
Authentication – Manage Company

Your organization can configure Lucernex to use external authentication providers. This eliminates the need for users to manage a separate Lucernex password and allows them to sign in using existing network credentials.

Lucernex supports SAML-based authentication for organizations that use an external identity provider. Users sign in using the identity provider’s login workflow and are redirected back to Lucernex after validation.

Method of Support

Your firm can authenticate all users through SAML or restrict SAML authentication to specific employers. Lucernex supports direct SAML/LDAP integration as well as cloud-hosted identity providers.

Authenticate 100% of your users with your organization's own federation service, or use that federation service only for internal staff or a subset of users. Direct SAML/LDAP integration between the Lucernex Cloud and the client is supported, as is LDAP integration through OneLogin, a cloud-based identity and access management (IAM) tool. Your organization can also use multi-factor authentication if it subscribes to OneLogin.

Lucernex uses a two-step login process:

  • The user enters a username and Firm ID.

  • If the firm and employer are configured for SAML, Lucernex redirects the user to the identity provider.

If the Company and the Employer are not configured for SAML support, the system proceeds to the second login step and asks the user for a password. The user name, firm ID, and password combination are passed to the Lucernex system for authentication. Any failed attempt to log in returns the user to the Sign in page. On the Admin > Manage Company > Password Policy page, administrators can set the maximum allowed number of failed login attempts and the lockout duration.

Supported Providers

Only one authentication provider should be active at a time. If Accruent Auth0 and Accruent Central Auth (IS3 and IS4) are enabled simultaneously, Accruent Auth0 takes precedence.

  • Accruent Auth0 (replacing Accruent Central Auth)

  • Accruent Central Auth (IS3 and IS4)

  • Microsoft Active Directory

  • OKTA

  • OneLogin

  • PingOne

Configure Accruent Auth0

Auth0 is the modern authentication provider supported by Lucernex. It simplifies configuration, supports multiple connection types, and is designed to replace legacy IS3/IS4 authentication.

Requirements

  • Auth0 tenant with access to the Auth0 Dashboard.

  • A configured Auth0 Application for Lucernex.

  • The correct callback URL for your Lucernex environment.

  1. In Auth0, open Applications and select the application used for Lucernex.

  2. Locate these values in Auth0:

    • Domain

    • Client ID

  3. On the Lucernex System Administrator Dashboard, select Manage Company > SAML Authentication.

  4. Enter the Auth0 fields for the firm:

    • Audience: Optional. Not currently enforced.

    • Auth0 Enabled: Select to enable Auth0 for your firm.

    • Client ID: Enter the value from Auth0.

    • Domain: Enter the value from Auth0.

    • Redirect URI: https://<your-domain>/servlet/auth0cb

  5. In each employer that is to use SAML, select Perform SAML Authentication for all Employer Members.

Configure other providers

  1. Open Manage Company.

  2. Select the SAML Authentication tab.

  3. Complete the required SAML fields:

    • UserInfoURI

    • TokenURI

    • Tenant

    • RedirectURI

    • JwksURI

    • IssURI

  4. In each employer that is to use SAML, select Perform SAML Authentication for all Employer Members.

Configure custom TRAIN and PROD identifiers for Azure

Configure separate entity IDs for production and non‑production Lucernex environments when using Azure SAML single sign-on.

Previously, the SAML Authentication page supported only a single Azure SAML configuration per customer. As a result, your organization may have configured Azure SSO for production only and used separate credentials for TRAIN or UAT.

From Lucernex 22.08, your organization can define two custom entity IDs in your Azure SAML configuration. This allows you to use Azure SSO for both production and non‑production environments.

  1. Sign in to Azure.

  2. Access the Enterprise Application you use to manage your SAML SSO.

  3. Select Single sign-on from the Manage menu.

  4. Select Edit in the Basic SAML Configuration tile.

    The Basic SAML Configuration panel opens.

  5. Select Add identifier in the Identifier (Entity ID) section.

    A new row appears.

  6. Enter an identifier for your non-production environment in the field provided.

    The identifiers for your production and non-production environments must be different. IDs can contain up to 20 standard alphanumeric characters, including hyphens and underscores.

  7. Select Save at the top of the panel.

  8. Notify your Accruent representative that you want to modify the Entity ID for your non-production SAML configuration.

  9. Provide the ID you created to your Accruent representative.

    Your Accruent representative may need to add your SAML authentication credentials to your non-production environment.

  10. Repeat these steps to create a unique Entity ID for your production environment.

Sample SAML Messages

Lucernex uses standard SAML 2.0 protocol messages for authentication. Examples include outbound AuthnRequest and inbound Response message structures.

If your firm is configured to do so, you can send a single sign-on invite to a contact.

This does not provide a single sign-on service, but uses the SSO service that your organization chooses. Standards such as SAML (Security Assertion Markup Language) have become the de facto standard for most cloud and SaaS service providers, including Lucernex, Salesforce, WebEx, and Google Apps. SAML is an XML-based framework that allows for the exchange of security information. It enables organizations with different security domains to securely exchange authentication and authorization information. Using SAML, your organization can deliver information about user identities and access privileges to a cloud provider in a safe, secure, and standardized way.

Contact your Accruent representative if you want to use SAML authentication for your firm.

Lucernex’s SAML support uses the user name in the Lucernex database to synchronize with users in the client's federation service.

Outbound to client federation services

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_8056c7e4-7683-49e5-b5b4-6776fdad930e"
    Version="2.0"
    IssueInstant="2013-07-09T12:06:27"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://localhost:8020/RolloutManager/samlresponse.jsp">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Inbound to Lx Retail

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="GOSAMLR13733900892262"
    Version="2.0"
    IssueInstant="2013-07-09T17:14:49Z"
    Destination="{recipient}"
    InResponseTo="_369baf53-bd54-439b-9716-83c4454b9e8d">
  <saml:Issuer>https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      Version="2.0"
      ID="pfxd2c8bf3b-7fbe-c037-57db-d3bd9358d8e5"
      IssueInstant="2013-07-09T17:14:49Z">
    <saml:Issuer>https://app.onelogin.com/saml/metadata/115064</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#pfxd2c8bf3b-7fbe-c037-57db-d3bd9358d8e5">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>esF1zT55hAllqeohjT4enJXCjHI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>izDqSx+02S0YfDKStnQPeHTzFNPoktekcy03Rxi/5uYVj0Z4PywV/SsvyUoZcvNjN8p+/3J0UQ5rkgtWZluhJgl+UwhbBuX71ddgQT29hetN3MDlui0L2sFONUOHsnpqo6jaYEFi0C
H3Qs/XXqUnKBTUY2R3TBtyoXnfIeHGKqygtQU9qTwbf27COsmcfb1nmqu0LO8opEfo/r8gbo7Ix4vfVUJ/uIJYEnEP1oRjq8FSOI8pXDzeXq5i7G1/CNnURCQnxuMK2MUMvthRoGwJRP9l6syy2dRg8
iJgs4N1A28gz8HExatsZ+Ald/gyrGlzErIZiXUP/Tl3cHoW83is2w==</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIICMTCCAiWgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoM
CE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEyMDQxMDE3MTgyN1oXDTE3MDQxMDE3MTgyN1owZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3Ju
aWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDE
a+VTNiwzCU5yBXQ0OkdJdEJOwVmtv/dEp9E+t0O5oeY5PFhC6juNTMc+fJlDAfKILK3VpBAvGXwkFhDJUfrlGC0kOtVJEqywOBkj5d1Pj7uUOm0SEPHk81mIXO8xt56p0KTect2tw2+d3Uy4QZxPBs
N+rUiOsoI2mDtpx5GaobE/0qvieUok39UBb1S2crJqh0YESF3ulUM7WMgejNNExsBYxNujjvu9x1+L7hcn6ag7J0+xizoKVpbAGDe6Z9b/8drzi/YYqUQSQDpPU1h21Xs6U6QN0v7J24PfJCC0edI/dWa
2Xyw2RL1eN+cHV0ny/cZVpIp2mF8SAzBtbnLDAgMBAAEwAwYBAAMBAA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">gvenkatesan</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-09T17:17:49Z"
            Recipient="{recipient}"
            InResponseTo="_369baf53-bd54-439b-9716-83c4454b9e8d"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-09T17:11:49Z" NotOnOrAfter="2013-07-09T17:17:49Z">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-07-09T17:14:48Z"
        SessionNotOnOrAfter="2013-07-10T17:14:49Z"
        SessionIndex="_fc0bf430-cae8-0130-5b4d-782bcb56fcaa">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
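The inbound Response above carries several fields that the receiving application must check before it trusts the NameID: the StatusCode, the InResponseTo correlation with the AuthnRequest it sent, the Recipient and Destination, the Audience, and the NotBefore/NotOnOrAfter window. The following is an added example, not Lucernex or Accruent code, showing those relying-party checks in Python with the standard library. It assumes the XML signature has already been verified by the SAML library (the ds:Signature block is therefore omitted from the constructed sample), and the ACS URL and SP entity ID values are hypothetical placeholders that stand in for the {recipient} and {audience} values in the sample message.

```python
"""Relying-party checks on an inbound SAML 2.0 Response (added example, not Lucernex code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Values the service provider knows independently of the message. The issuer and request ID
# are taken from the sample above; the ACS URL and SP entity ID are hypothetical placeholders.
IDP_ISSUER = "https://app.onelogin.com/saml/metadata/115064"
ACS_URL = "https://lucernex.example.com/servlet/samlresponse"  # hypothetical ACS endpoint
SP_ENTITY_ID = "https://lucernex.example.com/sp"               # hypothetical SP entity ID
REQUEST_ID = "_369baf53-bd54-439b-9716-83c4454b9e8d"           # ID of the AuthnRequest we sent
T_VALID = datetime(2013, 7, 9, 17, 14, 50, tzinfo=timezone.utc)   # inside the validity window
T_EXPIRED = datetime(2013, 7, 9, 17, 30, 0, tzinfo=timezone.utc)  # after NotOnOrAfter

# Constructed sample modelled on the inbound Response above. The ds:Signature block is
# omitted: signature verification is done by the SAML library before these checks run.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:saml="{NS['saml']}" xmlns:samlp="{NS['samlp']}"
    ID="GOSAMLR13733900892262" Version="2.0" IssueInstant="2013-07-09T17:14:49Z"
    Destination="{ACS_URL}" InResponseTo="{REQUEST_ID}">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="pfxd2c8bf3b-7fbe-c037-57db-d3bd9358d8e5" IssueInstant="2013-07-09T17:14:49Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">gvenkatesan</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-07-09T17:17:49Z"
            Recipient="{ACS_URL}" InResponseTo="{REQUEST_ID}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-07-09T17:11:49Z" NotOnOrAfter="2013-07-09T17:17:49Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(value):
    """Parse a SAML xs:dateTime such as 2013-07-09T17:17:49Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, idp_issuer, acs_url, sp_entity_id, request_id, now,
                      skew=timedelta(seconds=60)):
    """Return (problems, name_id). An empty problems list means the assertion may be consumed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not samlp:Response"], None
    if root.get("Version") != "2.0":
        problems.append("unsupported SAML Version")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("InResponseTo") != request_id:
        problems.append("Response InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") not in (None, acs_url):
        problems.append("Destination is not this SP's ACS URL")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or (issuer.text or "").strip() != idp_issuer:
        problems.append("Response Issuer is not the configured IdP")

    # Exactly one assertion is expected; anything else is rejected rather than guessed at.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems, None
    a = assertions[0]
    a_issuer = a.find("saml:Issuer", NS)
    if a_issuer is None or (a_issuer.text or "").strip() != idp_issuer:
        problems.append("Assertion Issuer is not the configured IdP")

    # Bearer confirmation: recipient, request correlation and expiry must all match.
    scd = a.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                 "/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append("SubjectConfirmationData Recipient is not this SP's ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match the AuthnRequest")
        if "NotOnOrAfter" not in scd.attrib or now - skew >= _utc(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")

    # Validity window (with a small clock-skew allowance) and audience restriction.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Assertion has no Conditions")
    else:
        if "NotBefore" in cond.attrib and now + skew < _utc(cond.get("NotBefore")):
            problems.append("Conditions NotBefore is in the future")
        if "NotOnOrAfter" in cond.attrib and now - skew >= _utc(cond.get("NotOnOrAfter")):
            problems.append("Conditions NotOnOrAfter has passed")
        audiences = [(x.text or "").strip()
                     for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append("Audience does not include this SP's entity ID")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    name = (name_id.text or "").strip() if name_id is not None else None
    if not name:
        problems.append("Subject has no NameID")
    return problems, name


if __name__ == "__main__":
    for label, now in (("fresh", T_VALID), ("expired", T_EXPIRED)):
        problems, name = validate_response(SAMPLE_RESPONSE, IDP_ISSUER, ACS_URL,
                                           SP_ENTITY_ID, REQUEST_ID, now)
        print(label, "->", "accept" if not problems else problems, name)
```

The same response is accepted when checked inside its validity window and rejected once NotOnOrAfter has passed, when the InResponseTo no longer matches an outstanding request, or when the Audience is some other entity ID; each of those is a distinct, logged reason rather than a silent failure, which is what an incident responder wants to see in the application log. The skew allowance is deliberately small, since a wide window lets an old assertion be replayed.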