signing certificate from the metadata document URL you configured. Before that certificate expires, Lucanet sends you a reminder e-mail. Renew or rotate the certificate at your identity provider in good time and make sure the metadata document served at your URL contains the new certificate before the current one expires. Otherwise, users may be unable to sign in with SAML.

For more information on configuration steps in Microsoft Entra ID/Azure, see Configuring Lucanet SAML Single Sign-On with Microsoft Entra ID/Azure.

In order to use external authentication of users, it must be activated in a further step in the properties of the desired user.

To do this, navigate to the User workspace and edit the properties of the users who are to log in to the Lucanet CFO Solution Platform using external authentication. For additional information see Creating and Editing Users for the Lucanet CFO Solution Platform.

When you activate external authentication for a user, the user receives an invitation e-mail with a Log In button that links directly to the login page.