Configuring External Authentication

Getting Started

Global Functions

Administration

User Management

Managing the CFO Solution Platform

Managing Lucanet Licenses

Configuring External Authentication

Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure

Configuring Lucanet SAML Single Sign-On with Microsoft Entra ID/Azure

Configuring Customizations

Generating and Downloading SEA Certificates

Exchange Rate Management

Extended Planning & Analysis (xP&A)

Consolidation & Financial Planning

ESG Reporting

Disclosure Management

XBRL Tagger

Lease Accounting

Banking & Cash Management

Data Collection

Tax Compliance & Reporting

Glossary

In the External authentication workspace of the Lucanet CFO Solution Platform, you can configure the activation or deactivation of a new External Identity Provider based on your preference. This means that a password no longer needs to be maintained separately for accessing the CFO Solution Platform.

External authentication using OIDC (OpenID Connect) and SAML (Security Assertion Markup Language) is possible for the Lucanet CFO Solution Platform.

To activate external authentication for the Lucanet CFO Solution Platform:

Click Administration.

Open the External authentication workspace in the Platform management:

Open 'External authentication' workspace

Activate the Activate external authentication checkbox.

Select the authentication method to be used and then configure it:

OIDC

(see

Configuring OIDC

)

SAML

(see

Configuring SAML

)

Click Apply to save your configuration.

The configurations depend on which authentication method you have selected:

If you have selected OIDC as the authentication method, the following options are displayed:

External authentication with the options to configure 'OIDC'. — Options for the configuration of 'OIDC'

To configure external authentication with OIDC:

Option	Description
Client ID	Enter the OIDC Client ID. Note: The client can be represented by different concepts in different identity providers, e.g: • App registration (Microsoft Entra ID) • OIDC app integration (Okta)
Client Secret	Enter the Secret for the OIDC client.
Issuer URL	URL for the OIDC implementation of your identity provider. The issuer URL is the base address from which the known metadata endpoints (including the OIDC configuration and the JSON web key set) are accessible. Note: Each identity provider uses a different format for the issuer URL, e.g: • Microsoft Entra ID: https://login.microsoftonline.com/<your-tenant-id>/v2.0 • Okta: https://<your-okta-domain>/oauth2/default Enter the Issuer ID of your identity provider. Note: Only letters (a-z, A-Z), numbers (0-9), standard URL characters (-, ., /, :, _), and properly formatted query parameters (?, =, &) are allowed.
Authorized scopes	The authorized scopes represent the level of access to your users' profiles that is requested by the Lucanet CFO Solution Platform. This must be configured correctly in the OIDC client. Copy the Authorized scopes displayed and paste them into the configuration of your OIDC client.
Sign-in redirect URL(s)	The sign-in redirect URL is the address to which users are redirected after authentication with your identity provider. The sign-in redirect URL must be configured in the OIDC client. Copy the displayed sign-in redirect URL and paste it into the configuration of your OIDC client.

For more information on configuration steps in Microsoft Entra ID/Azure, see Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure.

If you have selected SAML as the authentication method, the following options are displayed:

External authentication with the options to configure 'SAML'. — Options for the configuration of 'SAML'

To configure external authentication with SAML:

Option	Description
Metadata Document URL	The metadata document URL is the address via which the SAML configuration document is accessible. Enter the metadata document URL for the SAML implementation of your identity provider. Note: Each identity provider uses a different format for the metadata URL, e.g: • Microsoft Entra ID: https://login.microsoftonline.com/<Your-Tenant-ID>/ FederationMetadata/2007-06/FederationMetadata.xml?appid=xxxxxx • Okta: https://<Your-Okta-Domain>/app/<app-instance-id>/sso/saml/metadata
Attribute	• The name of the e-mail attribute sent by your identity provider to the Lucanet CFO Solution Platform. • The canonical name is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Reply URL	• The URL to which the SAML response is sent by your identity provider. The reply URL must be configured in the SAML integration for the Lucanet CFO Solution platform. • The reply URL is also known as the Assertion Consumer Service (ACS) URL or Single Sign-On URL. Note: The SAML integration can be represented by various concepts in different identity providers, e.g: • App registration (Microsoft Entra ID) • SAML app integration (Okta) Copy the displayed Reply URL and paste it into your SAML integration.
Entity ID	The unique identifier for the service provider for the Lucanet CFO Solution Platform. The service provider must be configured in the SAML integration for the Lucanet CFO Solution Platform. Copy the displayed Entity ID and paste it into the SAML configuration of your service provider.

For more information on configuration steps in Microsoft Entra ID/Azure, see Configuring Lucanet SAML Single Sign-On with Microsoft Entra ID/Azure.

In order to use external authentication of users, it must be activated in a further step in the properties of the desired user.

To do this, navigate to the User workspace and edit the properties of the users who are to log in to the Lucanet CFO Solution Platform using external authentication. For additional information see Creating and Editing Users for the Lucanet CFO Solution Platform.