SAML and SCIM: An Overview

Lucidchart offers SAML and SCIM integrations to Enterprise accounts so that admins can easily manage the users on their Lucidchart teams using their IDPs. To upgrade to an Enterprise account, please visit our pricing page or contact our sales team.

Lucidchart’s SAML integration allows you to connect Lucidchart to your IDP so that users on your account can quickly and securely authenticate through your IDP using SAML SSO. You can also configure your team's settings so that users are automatically created in Lucidchart when they sign in for the first time after they are assigned the Lucidchart app in your IDP.
Lucidchart’s SCIM integration allows you to sync user information between Lucidchart and your IDP, allowing you to make changes to users in your Lucidchart account directly in your IDP.

Here are some of the things that the SCIM integration allows you to do:
  • Create users in your Lucidchart account without them having to log in
  • Update user attributes
  • Provision and de-provision users
  • Deactivate users, meaning they will no longer have a license, be able to log in, or have access to any documents
  • Define licenses for users

The purpose of this article is to walk you through setting up a SAML connection within Lucidchart. We will cover the general information and link to resources that cover specific IDPs before covering advanced setups.

Downloading Lucidchart Service Provider Metadata:

SAML App integration

  1. In Lucidchart, click Team > App Integration > SAML.
  2. Enter what you intend to use as your IDP entity ID in the domain text box. The SAML integration will use your domain to generate a Lucidchart sign-in URL that you will supply to your IDP; a user may go directly to this URL to initiate SAML single sign-on. Make sure to enter just the domain, not the full URL. For example, if you were to enter 'acme.com' as your domain, the URL will be https://app.lucidchart.com/saml/sso/acme.com.
  3. Download the metadata in the bottom right-hand corner. (If your application uses OID naming conventions, please click the OID checkbox before generating the metadata.)

Setting Up a Lucidchart SAML 2.0 connection in your IDP:

The basic information needed to set up a SAML connection in your IDP:

SP identifier/entityID/audience restriction: lucidchart.com
Sign on URL: https://app.lucidchart.com/saml/sso/<yourdomain>
ACS/Reply URL primary (Index = 0): https://www.lucidchart.com/saml/sso/<yourdomain>
ACS/Reply URL secondary (Index = 1, only needed for accounts that use federated SAML metadata): https://app.lucidchart.com/saml/sso/<yourdomain>
SSO Service Binding: We default to POST, but can work with REDIRECT (please contact us if you are using REDIRECT)
Digest Algorithm: SHA-256
nameID: We prefer working with email, but can work with other values

Attribute Statement:

Value        Accepted naming convention   OID naming convention
email        user.email                   urn:oid:0.9.2342.19200300.100.1.3
first name   user.firstname               urn:oid:2.5.4.42
last name    user.lastname                urn:oid:2.5.4.4

Adding IDP metadata to Lucidchart and testing your SAML connection:

  1. Upload your metadata to Lucidchart at the SAML configuration in the Lucidchart admin panel (we only accept XML files, so you may need to convert your text to an XML file).
  2. Once the metadata is uploaded, you can use the Test SAML Connection button below the populated metadata to run a simulated SP sign-on.

[Screenshot: Test SAML Connection button]

SAML Standards and pre-built IDP apps

We support the SAML 2.0 standard and offer Product Support for that standard. Additionally, we have several pre-built IDP apps that we have partnered with those IDPs to offer. We directly support the functionality of these apps.

Prebuilt IDP Apps we directly support:

  • Azure
  • Okta
  • OneLogin

Setting up SCIM:

Before you can configure SCIM with your Lucidchart account, please ensure the following:
  • You are on an Enterprise subscription with an up-to-date pricing plan
  • Your account has auto-upgrades enabled. See the Licensing Setting article for instructions on how to adjust this setting

Follow these steps to configure SCIM for your Lucidchart account:
  1. Add the Lucidchart SCIM app to your IDP
  2. In Lucidchart, navigate to Team > App Integration > SCIM
  3. Click “generate token.” Doing so will generate a unique token to be shared between Lucidchart and your IDP. This bearer token will be used to authenticate requests. Copy this bearer token to your clipboard.
  4. Configure your IDP to use SCIM with the bearer token and base URL provided by Lucidchart.

The attributes we expect to receive are:

  • first name
  • last name
  • email

There are two naming conventions that we support for receipt of these attributes:

  • User.FirstName
  • User.LastName
  • User.Email

or the OID format:

  • urn:oid:2.5.4.42 (first)
  • urn:oid:2.5.4.4 (last)
  • urn:oid:0.9.2342.19200300.100.1.3 (email)

We also strongly prefer that the email be sent in the NameId field, but can work with other values if required.
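As an added example (not Lucidchart's own code), the following service-provider-side check maps the attributes above from a SAML 2.0 assertion, accepting either naming convention for each one, and verifies the audience restriction and ACS/Reply URL listed in this article for the 'acme.com' domain used earlier; the assertion is constructed for illustration. It also records whether the IDP placed the email in NameID, as Lucidchart prefers, and deliberately leaves XML signature verification, which must happen before any of this, out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "lucidchart.com"  # SP identifier / audience restriction from this article
# Each value Lucidchart expects, with both attribute names the article accepts for it.
ATTRIBUTE_NAMES = {
    "email": ("user.email", "urn:oid:0.9.2342.19200300.100.1.3"),
    "first name": ("user.firstname", "urn:oid:2.5.4.42"),
    "last name": ("user.lastname", "urn:oid:2.5.4.4"),
}

def acs_urls(domain):
    """Primary and secondary ACS/Reply URLs for a team domain, as listed above."""
    return {f"https://www.lucidchart.com/saml/sso/{domain}",
            f"https://app.lucidchart.com/saml/sso/{domain}"}

def check_assertion(xml_text, domain):
    """Check audience and Recipient, then map attributes; ValueError on mismatch.
    XML signature verification is out of scope here and must happen before this step."""
    a = ET.fromstring(xml_text)
    audiences = [e.text for e in a.findall(".//saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError(f"audience {audiences} does not contain {SP_ENTITY_ID}")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient not in acs_urls(domain):
        raise ValueError(f"Recipient {recipient!r} is not an ACS URL for {domain}")
    attrs = {}
    for attr in a.findall(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        for key, names in ATTRIBUTE_NAMES.items():
            if attr.get("Name") in names and value is not None:
                attrs[key] = value.text
    if missing := [k for k in ATTRIBUTE_NAMES if k not in attrs]:
        raise ValueError(f"missing attributes: {missing}")
    name_id = a.find(".//saml:NameID", NS)
    attrs["name_id"] = name_id.text if name_id is not None else None
    attrs["name_id_is_email"] = attrs["name_id"] == attrs["email"]  # Lucidchart's preference
    return attrs

# Constructed sample for the 'acme.com' domain above, mixing both naming conventions.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>jane@acme.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="https://www.lucidchart.com/saml/sso/acme.com"/>
</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>lucidchart.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>jane@acme.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="user.firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Running check_assertion(SAMPLE_ASSERTION, "acme.com") returns the three mapped attributes plus the NameID; passing a different team domain or an assertion whose Audience is not lucidchart.com raises ValueError.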

Related Articles
Active Directory Federation Services (ADFS) SAML Integration
Okta SAML and SCIM Integration
Azure SAML and SCIM Integration
OneLogin SAML and SCIM Integration