Azure SAML and SCIM Integration

Integrating Lucidchart with Azure enables your users to authenticate using SAML single sign-on through Azure. Azure also offers a SCIM connection that provisions the users assigned to the app in your IDP (Azure) into Lucidchart. The following tutorial walks through the process of integrating Azure with Lucidchart.

The Azure SAML and SCIM integration is only available to Enterprise accounts. To upgrade, please contact our sales team.

Note: You will need admin privileges in both Azure and Lucidchart to set up this integration.

  1. Add the Lucidchart Enterprise application to your Azure instance.
  2. In Lucidchart, navigate to the Identity Management section of your Admin panel by clicking Team > Identity Management. Check the box next to Allow SAML authentication, then click Save Changes.

    If you would like to set SAML as the default authentication method for users on your account (i.e. what they encounter when they click “next” after typing their email address into the log-in page), you can do so in the Default authentication dropdown below.

  3. On the same page, click Configure to navigate to your SAML activation page in Lucidchart.

  4. Under Lucidchart Sign in URL, enter your Domain name, then click Save Changes.

  5. In Azure, navigate to Single Sign-on > Configure Single sign-on.
  6. Under Single Sign-on Mode, select SAML-based Sign on.
  7. Fill in the Basic SAML Configuration settings in Azure. (The original article shows a screenshot of the completed form here.) Azure labels the ACS URL “Reply URL (Assertion Consumer Service URL)”. The www. ACS URL is filled in by default; you must also add the app. ACS URL, because the Sign in URL you entered in step 4 generates SAML requests from the app. host, and Azure rejects an assertion destined for a Reply URL it does not list.
  8. Confirm that user.userprincipalname is set as the User Identifier (the SAML NameID). The other basic attributes and claims are already configured by default.
  9. Click Save at the top of the page.
  10. Select Metadata XML under the SAML Signing Certificate to download the IDP metadata (the entity ID, the sign-on endpoints and the certificate Azure signs assertions with). You will upload this file to Lucidchart in the next step.
  11. Back in Lucidchart, scroll down in the SAML Activation page of Lucidchart and click Add Identity Provider. Upload the .xml file that you downloaded from Azure in the previous step.

  12. Click Test SAML connection to verify that Lucidchart is properly communicating with Azure. Note: The connection will only work if the Lucidchart app has been assigned to your test user in Azure. You can assign the app to users in the Assignments section of the app page.
Once you have configured SAML with Azure for your Lucidchart account, you can set up Just-In-Time provisioning so that users assigned Lucidchart access in Azure who do not have a Lucidchart account will have an account created for them upon their first log-in.

To enable new user creation for users assigned to the application, open the “Properties” tab of the Lucidchart application in Azure. Scroll to the bottom of the page and set “User assignment required?” (labelled “Assignment required?” in newer versions of the portal) to “No.” Then select “Users and groups” from the “Manage” menu and assign users and/or groups to the Lucidchart application. Be aware that with assignment not required, any user who can authenticate to your Azure tenant can sign in to Lucidchart, and with Just-In-Time provisioning will have an account created; if only the explicitly assigned users and groups should get accounts, leave the setting at “Yes” and rely on the assignments.

You can then set up Just-In-Time provisioning in the Lucidchart Licensing Settings section of your Lucidchart admin panel.
  • If you would like all users to come onto your Lucidchart team with full-edit licenses, set “When a new user joins a team” to “Automatically grant license.”
  • If you want all users to come in as view-only users, set “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, licenses can be granted automatically upon request, or the requests can appear as pending requests in your user list for an admin to approve.
Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.
You can enable SCIM with Azure by following the steps below. Please note that the Lucidchart app for Azure supports auto-provisioning with SCIM but not auto-licensing. This means that you can use SCIM to create Lucidchart users before their first log-in, but you cannot assign them a specific license type (e.g. full-edit vs. view-only). Please see the Auto-Provisioning and Auto-Licensing article for more information about this distinction.

Before configuring SCIM, you will need to do the following:
  • Confirm that you are on an Enterprise account with an up-to-date pricing plan. To upgrade, please contact our sales team.
  • Contact your Lucidchart Customer Success Manager so that they can enable SCIM for your account.
Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!

Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidchart in Azure by following these steps:
  1. In Lucidchart, go to Team > App Integration > SCIM.
  2. Click “generate token.” Lucidchart will populate the “Bearer Token” text field with a unique token for you to share with Azure. Treat this token as a credential: anyone who holds it can provision users on your Lucidchart account, so paste it only into Azure’s provisioning configuration, do not store it elsewhere, and generate a new token (and update the Azure configuration) if it is ever exposed.

  3. In Azure, go to the Provisioning tab of the Lucidchart app and set Provisioning Mode to Automatic. Under Admin Credentials, enter the Lucidchart Base URL as the Tenant URL and the Bearer token as the Secret Token, then click Test Connection to confirm that Azure can reach Lucidchart’s SCIM endpoint with that token before saving.
What are the benefits of integrating with SAML?
Lucidchart’s SAML integration allows users on your Lucidchart team to authenticate quickly and securely. Additionally, if you enable user provisioning, a SAML connection will create users in Lucidchart automatically upon their first log-in if they are assigned the Lucidchart app in your IDP.

What can I do with the Azure SCIM connection?
The Azure SCIM connection supports auto-provisioning, which means you can use SCIM to create Lucidchart users before their first log-in, but you cannot assign them a specific license type (e.g. full-edit vs. view-only).

What is the difference between Microsoft SSO and Azure SAML Sign-On?
Microsoft SSO and Azure SAML Sign-On are both managed from the Azure portal. Azure SAML Sign-On uses the SAML 2.0 protocol, while Microsoft SSO uses OAuth 2.0 with OpenID Connect. Both run over TLS, so neither is more secure at the transport layer; the difference is in how identity is conveyed (a signed SAML assertion posted to the ACS URL versus an OpenID Connect ID token) and in what the Lucidchart admin controls. The SAML integration lets you manage the signing certificate, the user identifier and the default authentication method from the Lucidchart admin panel, and the Just-In-Time provisioning described above is built on it.

Related Articles
Lucidchart and SAML
Active Directory Federation Services (ADFS) SAML Integration
Okta SAML and SCIM Integration
OneLogin SAML and SCIM Integration