Fusion 5.9

    Single sign-on authentication

    This article describes features that are only available in certain packages. See Lucidworks Feature Limited Availability for details, or reach out to your Lucidworks representative.

    Lucidworks Platform supports single sign-on (SSO), which restricts user logins to specified email domains and uses your organization’s identity provider authentication method instead of Lucidworks' built-in authentication. Workspace owners can configure SSO via OpenID Connect (OIDC) or Security Assertion Markup Language (SAML).

    OIDC Authentication

    OIDC is an authentication layer built on the OAuth 2.0 framework. It uses HTTPS endpoints to retrieve user data and conveys the user's identity data (claims) in a JSON Web Token (JWT) called the ID token. Tokens are digitally signed and can also be encrypted.

    Complete all of the following procedures to configure OIDC authentication.

    1. Create users in Lucidworks Platform

    Prerequisites
    1. Users must be added to the Lucidworks Platform.

    2. Users must exist in your Okta instance and be assigned to the Okta application you are using to connect with Lucidworks Platform.

    3. The user’s email address in Okta and Lucidworks Platform must match.

    1. Sign in to Lucidworks Platform and click Settings > Users & Provisioning > Users.

    2. Verify all necessary users are listed, active, and their emails match their Okta user counterparts.

    3. If any users are missing, add the appropriate users by completing the steps in invite users.

    2. Create a new application in Okta

    1. Set up a new application in Okta. The following fields are specific to setting up an integration with Lucidworks:

      • Sign-in method: Select OIDC.

      • Application type: Select Web Application.

      • Sign-in redirect URIs: Leave this blank for now. You’ll configure it in a later step.

      • Logout redirect URIs: Remove all URIs.

      • Controlled access: Choose Allow everyone in your organization to access.

      • Enable immediate access: Uncheck Enable immediate access with Federation Broker Mode.

    2. After creating the OIDC app, copy the Client ID and the Client Secret, and save them in a secure location.

      The Client Secret authenticates Lucidworks Platform to Okta at the token endpoint. Treat it like a password: store it in a secrets manager, never paste it into tickets or chat, and rotate it in both Okta and Lucidworks Platform if it is ever exposed. The Client ID is not secret, but both values are required to complete the configuration.
    3. Assign at least one user and one admin to the application. These users must already exist in Lucidworks Platform. You must assign yourself as one of the users to be able to complete the authentication configuration.

    3. Create the Identity Provider in Lucidworks Platform

    1. Sign in to Lucidworks Platform and click Settings > Users & Provisioning > Authentication > OIDC.

    2. Enter values in the required fields:

      • Email Domains: Enter the list of email domains whose users must sign in through SSO, for example, lucidworks.com.

        Be careful not to lock yourself out at this step. If you list a domain that you already use to log in to Lucidworks Platform and you don’t complete the remaining steps, you will be prompted to log in via SSO the next time you log out, and that login will fail because Okta does not yet have the Redirect URL. Make sure your own account is assigned to the Okta application before you save. If you are unable to log into Lucidworks Platform, contact Support or your Lucidworks representative.
      • Enter the Client ID and Client Secret provided by your Okta OIDC application.

      • Enter the Configuration URL provided by your Okta instance.

        To get the full OIDC configuration URL, append /.well-known/openid-configuration to your Issuer URL. For example, if your issuer is https://lucidworkstest.oktapreview.com, the full configuration URL would be: https://lucidworkstest.oktapreview.com/.well-known/openid-configuration
    3. Click Save.

    4. The Identity Provider process may take several minutes to complete. Once finished, the URLs for IDP Configuration display on the right side of the screen. Copy the Redirect URL and save it in a secure location.

    4. Configure the application in Okta

    1. In Okta, navigate to the application you created for Lucidworks SSO.

    2. In the General Settings, click Edit.

    3. In Sign-in redirect URIs click Add URI. Paste the Redirect URL generated by Lucidworks Platform.

    4. Click Save.

    5. Test SSO functionality

    After configuring both the Identity Provider in Lucidworks Platform and the application in Okta, test the integration by logging into Lucidworks Platform as one of the users assigned to the application. If the configuration is successful, you are redirected to Okta to authenticate instead of seeing the built-in login form.
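    Before testing against a live tenant, it helps to check the pieces the steps above depend on: that the Configuration URL is built from the issuer correctly, that the discovery document points back at the same issuer over HTTPS, that an ID token's claims pass the checks a relying party must make (issuer, audience, expiry, verified email, Email Domains filter, matching Platform user), and that no Platform user in a listed domain is missing from the Okta assignment (the lockout case from step 3). The following is an added example written for this page, not Lucidworks or Okta code. The issuer reuses the page's example tenant as a placeholder; the Client ID, discovery document, ID-token claims and user lists are constructed sample data.

```python
"""Pre-flight checks for the Okta OIDC setup described in the steps above.

Added example, not Lucidworks or Okta code. All data below is constructed:
the issuer reuses the page's example tenant as a placeholder, and the client
ID, discovery document, ID-token claims and user lists are made up.
"""
import time
from urllib.parse import urlsplit

ISSUER = "https://lucidworkstest.oktapreview.com"   # placeholder issuer
CLIENT_ID = "0oaEXAMPLEclientid"                    # hypothetical Client ID
ALLOWED_DOMAINS = {"lucidworks.com"}                # the Email Domains filter (step 3)
NOW = 1_700_000_000                                 # fixed clock so the example is repeatable

# Constructed discovery document, in the shape served at <issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/v1/authorize",
    "token_endpoint": ISSUER + "/oauth2/v1/token",
    "jwks_uri": ISSUER + "/oauth2/v1/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
}
# Constructed user data: Platform users (step 1) and users assigned to the Okta app (step 2).
PLATFORM_USERS = {
    "alice@lucidworks.com": {"active": True},
    "owner@lucidworks.com": {"active": True},
    "bob@lucidworks.com": {"active": False},
    "carol@partner.example": {"active": True},
}
OKTA_ASSIGNED = {"alice@lucidworks.com", "bob@lucidworks.com"}
# Constructed ID-token claims as the IdP would issue them for alice.
GOOD_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": NOW + 300, "sub": "00uEXAMPLE",
               "email": "alice@lucidworks.com", "email_verified": True}


def discovery_url(issuer: str) -> str:
    """Step 3: the Configuration URL is the issuer plus /.well-known/openid-configuration."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> list:
    """Return the problems found in a discovery document (empty list means OK)."""
    problems = []
    # OIDC Discovery requires the document's issuer to match the issuer it was fetched from;
    # otherwise tokens will carry an iss value the relying party does not expect.
    if doc.get("issuer", "").rstrip("/") != issuer.rstrip("/"):
        problems.append("issuer mismatch: %r" % doc.get("issuer"))
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if not url:
            problems.append("missing " + key)
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(key + " is not https")
        if parts.netloc != urlsplit(issuer).netloc:
            problems.append(key + " is not on the issuer host")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID tokens")
    return problems


def check_id_token_claims(claims: dict, issuer: str, client_id: str,
                          platform_users: dict, now: float = None) -> list:
    """Claim checks a relying party makes on an ID token *after* verifying its
    signature with a key from jwks_uri (signature verification is not shown here)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our Client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    email = (claims.get("email") or "").lower()
    if not claims.get("email_verified"):
        problems.append("email not verified by the IdP")
    domain = email.rpartition("@")[2]
    if domain not in ALLOWED_DOMAINS:
        problems.append("domain %r is not in the Email Domains filter" % domain)
    user = platform_users.get(email)
    if user is None:
        problems.append("no Lucidworks Platform user with email %r" % email)
    elif not user["active"]:
        problems.append("Platform user %r is not active" % email)
    return problems


def lockout_risk(platform_users: dict, okta_assigned: set, domains: set) -> list:
    """Users the Email Domains filter will force onto SSO who are not assigned to
    the Okta app: they cannot log in once the filter is saved."""
    return sorted(email for email in platform_users
                  if email.rpartition("@")[2] in domains and email not in okta_assigned)


if __name__ == "__main__":
    print(discovery_url(ISSUER))
    print("discovery:", check_discovery(ISSUER, DISCOVERY) or "OK")
    print("claims:", check_id_token_claims(GOOD_CLAIMS, ISSUER, CLIENT_ID, PLATFORM_USERS, NOW) or "OK")
    print("lockout risk:", lockout_risk(PLATFORM_USERS, OKTA_ASSIGNED, ALLOWED_DOMAINS))
```

    In the constructed data, owner@lucidworks.com is a Platform user in the filtered domain who was never assigned to the Okta app, so the lockout check reports that account; carol@partner.example is outside the filter and keeps the built-in login, so she is not reported. The claim checks deliberately take a parsed claims dictionary rather than a raw JWT: decoding a token's payload without first verifying its signature against the keys at jwks_uri is exactly the mistake that turns an ID token into a forgeable login.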

    SAML authentication

    SAML is an XML-based protocol that exchanges digitally signed assertions about a user over HTTP (in browser SSO, usually by HTTP POST) to authenticate the user and carry attributes about them. In a SAML workflow, Lucidworks Platform is the Service Provider (SP, also called the Relying Party) that requests and receives SAML assertions from the identity provider (IdP), in this case Okta.

    1. Create users in Lucidworks Platform

    Prerequisites
    1. Users must be added to the Lucidworks Platform.

    2. Users must exist in your Okta instance and be assigned to the Okta application you are using to connect with Lucidworks Platform.

    3. The user’s email address in Okta and Lucidworks Platform must match.

    1. Sign in to Lucidworks Platform and click Settings > Users & Provisioning > Users.

    2. Verify all necessary users are listed, active, and their emails match their Okta user counterparts.

    3. If any users are missing, add the appropriate users by completing the steps in invite users.

    2. Create a new application in Okta

    1. Set up a new application in Okta. There are a few settings specific to setting up an integration with Lucidworks:

      • Sign-in method: Select SAML 2.0.

      • Single Sign On URL (ACS URL): Enter a placeholder URL for now. You’ll configure it in a later step.

      • Audience URI (SP Entity ID): Enter a placeholder URL for now. You’ll configure it in a later step.

      • Name ID Format: Select the appropriate Name ID format. This is usually EmailAddress.

      • Application username: Choose how Okta should map the user’s application username. For example, their Okta username or email address.

    2. After creating the SAML app, go to the Sign On tab, copy the Metadata URL, and save it in a secure location.

      The Metadata URL is not a secret in the way the OIDC Client Secret is, but it is the trust anchor for the SAML exchange: the document it serves carries the IdP entity ID, the single sign-on URL, and the signing certificate that Lucidworks Platform will trust for every assertion. Record it accurately, make sure it points at your own Okta tenant, and fetch it only over HTTPS.
    3. Assign at least one user and one admin to the application. These users must already exist in Lucidworks Platform. You must assign yourself as one of the users to be able to complete the authentication configuration.

    3. Create the Identity Provider in Lucidworks Platform

    1. Sign in to Lucidworks Platform and click Settings > Users & Provisioning > Authentication > SAML.

    2. Fill out required fields:

      • Email Domains: Enter the list of email domains whose users must sign in through SSO, for example, lucidworks.com.

        Be careful not to lock yourself out at this step. If you list a domain that you already use to log in to Lucidworks Platform and you don’t complete the remaining steps, you will be prompted to log in via SSO the next time you log out, and that login will fail because Okta does not yet have the ACS URL and Audience URI. Make sure your own account is assigned to the Okta application before you save. If you are unable to log into Lucidworks Platform, contact Support or your Lucidworks representative.
      • Enter the Metadata URL provided by your Okta SAML application.

    3. Click Save.

    4. The Identity Provider process may take several minutes to complete. Once finished, the URLs for IDP Configuration display on the right side of the screen:

      • Audience URI

      • Assertion Consumer Service URL

    5. Copy the URLs and save them in a secure location.

    4. Configure the application in Okta

    1. In Okta, navigate to the application you created for Lucidworks SSO.

    2. In the SAML Settings, click Edit.

    3. In Single Sign On URL (ACS URL) paste the Assertion Consumer Service URL generated by Lucidworks Platform.

    4. In Audience URI (SP Entity ID) paste the Audience URI generated by Lucidworks Platform.

    5. Optional: Configure attribute mappings to send additional user information to Lucidworks Platform.

      Attribute    Name        Name Format    Value
      Email        email       Unspecified    user.email
      First Name   firstName   Unspecified    user.firstName
      Last Name    lastName    Unspecified    user.lastName
      Username     username    Unspecified    user.login

    6. Click Save.

    5. Test SSO functionality

    After configuring both the Identity Provider in Lucidworks Platform and the application in Okta, test the integration by logging into Lucidworks Platform as one of the users assigned to the application. If the configuration is successful, you are redirected to Okta to authenticate instead of seeing the built-in login form.
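    The SAML side has three places where a quiet mistake breaks the login: the IdP metadata behind the Metadata URL (step 2) may lack a signing certificate or an HTTP-POST SSO endpoint, the ACS URL and Audience URI pasted into Okta (step 4) may still be the placeholders or differ by a trailing slash from what Lucidworks Platform generated (step 3), and the attribute mapping may not produce the names Lucidworks Platform expects. The following is an added example written for this page, not Lucidworks or Okta code. The IdP metadata, the attribute statement, the Okta app settings and the Lucidworks-generated URLs are constructed samples; the certificate is a placeholder string, not a real key, and the platform hostname is hypothetical.

```python
"""Checks for the Okta SAML setup described in the steps above.

Added example, not Lucidworks or Okta code. The IdP metadata, attribute
statement, Okta app settings and Lucidworks-generated URLs are constructed
samples; the certificate is a placeholder string, not a real key.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata in the shape served at the app's Metadata URL (step 2).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLEidp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://lucidworkstest.oktapreview.com/app/exkEXAMPLEidp/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed AttributeStatement produced by the mapping table in step 4.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>alice@lucidworks.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="username"><saml:AttributeValue>alice@lucidworks.com</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# Hypothetical values: what Lucidworks Platform displayed in step 3 and what was pasted into Okta in step 4.
PLATFORM_SP = {"acs_url": "https://platform.example.lucidworks.com/saml/acs",
               "audience_uri": "https://platform.example.lucidworks.com/saml/metadata"}
OKTA_APP = {"sso_url": PLATFORM_SP["acs_url"], "audience_uri": PLATFORM_SP["audience_uri"]}


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out the parts of IdP metadata that define the trust relationship.
    Metadata comes from your own IdP over HTTPS; parse XML from untrusted sources with defusedxml."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":   # no 'use' attribute means signing and encryption
            certs += [c.text.strip() for c in kd.iter("{%s}X509Certificate" % NS["ds"])]
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "signing_certs": certs,
            "sso_post_url": sso.get(HTTP_POST),
            "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)]}


def check_metadata(meta: dict) -> list:
    """Problems that would make assertions from this IdP unverifiable or unusable (empty means OK)."""
    problems = []
    if not meta["signing_certs"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if not meta["sso_post_url"]:
        problems.append("no HTTP-POST SingleSignOnService")
    elif urlsplit(meta["sso_post_url"]).scheme != "https":
        problems.append("SSO URL is not https")
    if EMAIL_FORMAT not in meta["nameid_formats"]:
        problems.append("IdP does not offer the emailAddress NameID format")
    return problems


def check_okta_app(okta_app: dict, platform_sp: dict) -> list:
    """Step 4: the Okta app's ACS URL and Audience URI must equal the generated values
    exactly; a leftover placeholder or a trailing slash breaks the exchange."""
    return ["%s is %r, expected %r" % (k, okta_app.get(k), platform_sp[p])
            for k, p in (("sso_url", "acs_url"), ("audience_uri", "audience_uri"))
            if okta_app.get(k) != platform_sp[p]]


def attributes(statement_xml: str) -> dict:
    """Flatten an AttributeStatement into {Name: value}, as the mapping table produces it."""
    root = ET.fromstring(statement_xml)
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)][0]
            for a in root.findall("saml:Attribute", NS)}


if __name__ == "__main__":
    meta = parse_idp_metadata(IDP_METADATA)
    print("IdP entityID:", meta["entity_id"])
    print("metadata:", check_metadata(meta) or "OK")
    print("okta app:", check_okta_app(OKTA_APP, PLATFORM_SP) or "OK")
    print("attributes:", attributes(ATTRIBUTE_STATEMENT))
```

    The signing certificate extracted from the metadata is what Lucidworks Platform must use to verify every assertion; if the IdP rotates its key, the metadata changes and the check above is the first thing to re-run. The exact-match comparison in check_okta_app is intentional: SAML does not normalise the ACS URL or Audience URI, so a placeholder left from step 2 or a stray trailing slash produces an assertion that the Service Provider rejects.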