
SAML2

LUY can be set up to authenticate users via SAML2 and an identity provider (IDP).

Please contact LUY support to set up the SAML2 authentication.

Prerequisites

To use LUY with an identity provider (IDP), the following must be available:

  • An identity provider (IDP) which allows authentication via SAML2

  • A link to the metadata of the identity provider (IDP) 

  • The identity provider (IDP) must send the following claims to LUY

    • Last name

    • First name

    • Login

    • E-Mail

    • User groups or IDs for matching the "role" in LUY

Roles

LUY matches its own roles with the user groups sent by the identity provider (IDP).

For example:
When Alice logs into LUY, her user profile indicates she belongs to both the "admin" and "employee" groups which are sent by the IDP. Within LUY, predefined roles such as "admin" and "architect" exist. Upon login, Alice's "admin" group aligns with the "admin" role in LUY, thanks to the identical naming convention. The group "employee" as well as the LUY role "architect" are ignored since there is no match for them. Alice is then assigned only the permissions of the LUY role "admin".
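
The check below is an added example, not LUY code: it reads a constructed SAML2 attribute statement, reports which of the claims listed under Prerequisites are missing, and applies the name matching from the Alice example. The attribute names (lastName, firstName, login, email, groups) and the case-sensitive comparison are assumptions, so substitute the names your IDP actually sends; the script inspects claims only and does not validate the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names; the real ones depend on the IDP configuration.
REQUIRED_CLAIMS = ("lastName", "firstName", "login", "email", "groups")

# Constructed sample: attributes an IDP might send for Alice.
SAMPLE_STATEMENT = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="lastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="login"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups">
    <saml:AttributeValue>admin</saml:AttributeValue>
    <saml:AttributeValue>employee</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

def read_claims(statement_xml):
    """Return {attribute name: [non-empty values]} from an AttributeStatement."""
    claims = {}
    for attr in ET.fromstring(statement_xml.strip()).findall("saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        claims.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return claims

def check_login(statement_xml, luy_roles):
    """Report missing claims and the result of exact-name group/role matching."""
    claims = read_claims(statement_xml)
    groups, roles = set(claims.get("groups", [])), set(luy_roles)
    ignored = groups - roles
    by_lower = {r.lower() for r in roles}
    return {
        "missing_claims": [c for c in REQUIRED_CLAIMS if not claims.get(c)],
        "assigned_roles": sorted(groups & roles),   # identical names only
        "ignored_groups": sorted(ignored),          # no LUY role of that name
        # Differ from a role only by letter case: probably a naming mistake.
        "case_mismatches": sorted(g for g in ignored if g.lower() in by_lower),
    }

if __name__ == "__main__":
    print(check_login(SAMPLE_STATEMENT, ["admin", "architect"]))
```

An empty "assigned_roles" list means the user would log in without matching any LUY role, which is worth catching before rollout.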

iTURM and REST requests

The REST interface requires basic authentication in LUY. For this, an iTURM instance is necessary.
SAML2 cannot be used for basic authentication.

Log into iTURM and create a technical user to use for basic authentication. You need a LUY role for the permissions of this user. Create or use an existing LUY role and create a role with the same name in iTURM. Then add users to this role.

Sign in with SAML2

Upon successful setup of SAML2 for LUY, the login screen will present the option to “Sign in with SSO”. Click this option to access LUY.

Username and password entry are disabled in this setting.
