SSO Configuration

Configure single sign-on (SSO) to allow your team to log in with your corporate identity provider.

Supported Identity Providers

Provider     Protocol
Okta         SAML 2.0
Azure AD     SAML 2.0 / OIDC
Google       OIDC
OneLogin     SAML 2.0

Any SAML 2.0 or OpenID Connect (OIDC) compliant identity provider is supported.

Prerequisites

  • Enterprise or Business plan subscription
  • Admin access to your identity provider
  • Admin access to your Lucaro workspace

SAML 2.0 Configuration

1. Get Lucaro Service Provider Details

Navigate to Workspace Settings > Authentication > SSO to find:

Entity ID        https://auth.lucaro.dev/saml/{workspace_id}
ACS URL          https://auth.lucaro.dev/saml/{workspace_id}/callback
Name ID Format   emailAddress

2. Configure Your Identity Provider

Create a new SAML application in your IdP and configure it with the Lucaro SP details. Map the following attributes:

SAML Attribute   Lucaro Field                          Required
email            User email                            Yes
firstName        First name                            No
lastName         Last name                             No
groups           Group membership (for role mapping)   No

3. Upload IdP Metadata

Upload your IdP's metadata XML, or point Lucaro at the IdP's metadata URL:

{
  "sso_type": "saml",
  "idp_metadata_url": "https://your-idp.com/app/xxx/sso/saml/metadata"
}

Alternatively, enter the SSO URL and the IdP signing certificate manually:

{
  "sso_type": "saml",
  "idp_sso_url": "https://your-idp.com/app/xxx/sso/saml",
  "idp_certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}

Role Mapping

Map IdP groups to Lucaro roles for automatic role assignment:

{
  "role_mapping": {
    "Analytics Admins": "admin",
    "Data Team": "editor",
    "Business Users": "viewer"
  },
  "default_role": "viewer"
}

Just-in-Time Provisioning

Enable JIT provisioning to automatically create Lucaro accounts for new SSO users:

  • Users are created on first SSO login
  • Roles are assigned based on group mapping
  • User attributes are updated on each login
  • Optionally restrict to specific email domains
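The following added example (not Lucaro's own code) shows how the Role Mapping and JIT Provisioning rules above combine when a SAML assertion arrives: the required email attribute is checked, the optional email-domain restriction is enforced, and the groups attribute is resolved against role_mapping with default_role as the fallback. The tie-break rule when a user belongs to several mapped groups (most privileged role wins) and the allowed_domains key are assumptions, not documented Lucaro behaviour.

```python
# Added example, not Lucaro's code: resolve the account a JIT login would
# create from the SAML attributes and the role_mapping / default_role config.
from typing import Optional

# Constructed config mirroring the documented role_mapping example.
# allowed_domains is an assumed key for the "restrict to specific email
# domains" option; the real setting name is not given on the page.
SSO_CONFIG = {
    "role_mapping": {
        "Analytics Admins": "admin",
        "Data Team": "editor",
        "Business Users": "viewer",
    },
    "default_role": "viewer",
    "allowed_domains": ["example.com"],
}

# Assumed privilege order, used only to break ties between several groups.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


def resolve_role(groups: list, config: dict) -> str:
    """Return the highest-ranked mapped role; unmapped groups are ignored."""
    mapping = config["role_mapping"]
    mapped = [mapping[g] for g in groups if g in mapping]
    if not mapped:
        return config["default_role"]  # no mapped group -> default_role
    return max(mapped, key=lambda r: ROLE_RANK.get(r, -1))


def provision_user(attrs: dict, config: dict) -> Optional[dict]:
    """Build the JIT-provisioned account, or None if the login is refused."""
    email = attrs.get("email", "").strip().lower()
    if "@" not in email:
        return None  # email is the only required SAML attribute
    domain = email.rsplit("@", 1)[1]
    allowed = config.get("allowed_domains")
    if allowed and domain not in allowed:
        return None  # outside the restricted email domains
    return {
        "email": email,
        "first_name": attrs.get("firstName", ""),
        "last_name": attrs.get("lastName", ""),
        "role": resolve_role(attrs.get("groups", []), config),
    }
```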

Testing SSO

  1. Save your SSO configuration
  2. Click Test Connection to verify the setup
  3. Log in with a test user account
  4. Verify the user is created with the correct role
  5. Enable Enforce SSO to require SSO for all users