Integrating Lucidchart with Okta enables your users to authenticate using SAML single sign-on through Okta. Furthermore, our SCIM integration allows admins to create users and provision and deprovision users within Okta itself, without having to sign in to Lucidchart. The following tutorial walks through the process of integrating Okta with Lucidchart. You will need admin privileges in both Okta and Lucidchart to complete this integration.
You can configure sign-on and provisioning for Lucidchart in the Applications Page. See the sections below for more information.
- In the General Settings section of the Lucidchart app in Okta, enter your domain name. Be sure to enter just your domain (rather than a full URL). For example, if your Sign in URL is https://www.lucidchart.com/saml/sso/helpcenterdemo.com, you can enter helpcenterdemo.com. This must exactly match the Domain that you enter in Lucidchart in Step 6. Click "Next."
- On the Sign On Options page, change the selection from "Secure Web Authentication" to "SAML 2.0," and set the Application User Name. Note that Lucidchart only accepts valid email addresses as usernames. Click "Done."
- Return to the Sign On section of Okta and click "Identity Provider metadata" to access the Okta metadata. An XML file will open in a new window with metadata containing instructions that Lucidchart will need to communicate with Okta. Download this XML file to your device. You will upload it to Lucidchart.
- In Lucidchart, navigate to the Identity Management section of your admin panel by clicking Team > Identity Management. Check the box next to "Allow SAML authentication," then click "Save Changes."
- On the same page, click "Configure" to navigate to your SAML Activation page in Lucidchart.
- Under "Lucidchart Sign in URL," enter your Domain name. This must match what you entered in the General Settings section in Okta. Click "Save Changes."
- Scroll down in the SAML Activation page of Lucidchart and click "Add Identity Provider." Upload the XML file that you downloaded from Okta.
The metadata will populate the following fields:
- Click "Test SAML connection" to verify that Lucidchart is properly communicating with Okta. Note that the connection will only work if the Lucidchart app has been assigned to your test user in Okta. You can assign the app to users in the Assignments section of the app page.
You can set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
- If you would like all users to come onto your Lucidchart team with full-edit licenses, set the setting for “When a new user joins a team” to "Automatically grant license."
- If you want all users to come in as view-only users, set the setting for "When a new user joins a team" to "Do not automatically grant." Your users will then be able to request full-edit licenses. Depending on the "When a user requests a license" setting, you can have licenses be automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.
Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.
- When a new user joins a team = Do not automatically grant license
- When a user requests a license = Do not automatically grant license
Before configuring SCIM, please do the following:
- Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please see our pricing page.
- Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.
- Make sure that auto-upgrade is enabled in your Licensing settings. You will be unable to generate a bearer token to configure SCIM if this setting is not enabled. You may want to turn off auto-upgrade after generating a bearer token to prevent unwanted licensing during the configuration process.
Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in Okta by following these steps:
- In Okta, go to your Provisioning tab and click Configure API Integration > Enable API Integration. A text field will appear that you will populate with a code generated by Lucidchart (see next step).
- Open Lucidchart in a new window and go to Team > App Integration > SCIM. Click "Generate token." Lucidchart will populate the "Bearer Token" text field with a unique code for you to share with Okta.
After this step, you may want to disable the auto-grow setting in your Lucidchart licensing settings page to prevent unwanted licensing from taking place during the remainder of the configuration process. Once you have confirmed that your SCIM connection points are properly set up, you can re-enable auto-grow so that user provisioning and licensing take place.
- Back in Okta, paste the bearer token generated by Lucidchart into the API token field. Click "Save."
- Create Users
When this connection point is enabled, users will be created in Lucidchart when the app is assigned to them in Okta.
- Update User Attributes
When this connection point is enabled, a user's attributes will be updated in Lucidchart when the app is assigned to them and any future attribute changes will automatically be synced to Lucidchart.
- Deactivate Users
This connection point allows you to deactivate a user's Lucidchart account when the Lucidchart app is unassigned from them in Okta. Accounts will be reactivated when the app is reassigned.
- Group Management
Lucidchart supports group management through Okta's SCIM connector, so you can create, update, and deactivate groups directly in the IDP.
- To define a user’s license type, you will use the boolean canEdit attribute. Lucidchart will expect this attribute to be true, false, or undefined in the user attributes.
- To define a user's role, you will use the strings "Team Admin" and "Billing Admin." To specify users as Team & Billing Admins, you will need to assign multiple roles to the users or groups rather than a single role with a concatenated string.
- Please note: If you use groups to assign the canEdit attribute to a user, you cannot assign a role to that same user individually.
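A pre-flight check of a SCIM user payload against the three rules above: email-only usernames, a canEdit value that is a real boolean or absent, and one role entry per role rather than a concatenated string. This is an added example, not Lucidchart's or Okta's code; it assumes canEdit is a top-level attribute of the payload and that roles use the SCIM core multi-valued "roles" shape ({"value": ...}), since the page does not state where Lucidchart places them in its schema.

```python
# Added example (not Lucidchart's or Okta's code). Assumptions: canEdit is a
# top-level boolean attribute and roles follow the SCIM core "roles" shape.
ALLOWED_ROLES = {"Team Admin", "Billing Admin"}


def validate_lucidchart_scim_user(user: dict) -> list:
    """Return a list of problems; an empty list means the payload obeys the rules."""
    problems = []

    # Lucidchart accepts only valid email addresses as usernames.
    user_name = user.get("userName", "")
    if not isinstance(user_name, str) or "@" not in user_name:
        problems.append(f"userName {user_name!r} is not an email address")

    # canEdit must be true, false or undefined (absent); the string "true" is wrong.
    if "canEdit" in user and not isinstance(user["canEdit"], bool):
        problems.append(f"canEdit must be a boolean, got {user['canEdit']!r}")

    # Roles: one entry per role. "Team Admin, Billing Admin" in one entry is rejected,
    # so a Team & Billing Admin needs two separate entries.
    seen = set()
    for entry in user.get("roles", []):
        value = entry.get("value") if isinstance(entry, dict) else entry
        if value not in ALLOWED_ROLES:
            problems.append(
                f"role {value!r} is not one of {sorted(ALLOWED_ROLES)}; "
                "use one role entry per role, not a concatenated string"
            )
        elif value in seen:
            problems.append(f"role {value!r} listed twice")
        seen.add(value)

    return problems
```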
To create fully-licensed Lucidchart users in Okta via SCIM, follow these steps:
- Create a group in Okta for full-edit users and assign the Lucidchart app to it.
- Set the group’s canEdit attribute to True.
- Add any users to the group who you would like to receive full-edit Lucidchart licenses.
- Refresh the User page of your Lucidchart admin panel. The users added to the Okta group will appear in your user list. If you click on one of the users' rows, you can confirm that they are a licensed Lucidchart user.
- Create a group in Okta for view-only users and assign the Lucidchart app to it.
- Set the group’s canEdit attribute to False.
- Add any users to the group who you would like to receive view-only Lucidchart licenses.
- Refresh the User page of your Lucidchart admin panel. The users added to the Okta group will appear in your user list. If you click on one of the users' rows, you can confirm that they are not licensed users.
If you would like to enable Group Push and your Lucidchart app is already set up with SCIM, you will have to re-authenticate to Lucidchart's SCIM API. To do this, follow these steps:
- Log in to your Okta org as an admin
- Open the Admin UI
- Open your Lucidchart app instance
- Go to the Provisioning tab
- On the Settings section, click "Integration"
- Click "Edit" and then "Test API Credentials," then click "Save." The new SCIM features should now be enabled for your Lucidchart app.