Integrating Lucidchart with Azure enables your users to authenticate using SAML single sign-on through Azure. Azure also offers a SCIM connection that allows you to provision Lucidchart users from your IDP. The following tutorial walks through the process of integrating Azure with Lucidchart.
The Azure SAML and SCIM integration is only available to Enterprise accounts. To upgrade, please contact our sales team.
Note: You will need admin privileges in both Azure and Lucidchart to set up this integration.
- Add the Lucidchart Enterprise application to your Azure instance.
- In Lucidchart, navigate to the Identity Management section of your Admin panel by clicking Team > Identity Management. Check the box next to Allow SAML authentication, then click Save Changes.
If you would like to set SAML as the default authentication method for users on your account (i.e. what they encounter when they click “next” after typing their email address into the login page), you can do so in the Default authentication dropdown below.
- On the same page, click Configure to navigate to your SAML activation page in Lucidchart.
- Under Lucidchart Sign in URL, enter your Domain name, then click Save Changes.
- In Azure, navigate to Single Sign-on > Configure Single sign-on.
- Under Single Sign-on Mode, select SAML-based Sign on.
- Enter "https://www.lucidchart.com/saml/sso/" followed by your Domain name (the same one you entered into Lucidchart in the previous step) into both the Sign on URL and the ACS URL text fields (e.g. "https://www.lucidchart.com/saml/sso/acme.com"). Note: Azure requires the sign on URL to include "www." after "https://".
Note: The ACS and sign on URLs are going to be the same. The sign on URL is used to create an IDP-initiated sign on. The Lucidchart button in Azure will direct users to this URL. The ACS URL works as a reply URL and specifies where to send the SAML response.
- Enter lucidchart.com into the Identifier field.
- Confirm that user.userprincipalname is the User Identifier. All basic attributes and claims should be set up already by default.
- Click Save at the top of the page.
- Select Metadata XML under the SAML Signing Certificate to download the IDP metadata. You will upload this file to Lucidchart in the next step.
- Back in Lucidchart, scroll down in the SAML Activation page of Lucidchart and click Add Identity Provider. Upload the .xml file that you downloaded from Azure in the previous step.
- Click Test SAML connection to verify that Lucidchart is properly communicating with Azure. Note: The connection will only work if the Lucidchart app has been assigned to your test user in Azure. You can assign the app to users in the Assignments section of the app page.
To enable new user creation for users assigned to the application, you will need to navigate to the “Properties” tab in your Lucidchart application page within Azure. From there, scroll to the bottom of the page and toggle the “User Assignment request to Access Application” to “Off.” Then, select “Users and groups” from the “Manage” menu. Select and assign users and/or groups to access the Lucidchart application.
You can then set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
- If you would like all users to come onto your Lucidchart team with full-edit licenses, set the setting for “When a new user joins a team” to “Automatically grant license.”
- If you want all users to come in as view-only users, set the setting for “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, you can have licenses automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.
Before configuring SCIM, you will need to do the following:
- Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please contact our sales team.
- Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.
Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in Azure by following these steps:
- In Lucidchart, go to Team > App Integration > SCIM.
- Click “generate token.” Lucidchart will populate the “Bearer Token” text field with a unique code for you to share with Azure.
- In Azure, go to the Provisioning tab and use the Lucidchart Base URL and Bearer token to configure SCIM for the Lucidchart Azure app.
Lucidchart’s SAML integration allows users on your Lucidchart team to authenticate quickly and securely. Additionally, if you enable user provisioning, a SAML connection will create users in Lucidchart automatically upon their first log-in if they are assigned the Lucidchart app in your IDP.
What can I do with the Azure SCIM connection?
The Azure SCIM connection supports auto-provisioning, which means you can use SCIM to create Lucidchart users before their first log-in, but you cannot assign them a specific license type (e.g. full-edit vs. view-only).
What is the difference between Microsoft SSO and Azure SAML Sign-On?
Microsoft SSO and Azure SAML Sign-On are both managed from the Azure portal. SAML uses the SAML 2.0 protocol, while MS SSO uses OAuth 2.0 with OpenID Connect. Generally, SAML setups are considered more secure because the encryption is on the transport layer (SSL).