SAML Authentication Tab - Manage Company
To avoid forcing your employees to manage a new password for Lucernex, it can be configured to use a Single Sign-On (SSO) authentication service that your organization already uses. This allows Lucernex users to sign in with their existing network credentials.
Lucernex does not itself provide a single sign-on service; it uses the SSO service that your organization chooses. Standards such as SAML (Security Assertion Markup Language) have become the de facto standard for most cloud and SaaS service providers, including Lucernex, Salesforce, WebEx, and Google Apps. SAML is an XML-based framework for exchanging security information: it enables organizations with different security domains to securely exchange authentication and authorization information, so your organization can deliver information about user identities and access privileges to a cloud provider in a safe, secure, and standardized way.
Contact your Accruent representative if you want to use SAML authentication for your firm.
Method of Support
Lucernex supports clients that wish to authenticate 100% of their users using their own federation services, as well as clients that only want to require authentication by their federation services for their internal staff or a subset of their users. Direct SAML/LDAP integration between the Lucernex Cloud and the client is supported, as is LDAP integration using OneLogin, a cloud-based identity and access management (IAM) tool. Customers who subscribe to OneLogin can add Lucernex as a provider and gain multi-factor authentication. Additional federation services can be used and will be supported as long as the federation service is SAML standards-compliant.
Lucernex supports a two-step login process. On the initial Login page, the user enters their username and Firm ID. If the user is valid, the Company has been configured to authenticate with SAML, and the Employer of the user is configured to be authenticated via SAML, then Lx Retail will call the client’s configured SAML server to authenticate the user. Upon successful authentication by the client authentication server, the user will be redirected to their Dashboard.
If the Company and the Employer are not configured for SAML support, the system proceeds to the second login step and asks the user for a password. The user name, firm ID, and password combination is then passed to the Lucernex system for authentication. Any failed login attempt returns the user to the Login page.
Federation Services Supported
Lucernex supports these SSO identity providers:
- Accruent Central Auth
- Microsoft Active Directory
- OKTA
- OneLogin
- PingOne
Add custom TRAIN and PROD identifiers for Azure SAML SSO
Previously, our SAML Authentication page only allowed you to use Azure SAML single sign-on for one Lucernex environment at a time. This meant that most customers would only use Azure to authenticate for their production environments. This was frustrating for users, because they would need to remember a separate set of credentials to use for TRAIN or UAT instead of using their existing SSO login.
As of release 22.08, you can add two custom entity IDs to your Azure SAML configuration. This enhancement allows you to use Azure to authenticate for both production and non-production environments.
To prevent existing SSO configurations from breaking, the entity ID fields are pre-populated with a default value that was previously hard-coded. This default value can be changed once you create unique entity IDs in Azure. Until the 22.08 Production release on August 5, you will only be able to change the ID for your non-production environment.
To create an entity ID in Azure:
- Sign in to Azure.
- Access the Enterprise Application you use to manage your SAML SSO.
- Select Single sign-on from the Manage menu.
- Click the Edit button on the Basic SAML Configuration tile.
  The Basic SAML Configuration panel opens.
- Click Add identifier in the Identifier (Entity ID) section.
  A new row appears.
- Enter an identifier for your non-production environment in the field provided.
  The identifiers for your production and non-production environments must be different. IDs can contain up to 20 standard alphanumeric characters, including hyphens and underscores.
- Click the Save button at the top of the panel.
- Notify your Accruent representative that you want to modify the Entity ID for your non-production SAML configuration.
- Provide the ID you created to your Accruent representative.
  Your Accruent representative may need to add your SAML authentication credentials to your non-production environment.
- After the Production release on August 5, repeat these steps if you want to create a unique Entity ID for your production environment.
Sample SAML Messages
Lucernex’s SAML support uses the user name in the Lucernex database to synchronize with users in the client's federation service.
Outbound to client federation services
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_8056c7e4-7683-49e5-b5b4-6776fdad930e" Version="2.0" IssueInstant="2013-07-09T12:06:27"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://localhost:8020/RolloutManager/samlresponse.jsp">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Inbound to Lx Retail
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="GOSAMLR13733900892262" Version="2.0"
  IssueInstant="2013-07-09T17:14:49Z" Destination="{recipient}" InResponseTo="_369baf53-bd54-439b-9716-83c4454b9e8d">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0"
    ID="pfxd2c8bf3b-7fbe-c037-57db-d3bd9358d8e5" IssueInstant="2013-07-09T17:14:49Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfxd2c8bf3b-7fbe-c037-57db-d3bd9358d8e5">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>esF1zT55hAllqeohjT4enJXCjHI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>izDqSx+02S0YfDKStnQPeHTzFNPoktekcy03Rxi/5uYVj0Z4PywV/SsvyUoZcvNjN8p+/3J0UQ5rkgtWZluhJgl+UwhbBuX71ddgQT29hetN3MDlui0L2sFONUOHsnpqo6jaYEFi0C
H3Qs/XXqUnKBTUY2R3TBtyoXnfIeHGKqygtQU9qTwbf27COsmcfb1nmqu0LO8opEfo/r8gbo7Ix4vfVUJ/uIJYEnEP1oRjq8FSOI8pXDzeXq5i7G1/CNnURCQnxuMK2MUMvthRoGwJRP9l6syy2dRg8
iJgs4N1A28gz8HExatsZ+Ald/gyrGlzErIZiXUP/Tl3cHoW83is2w==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICMTCCAiWgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoM
CE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEyMDQxMDE3MTgyN1oXDTE3MDQxMDE3MTgyN1owZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE
a+VTNiwzCU5yBXQ0OkdJdEJOwVmtv/dEp9E+t0O5oeY5PFhC6juNTMc+fJlDAfKILK3VpBAvGXwkFhDJUfrlGC0kOtVJEqywOBkj5d1Pj7uUOm0SEPHk81mIXO8xt56p0KTect2tw2+d3Uy4QZxPBs
N+rUiOsoI2mDtpx5GaobE/0qvieUok39UBb1S2crJqh0YESF3ulUM7WMgejNNExsBYxNujjvu9x1+L7hcn6ag7J0+xizoKVpbAGDe6Z9b/8drzi/YYqUQSQDpPU1h21Xs6U6QN0v7J24PfJCC0edI/dWa
2Xyw2RL1eN+cHV0ny/cZVpIp2mF8SAzBtbnLDAgMBAAEwAwYBAAMBAA==
</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">gvenkatesan</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-09T17:17:49Z" Recipient="{recipient}" InResponseTo="_369baf53-bd54-439b-9716-83c4454b9e8d"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-09T17:11:49Z" NotOnOrAfter="2013-07-09T17:17:49Z">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-09T17:14:48Z" SessionNotOnOrAfter="2013-07-10T17:14:49Z" SessionIndex="_fc0bf430-cae8-0130-5b4d-782bcb56fcaa">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
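The checks a service provider makes on an inbound Response of this shape before trusting its NameID, as an added example that is not Lucernex's or Accruent's own code: it confirms that InResponseTo matches the outbound AuthnRequest ID, that the Status is Success, that the current time lies inside the Conditions window, that SubjectConfirmationData names this recipient and request, and that the Audience equals the entity ID configured for the receiving environment, which is why the TRAIN and PROD entity IDs described above must differ. Assumed names are check_response, sample_response, the lx.example recipient URL and the constructed entity IDs lucernex-prod and lucernex-train; cryptographic verification of the ds:Signature is left to the SAML library and only its presence is checked here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RECIPIENT = "https://lx.example/RolloutManager/samlresponse.jsp"  # assumed ACS URL of this SP

def _ts(value):  # SAML timestamps are UTC xs:dateTime values ending in Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, request_id, audience, now_iso):
    """Return the checks that fail (empty list = acceptable); Signature is checked for presence only."""
    now, problems = _ts(now_iso), []
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return problems + ["no Assertion"]
    if a.find("ds:Signature", NS) is None:  # real code: verify XML-DSig against the pinned IdP cert
        problems.append("Assertion carries no Signature")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("outside Conditions validity window")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or (aud.text or "").strip() != audience:
        problems.append("Audience is not this environment's entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != RECIPIENT
            or scd.get("InResponseTo") != request_id or now >= _ts(scd.get("NotOnOrAfter"))):
        problems.append("SubjectConfirmationData does not confirm this request")
    return problems

def sample_response(audience, in_response_to):
    # Constructed sample modelled on the inbound message above; the Signature content is a placeholder
    return f"""<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="R1" Version="2.0" InResponseTo="{in_response_to}">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="A1" IssueInstant="2013-07-09T17:14:49Z">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">placeholder</ds:Signature>
  <saml:Subject><saml:NameID>gvenkatesan</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2013-07-09T17:17:49Z" Recipient="{RECIPIENT}" InResponseTo="{in_response_to}"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2013-07-09T17:11:49Z" NotOnOrAfter="2013-07-09T17:17:49Z">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

An assertion issued for the lucernex-train entity ID fails the Audience check when presented to the environment expecting lucernex-prod, so a token minted for one environment cannot be reused against the other.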