---
title: "Configuring External Authentication"
description: "In the External authentication workspace of the Lucanet CFO Solution Platform, you can configure users to be authenticated via a central instance in the network. A separate password for access to the CFO Solution Platform then no longer needs to be maintained."
source_url: https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication
language: en
last_updated: 2023-08-16
---
# Configuring External Authentication

## Overview

In the **External authentication** workspace of the **Lucanet CFO Solution Platform**, you can activate or deactivate an external identity provider. When external authentication is active, a password no longer needs to be maintained separately for access to the CFO Solution Platform.

External authentication using [OIDC](https://support.lucanet.cloud/en/documentation/glossary.md#oidc) (OpenID Connect) and [SAML](https://support.lucanet.cloud/en/documentation/glossary.md#saml) (Security Assertion Markup Language) is possible for the Lucanet CFO Solution Platform.

## Activating External Authentication

To activate external authentication for the Lucanet CFO Solution Platform:

{% stepper %}
{% stepper-step %}
Click **Administration**.
{% /stepper-step %}
{% stepper-step %}
Open the **External authentication** workspace under **Platform management**.

{% /stepper-step %}
{% stepper-step %}
Activate the **Activate external authentication** checkbox.
{% /stepper-step %}
{% stepper-step %}
Select the authentication method to be used and then configure it:

 - **OIDC** (see [Configuring OIDC](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication.html?appId=aemshell.md#OICD))
 - **SAML** (see [Configuring SAML](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication.html?appId=aemshell.md#SAML))
{% /stepper-step %}
{% stepper-step %}
Click **Apply** to save your configuration.

{% /stepper-step %}
{% /stepper %}
## Configuring External Authentication

The configurations depend on which authentication method you have selected:

### Configuring OIDC

If you have selected **OIDC** as the authentication method, the following options are displayed:

To configure external authentication with **OIDC**:

#### Client ID

Enter the OIDC **Client ID**.

{% warning-box %}
The client is represented by different concepts in different identity providers, e.g.:

- [App registration (Microsoft Entra ID)](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication/entra-id-registration-OIDC.md)
- OIDC app integration (Okta)
{% /warning-box %}

#### Client Secret

Enter the **Secret** for the OIDC client.

#### Issuer URL

Enter the URL of the OIDC implementation of your identity provider. The issuer URL is the base address from which the well-known metadata endpoints (including the OIDC configuration and the JSON Web Key Set) are accessible.

#### Authorized scopes

The **authorized scopes** represent the level of access to your users' profiles that is requested by the Lucanet CFO Solution Platform. This must be configured correctly in the OIDC client.

Copy the **Authorized scopes** displayed and paste them into the configuration of your OIDC client.
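A pre-flight check for the Issuer URL and Authorized scopes fields, as an added example that is not part of the Lucanet product or documentation: it derives the discovery URL from the issuer and checks a discovery document against it. The sample document, the `idp.example.com` host, the set of required fields and the scope names in the test are assumptions.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a discovery document as an identity provider might serve
# it at <issuer>/.well-known/openid-configuration (all hosts are placeholders).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://idp.example.com/tenant-a",
  "authorization_endpoint": "https://idp.example.com/tenant-a/authorize",
  "token_endpoint": "https://idp.example.com/tenant-a/token",
  "jwks_uri": "https://idp.example.com/tenant-a/keys",
  "scopes_supported": ["openid", "profile", "email"],
  "response_types_supported": ["code"]
}""")

# Fields this added check insists on (an assumption of the example).
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_url):
    """Well-known configuration URL derived from the issuer URL."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer_url, doc, requested_scopes):
    """Return a list of problems; an empty list means the document fits."""
    problems = []
    for key in REQUIRED:
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"missing {key}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    # The issuer inside the document must equal the configured issuer URL
    # exactly; otherwise tokens would be validated against a different party.
    if doc.get("issuer") != issuer_url:
        problems.append("issuer mismatch")
    # scopes_supported is optional in discovery, so check it only when present.
    supported = doc.get("scopes_supported")
    if supported is not None:
        problems += [f"scope not offered: {s}"
                     for s in requested_scopes if s not in supported]
    return problems
```
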

#### Sign-in redirect URL(s)

The **sign-in redirect URL** is the address to which users are redirected after authentication with your identity provider. The sign-in redirect URL must be configured in the OIDC client.

Copy the displayed **sign-in redirect URL** and paste it into the configuration of your OIDC client.

{% idea-box %}
For more information on configuration steps in Microsoft Entra ID/Azure, see [Configuring Lucanet OIDC Authentication with Microsoft Entra ID/Azure](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication/entra-id-registration-OIDC.md).
{% /idea-box %}

### Configuring SAML

If you have selected **SAML** as the authentication method, the following options are displayed:

To configure external authentication with **SAML**:

#### Metadata Document URL

The **metadata document URL** is the address via which the SAML configuration document is accessible.

Enter the metadata document URL for the SAML implementation of your identity provider.

{% warning-box %}
Each identity provider uses a different format for the metadata URL, e.g.:

- **Microsoft Entra ID**: `https://login.microsoftonline.com/<Your-Tenant-ID>/FederationMetadata/2007-06/FederationMetadata.xml?appid=xxxxxx`
- **Okta**: `https://<Your-Okta-Domain>/app/<app-instance-id>/sso/saml/metadata`
{% /warning-box %}

#### Attribute

- The name of the e-mail attribute sent by your identity provider to the Lucanet CFO Solution Platform.
- The canonical name is: `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`

#### Reply URL

- The URL to which the SAML response is sent by your identity provider. The **reply URL** must be configured in the SAML integration for the Lucanet CFO Solution Platform.
- The reply URL is also known as the **Assertion Consumer Service (ACS) URL** or **Single Sign-On URL**.

#### Entity ID

The unique identifier for the service provider for the Lucanet CFO Solution Platform. The service provider must be configured in the SAML integration for the Lucanet CFO Solution Platform.

Copy the displayed **Entity ID** and paste it into the SAML configuration of your service provider.

{% idea-box %}
For more information on configuration steps in Microsoft Entra ID/Azure, see [Configuring Lucanet SAML Single Sign-On with Microsoft Entra ID/Azure](https://support.lucanet.cloud/en/documentation/administration/platform-management/configure-ext-authentication/entra-id-registration-saml.md).
{% /idea-box %}

{% warning-box %}
To use external authentication for a user, it must additionally be activated in the properties of that user.

To do this, navigate to the **User** workspace and edit the properties of the users who are to log in to the **Lucanet CFO Solution Platform** using external authentication. For additional information see [Creating and Editing Users for the Lucanet CFO Solution Platform](https://support.lucanet.cloud/en/documentation/administration/user-management.md).
{% /warning-box %}
