OneLogin SAML and SCIM Integration

Integrating Lucidchart with OneLogin enables your users to securely authenticate using SAML single sign-on through OneLogin. The SCIM integration allows admins to create users and provision and de-provision users within OneLogin itself, without having to sign in to Lucidchart. You will need admin privileges in both Lucidchart and OneLogin to complete this process.

SAML and SCIM are only available to Enterprise accounts. To upgrade, please contact our sales team.

  1. Add the Lucidchart application to your OneLogin instance.
  2. In OneLogin, go to the Configuration tab and enter your domain under “Application details,” then click “Save.”

    Note: The domain you enter here must match the domain you enter in Lucidchart in step 7.
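  3. Go to the SSO tab and set the SAML signature algorithm to SHA-256. (SHA-256 is the hash used when signing SAML assertions; it is not an encryption setting.)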

  4. Click More Actions > SAML Metadata to download the OneLogin metadata. The download is an .xml file containing the metadata that Lucidchart needs in order to communicate with OneLogin. You will upload this file to Lucidchart in step 8.

  5. In Lucidchart, navigate to the Identity Management section of your Admin panel by clicking Team > Identity Management. Check the box next to “Allow SAML authentication,” then click “Save Changes.”

  6. On the same page, click “Configure” to navigate to your SAML activation page in Lucidchart.

  7. Under “Lucidchart Sign in URL,” enter your domain name. Note: This must match what you entered in OneLogin in step 2. Click “Save Changes.”

  8. Scroll down in the SAML Activation page of Lucidchart and click “Add Identity Provider.” Upload the .xml file that you downloaded from OneLogin in step 4. The metadata will populate the following fields:

    metadata_populated_fields.png
  9. Click “Test SAML connection” to verify that Lucidchart is properly communicating with OneLogin. Note: The connection will only work if the Lucidchart app has been assigned to your test user in OneLogin. You can assign the app to users in the Assignments section of the app page.

Once you have configured SAML with OneLogin for your Lucidchart account, you can set up Just-In-Time provisioning so that users who are assigned Lucidchart access in OneLogin but do not yet have a Lucidchart account will have an account created for them upon their first login.

You can set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
  • If you would like all users to join your Lucidchart team with full-edit licenses, set “When a new user joins a team” to “Automatically grant license.”
  • If you want all users to join as view-only users, set “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, licenses can be granted automatically upon request, or the requests can appear as pending requests in your user list.

    Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.

If you would like to create Lucidchart users before their first login and determine their license type (full-edit vs. view-only) through OneLogin, you can set up the Lucidchart SCIM integration.

Before configuring SCIM, please do the following:
  • Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please contact our sales team.
  • Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.
  • Make sure that auto-upgrade is enabled in your Licensing settings. You will be unable to generate a bearer token to configure SCIM if this setting is not enabled. You will want to turn off auto-upgrade after generating a bearer token to prevent unwanted licensing during the configuration process.
Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!

Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in OneLogin by following these steps:
  1. In OneLogin, go to your Provisioning tab and click “Enable” under “API Connection.”

  2. Open Lucidchart in a new window and go to Team > App Integration > SCIM.

  3. Copy the Lucidchart Base URL and paste it into the "SCIM Base URL" text box in OneLogin.

  4. In Lucidchart, click "Generate token." Lucidchart will populate the “Bearer Token” text field with a unique code for you to share with OneLogin.

  5. Copy the bearer token from Lucidchart and paste it into the "SCIM Bearer Token" text box in OneLogin.

Using rules in OneLogin, you can specify what Lucidchart license type (full-edit or view-only) will be assigned to users based on OneLogin user attributes. You will use conditions to specify subsets of users and actions to specify the license assignment.

To provision a subset of your OneLogin users with full-edit licenses, follow these steps:
  1. Go to the Rules tab in OneLogin and click "Add Rule."

  2. Add a condition that specifies the subset of users you would like to provision with full-edit licenses (e.g., Department = Customer Operations).

  3. Under "Actions," select "Set User can edit charts in Lucidchart" from the first dropdown and "Yes - Licensed User" from the second dropdown.
  4. Click "Save."
  5. Go to the Provisioning tab and check the box next to “enable provisioning.”
  6. Go to the More Actions menu and click “reapply provisioning mapping” to apply the new rule.
Please note:
  • You must reapply mappings any time you create or update users.
  • OneLogin applies rules using standard order of operations guidelines. The order in which rules are applied can impact your results. You can change the order of rules by clicking and dragging them.
  • If you are not using canEdit to assign licenses, make sure that “Include in User Provisioning” is not enabled under Parameters > User can edit charts.
What are the benefits of integrating with SAML?
Lucidchart’s SAML integration allows users on your Lucidchart team to authenticate quickly and securely. Additionally, if you enable user provisioning, a SAML connection will create users in Lucidchart automatically upon their first login if they are assigned the Lucidchart app in your IdP.

What can I do with the OneLogin SCIM integration?
With the SCIM integration, you can sync user information between Lucidchart and OneLogin and make changes to users in your Lucidchart account directly in OneLogin. Some things you can do with this integration include creating, licensing, and deactivating users on your Lucidchart Enterprise account, and updating their attributes.

What license types are available to users on my Lucidchart team?
Lucidchart offers two license types for users on Enterprise accounts: View-Only and Full-Edit. For more information on these license types, please see the Enterprise Licensing Help Center article.

Does Lucidchart support group management through OneLogin?
Yes! Please see OneLogin’s group management page for more information.


