ADFS SAML Set Up and Troubleshooting

Integrating Lucidchart with ADFS enables your users to authenticate using SAML single sign-on through ADFS. The following tutorial walks through the process of integrating ADFS with Lucidchart.

SAML integration is only available to Enterprise accounts. To upgrade your account, check out our pricing page or contact our sales team.

Get started by downloading the federation metadata and importing it into Lucidchart.

    1. Download the federation metadata. The federation metadata can be accessed on the ADFS server at the following URL, replacing [myserver.domain] to reflect your ADFS server URL:
    2. Navigate to the Lucidchart Admin Panel.
    3. Select “App Integration.” and navigate to the "SAML" option.
    4. Upload the XML metadata to Lucidchart using the file picker.  (Note: if you have this in text format please save it as an XML file then upload it to Lucidchart.)

Configure the Lucidchart Relying Party Trust in ADFS.

Next we will create and configure a Relying Party Trust using the Lucidchart metadata.

  1. From the Lucidchart SAML page, select “Download Metadata” to download the Lucidchart metadata. Save the metadata in a location accessible to the ADFS server.

    Download Metadata
  2. Open ADFS and right click on “Relying Party Trust.” Select “Add Relying Party Trust” from the menu to open the Add Relying Party Trust Wizard.

    AD FS window
  3. Click through the Welcome screen. On the Select Data Source screen, select “Import data about the relying party from a file.” Choose “Browse” and locate the Lucidchart metadata file. Complete the remaining settings based on your organization's preferences.

    Add Relying Party Trust Wizard
  4. Open the Endpoints configuration for your Lucidchart relying party trust.  You will need to add another endpoint to accommodate for ADFS storing the incoming sign-on URL against the supplied ACS/reply URL.   The settings should be: 
      • Type = SAML Consumer Assertion
      • Binding = POST (if you use REDIRECT only please contact support)
      • Index = 1
      • Trusted URL = entity ID here (this should match the app. configuration already present save for the app. to www. difference.
      • Once finished the configuration will look like this:
  5. Right-click on the Lucidchart Relying Party Trust and select “Edit Claim Rules.” Add a claim rule using LDAP and configure the claim rule to match the attributes and claim types shown below. Then click “Finish.”

    Add Transform Claim Rule Wizard

Now you have completed the ADFS SAML integration in Lucidchart, and your Lucidchart account will support SAML single sign-on authentication through ADFS.

While we hope your integration setup is a painless experience, here’s a look at how to resolve errors you may encounter.

Invalid SAML Response

This error corresponds with an incorrect SAML response from the IDP. It usually means that the hash algorithm needs to be switched from “SHA-1” to “SHA-256” in ADFS. Navigate to the Lucidchart Relying Party Trust, right click, and select “Properties.” Click the Advanced tab and switch the hash algorithm from “SHA-1” to “SHA-256.”

SAML is not configured for your team. Request an invite from a SAML enabled team.

This error appears when a user attempting to log in through SAML is not associated with the SAML enabled team. The admin will need to send an invite to the user to be accepted to the team. From the Lucidchart Admin Panel, select “Users.” Click “+User” in the top right corner and enter the user’s email.

Invalid Identity Attribute

This error indicates that an invalid identity attribute was received in the SAML response. Configure a claim attribute for the Lucidchart relying party trust where “Email-Addresses” corresponds to “Name ID” in ADFS.

Could Not Parse XML

This error indicates an incorrect syntax in the identity provider XML metadata. This can happen when downloading metadata from an Internet Explorer window. Internet Explorer will add dashes to XML tags for expanding and collapsing. You can fix this issue by either opening the XML data in a text editor or deleting all of the dashes in the copied XML text. Users Being Created

The Lucidchart SAML integration accepts 3 attributes: First Name, Last Name, and Email Address. When an invalid email address is passed from the SAML identity provider, a valid email will be generated to create the user: “passed value” + “SAML ID” + “” This often occurs when a username or given name is passed to the Email Address attribute instead of the valid email. You can resolve this issue by configuring your claim rule to send a valid email address in the Email Address attribute.

ADFS does not return a response to Lucidchart

Check the Endpoints to make sure you followed the steps listed in the ADFS set up steps. If you just have a single endpoint or have your www. endpoint indexed before your app. endpoint the response will not make back to Lucidchart.