Okta SAML and SCIM Integration

Integrating Lucidchart with Okta enables your users to authenticate using SAML single sign-on through Okta. Furthermore, our SCIM integration allows admins to create users and provision and deprovision users within Okta itself, without having to sign in to Lucidchart. The following tutorial walks through the process of integrating Okta with Lucidchart. You will need admin privileges in both Okta and Lucidchart to complete this integration.

These features are only available to Enterprise accounts. To upgrade your account, check out our pricing page or contact our sales team.

To configure SAML or SCIM with Okta for your Lucidchart account, you must first add the Lucidchart application to your Okta instance. To do so, go to the Admin section of your Okta account and click "Add Application." Search for the Lucidchart app, then click "Add." The app will appear under your active applications list and you can begin assigning it to end users.


You can configure sign-on and provisioning for Lucidchart in the Applications page. See the sections below for more information.

After you have added the Lucidchart app to Okta, you can configure the SAML integration so that end users on your Okta instance can authenticate using SAML sign-on through Okta. To configure SAML with Okta, follow these steps:
  1. In the General Settings section of the Lucidchart app in Okta, enter your domain name. Be sure to enter just your domain (rather than a full URL). For example, if your Sign in URL is https://www.lucidchart.com/saml/sso/helpcenterdemo.com, enter helpcenterdemo.com. This must exactly match the Domain that you enter in Lucidchart in Step 6. Click "Next."


  2. On the Sign On Options page, change the selection from "Secure Web Authentication" to "SAML 2.0," and set the Application User Name. Note that Lucidchart only accepts valid email addresses as usernames. Click "Done."

  3. Return to the Sign On section of Okta and click "Identity Provider metadata" to access the Okta metadata. An XML file will open in a new window with metadata containing instructions that Lucidchart will need to communicate with Okta. Download this XML file to your device. You will upload it to Lucidchart.

  4. In Lucidchart, navigate to the Identity Management section of your admin panel by clicking Team > Identity Management. Check the box next to "Allow SAML authentication," then click "Save Changes."

  5. On the same page, click "Configure" to navigate to your SAML Activation page in Lucidchart.

  6. Under "Lucidchart Sign in URL," enter your Domain name. This must match what you entered in the General Settings section in Okta. Click "Save Changes."


  7. Scroll down in the SAML Activation page of Lucidchart and click "Add Identity Provider." Upload the XML file that you downloaded from Okta.


    The metadata populates the identity provider fields on the SAML Activation page.
  8. Click "Test SAML connection" to verify that Lucidchart is properly communicating with Okta. Note that the connection will only work if the Lucidchart app has been assigned to your test user in Okta. You can assign the app to users in the Assignments section of the app page.

Once you have configured SAML with Okta for your Lucidchart account, you can set up Just-In-Time provisioning so that users who are assigned Lucidchart access in Okta but do not yet have a Lucidchart account will have one created for them on their first login.

You can set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
  • If you would like all users to come onto your Lucidchart team with full-edit licenses, set the setting for “When a new user joins a team” to "Automatically grant license."
  • If you want all users to come in as view-only users, set the setting for "When a new user joins a team" to "Do not automatically grant." Your users will then be able to request full-edit licenses. Depending on the "When a user requests a license" setting, you can have licenses be automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.

    Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.

If you would like to create Lucidchart users before their first log-in and determine their license type (full-edit vs. view-only) through Okta, you can set up the Lucidchart SCIM integration.

Before configuring SCIM, please do the following:
  • Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please see our pricing page.
  • Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.
  • Make sure that auto-upgrade is enabled in your Licensing settings. You will be unable to generate a bearer token to configure SCIM if this setting is not enabled. You will want to turn off auto-upgrade after generating a bearer token to prevent unwanted licensing during the configuration process.
Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don't hesitate to reach out!

Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in Okta by following these steps:
  1. In Okta, go to your Provisioning tab and click Configure API Integration > Enable API Integration. A text field will appear that you will populate with a code generated by Lucidchart (see next step).

  2. Open Lucidchart in a new window and go to Team > App Integration > SCIM. Click "Generate token." Lucidchart will populate the "Bearer Token" text field with a unique code for you to share with Okta.


    After this step, please disable the auto-grow setting in your Lucidchart licensing settings page to prevent unwanted licensing from taking place during the remainder of the configuration process. Once you have confirmed that your SCIM connection points are properly set up, you will need to re-enable auto-grow for user provisioning and licensing to take place.
  3. Back in Okta, paste the bearer token generated by Lucidchart into the API token field. Click "Save."

Once the Lucidchart-Okta connection is established, you can select the integration points you would like to enable for SCIM and start using the SCIM connection to create users and assign licenses to them. See the sections below for further information.

After configuring SCIM for your Lucidchart app in Okta, you can enable the following connection points:
  • Create Users
    When this connection point is enabled, users will be created in Lucidchart when the app is assigned to them in Okta.
  • Update User Attributes
    When this connection point is enabled, a user's attributes will be updated in Lucidchart when the app is assigned to them and any future attribute changes will automatically be synced to Lucidchart.
  • Deactivate Users
    This connection point allows you to deactivate a user's Lucidchart account when the Lucidchart app is unassigned from them in Okta. Accounts will be reactivated when the app is reassigned.
  • Group Management
    Lucidchart supports group management through Okta's SCIM connector, so you can create, update, and deactivate groups directly in the IdP.

After configuring SCIM, you can use group attributes in Okta to assign licenses and roles to users on your Lucidchart team.
  • To define a user’s license type, you will use the boolean canEdit attribute. Lucidchart will expect this attribute to be true, false, or undefined in the user attributes.
  • To define a user's role, you will use the strings "Team Admin" and "Billing Admin". To specify users as Team & Billing Admins, you will need to assign multiple roles to the users or groups rather than a single role with a concatenated string.
  • Please note: If you use groups to assign the canEdit attribute to a user, you cannot assign a role to that same user individually.
Note: The following steps outline a potential set-up method for determining users' license types in Okta. These steps can serve as a framework for using group attributes in Okta to assign other attributes to Lucidchart users.

To create fully-licensed Lucidchart users in Okta via SCIM, follow these steps:
  1. Create a group in Okta for full-edit users and assign the Lucidchart app to it.
  2. Set the group’s canEdit attribute to True.
  3. Add any users to the group who you would like to receive full-edit Lucidchart licenses.
  4. Refresh the User page of your Lucidchart admin panel in Lucidchart. The users added to the Okta group will appear in your user list. If you click on one of the users' rows, you can confirm that they are a licensed Lucidchart user.

To create view-only Lucidchart users in Okta via SCIM, follow these steps:
  1. Create a group in Okta for view-only users and assign the Lucidchart app to it.
  2. Set the group’s canEdit attribute to False.
  3. Add any users to the group who you would like to receive view-only Lucidchart licenses.
  4. Refresh the User page of your Lucidchart admin panel in Lucidchart. The users added to the Okta group will appear in your user list. If you click on one of the users' rows, you can confirm that they are not licensed users.
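The rules above for canEdit and roles (the attribute must be true, false, or unset; Team & Billing Admins need two separate role values rather than one concatenated string; a user whose canEdit comes from a group cannot also get an individual role) are easy to get wrong across several groups, and a mistake only shows up after the push. The script below is an added example, not part of this article and not Lucidchart or Okta code. It models Okta groups and users as plain dicts and dataclasses constructed for the example, works out the canEdit value and role list each user would end up with, and reports rule violations before anything is pushed. The article does not say which SCIM schema path Lucidchart reads canEdit from, so the script only resolves the values; the roles list is emitted in the RFC 7643 multi-valued shape (a list of {"value": ...} objects), which is an assumption about how they are carried.

```python
"""Resolve the canEdit flag and admin roles a user would receive through SCIM
and check them against the license/role rules described in the article.

Added example, not Lucidchart or Okta code. Groups, users and the sample
memberships below are constructed; the attribute layout is an assumption.
"""
from dataclasses import dataclass, field
from typing import Optional

VALID_ROLES = {"Team Admin", "Billing Admin"}


@dataclass
class OktaGroup:
    name: str
    can_edit: Optional[bool]                 # True, False, or None (attribute unset)
    members: set = field(default_factory=set)
    roles: list = field(default_factory=list)


@dataclass
class OktaUser:
    email: str
    roles: list = field(default_factory=list)  # roles assigned to the user directly


def resolve_lucidchart_attributes(user: OktaUser, groups: list):
    """Return (attributes, problems): attributes carries 'canEdit' and 'roles'."""
    problems = []
    can_edit_values = set()
    roles = []
    can_edit_from_group = False
    for group in groups:
        if user.email not in group.members:
            continue
        if group.can_edit is not None:
            can_edit_values.add(group.can_edit)
            can_edit_from_group = True
        roles.extend(group.roles)
    if len(can_edit_values) > 1:
        problems.append("user is in both a full-edit and a view-only group")
    if can_edit_from_group and user.roles:
        problems.append("canEdit comes from a group, so roles cannot be assigned individually")
    roles.extend(user.roles)
    for role in roles:
        if role not in VALID_ROLES:
            problems.append("unknown role %r: use separate 'Team Admin' / 'Billing Admin' entries" % role)
    can_edit = next(iter(can_edit_values)) if len(can_edit_values) == 1 else None
    attrs = {
        "canEdit": can_edit,
        "roles": [{"value": r} for r in dict.fromkeys(roles)],  # de-duplicate, keep order
    }
    return attrs, problems


# Constructed sample data mirroring the full-edit / view-only group procedures above.
SAMPLE_GROUPS = [
    OktaGroup("lucidchart-full-edit", True, {"alice@example.com", "bob@example.com", "eve@example.com"}),
    OktaGroup("lucidchart-view-only", False, {"carol@example.com", "dave@example.com"}),
    OktaGroup("lucidchart-admins", None, {"bob@example.com"}, ["Team Admin", "Billing Admin"]),
    OktaGroup("lucidchart-bad-admins", None, {"eve@example.com"}, ["Team Admin Billing Admin"]),
]
SAMPLE_USERS = {
    "alice@example.com": OktaUser("alice@example.com"),
    "bob@example.com": OktaUser("bob@example.com"),
    "carol@example.com": OktaUser("carol@example.com"),
    # dave gets canEdit from a group, so an individual role assignment is not allowed
    "dave@example.com": OktaUser("dave@example.com", roles=["Team Admin"]),
    "eve@example.com": OktaUser("eve@example.com"),
}


def resolve_all(users=SAMPLE_USERS, groups=SAMPLE_GROUPS) -> dict:
    """Map each email to (attributes, problems) for every sample user."""
    return {email: resolve_lucidchart_attributes(user, groups) for email, user in users.items()}


if __name__ == "__main__":
    for email, (attrs, problems) in resolve_all().items():
        print(email, attrs, "PROBLEMS: %s" % problems if problems else "ok")
```

Run as-is it prints alice and carol with the expected license flags, bob with both admin roles as separate entries, and flags dave (individual role on top of a group-derived canEdit) and eve (one concatenated role string) as the two misconfigurations the article warns about.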

Lucidchart now supports Group Push with Okta, which allows admins to push groups from Okta to Lucidchart as well as manage groups that were created in Lucidchart through Okta. For more information on Group Push, see Okta's documentation on Using Group Push and Enhanced Group Push.

If you would like to enable Group Push and your Lucidchart app is already set up with SCIM, you will have to re-authenticate to Lucidchart's SCIM API. To do this, follow these steps:
  1. Log in to your Okta org as an admin
  2. Open the Admin UI
  3. Open your Lucidchart app instance
  4. Go to the Provisioning tab
  5. In the Settings section, click "Integration"
  6. Click "Edit" and then "Test API Credentials," then click "Save." The new SCIM features should now be enabled for your Lucidchart app.