Azure SAML and SCIM Integration

Integrating Lucidchart with Azure enables your users to authenticate using SAML single-sign on through Azure. Azure also offers a SCIM connection that allows you to provision users in your IDP. The following tutorial walks through the process of integrating Azure with Lucidchart.

The Azure SAML and SCIM integration is only available to Enterprise Accounts. To upgrade, please contact our sales team.

Note: You will need admin privileges in both Azure and Lucidchart to set up this integration.

  1. Add the Lucidchart Enterprise application to your Azure instance.
  2. Select "Configure single sign-on" from the "Quick start" menu.
  3. Select "SAML-based Sign on" for the "Single Sign-on Mode."
  4. Enter "https://lucidchart.com/saml/sso/" followed by your company domain into the "Sign on URL" text field (e.g. "https://lucidchart.com/saml/sso/acme.com").
  5. Enter "lucidchart.com" as the "Identifier."
  6. Confirm that "user.userprincipalname" is the "User Identifier."
  7. Select "Save" at the top of the page.
  8. Select "Metadata XML" under the "SAML Signing Certificate" to download the IDP metadata. You will upload this file to Lucidchart in step 12.
  9. In Lucidchart, navigate to the Identity Management section of your Admin panel by clicking Team > Identity Management. Check the box next to “Allow SAML authentication,” then click “Save Changes.”
  10. On the same page, click “Configure” to navigate to your SAML activation page in Lucidchart.
  11. Under “Lucidchart Sign in URL,” enter your domain name. Note: This must match what you entered in Azure in Step 2. Click “Save Changes.”
  12. Scroll down in the SAML Activation page of Lucidchart and click “Add Identity Provider.” Upload the .xml file that you downloaded from Azure in step 8.
  13. Click “Test SAML connection” to verify that Lucidchart is properly communicating with Azure. Note: The connection will only work if the Lucidchart app has been assigned to your test user in Azure. You can assign the app to users in the Assignments section of the app page.
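Before the metadata file downloaded in step 8 is uploaded in step 12, it is worth checking what it actually contains: the entityID, the SSO endpoints Lucidchart will redirect users to, and the fingerprint of the signing certificate (which you can compare against the thumbprint shown in the Azure portal). The following is an added example, not Lucidchart or Microsoft code; the sample metadata, the tenant id and the certificate bytes are constructed placeholders in the shape Azure exports.

```python
"""Sanity-check an IdP metadata XML (step 8) before uploading it (step 12).
Added example, not Lucidchart or Microsoft code: reports entityID, SSO
endpoints and the SHA-256 fingerprint of each signing certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BINDINGS = {"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-POST"}


def inspect_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:  # SP metadata uploaded by mistake, or a wrong export
        raise ValueError("no IDPSSODescriptor in metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_certs": [], "warnings": []}
    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        name = BINDINGS.get(svc.get("Binding"), svc.get("Binding"))
        loc = svc.get("Location", "")
        if not loc.startswith("https://"):  # SAML requests must not travel over plain HTTP
            info["warnings"].append(f"{name} endpoint is not https: {loc}")
        info["sso"][name] = loc
    # An absent 'use' attribute means the key serves both signing and encryption.
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            info["signing_certs"].append(hashlib.sha256(der).hexdigest())
    if not info["signing_certs"]:
        info["warnings"].append("no signing certificate: assertions cannot be verified")
    return info


# Constructed sample in the shape Azure exports: dummy tenant id, and the
# certificate bytes are a labelled placeholder rather than real DER.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>{base64.b64encode(FAKE_DER).decode()}</X509Certificate>
  </X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `inspect_idp_metadata(open("metadata.xml").read())` on the real download; any entry in `warnings`, or a fingerprint that does not match the portal, is a reason not to upload the file.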

Once you have configured SAML with Azure for your Lucidchart account, you can set up Just-In-Time provisioning so that users who are assigned Lucidchart access in Azure but do not yet have a Lucidchart account will have one created for them upon their first login.

To enable new user creation for users assigned to the application, you will need to navigate to the “Properties” tab in your Lucidchart application page within Azure. From there, scroll to the bottom of the page and toggle the “User Assignment request to Access Application” to “Off.” Then, select “Users and groups” from the “Manage” menu. Select and assign users and/or groups to access the Lucidchart application.

You can then set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
  • If you would like all users to come onto your Lucidchart team with full-edit licenses, set the setting for “When a new user joins a team” to “Automatically grant license.”
  • If you want all users to come in as view-only users, set the setting for “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, you can have licenses automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.

Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.

You can enable SCIM with Azure by following the steps below. Please note that the Lucidchart app for Azure supports auto-provisioning with SCIM but not auto-licensing. This means that you can use SCIM to create Lucidchart users before their first login, but you cannot assign them a specific license type (e.g., full-edit vs. view-only). Please see the Auto-Provisioning and Auto-Licensing article for more information about this distinction.

Before configuring SCIM, you will need to do the following:
  • Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please contact our sales team.
  • Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.

Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!

Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in Azure by following these steps:
  1. In Lucidchart, go to Team > App Integration > SCIM.
  2. Click “generate token.” Lucidchart will populate the “Bearer Token” text field with a unique code for you to share with Azure.
  3. In Azure, go to the Provisioning tab and use the Lucidchart Base URL and Bearer Token to configure SCIM for the Lucidchart Azure app.

What are the benefits of integrating with SAML?
Lucidchart’s SAML integration allows users on your Lucidchart team to authenticate quickly and securely. Additionally, if you enable user provisioning, a SAML connection will create users in Lucidchart automatically upon their first log-in if they are assigned the Lucidchart app in your IDP.

What can I do with the Azure SCIM connection?
The Azure SCIM connection supports auto-provisioning, which means you can use SCIM to create Lucidchart users before their first login, but you cannot assign them a specific license type (e.g., full-edit vs. view-only).

What is the difference between Microsoft SSO and Azure SAML Sign-On?
Microsoft SSO and Azure SAML are both managed from the Azure portal. SAML uses the SAML 2.0 protocol, while MS SSO uses OAuth 2.0 with OpenID Connect. Generally, SAML set-ups are considered more secure because the encryption is on the transport layer (SSL).
