Integrating Lucidchart with ADFS enables your users to authenticate using SAML single sign-on through ADFS. The following tutorial walks through the process of integrating ADFS with Lucidchart.
Get started by downloading the federation metadata and importing it into Lucidchart.
- Download the federation metadata. The federation metadata can be accessed on the ADFS server at the following URL, replacing [myserver.domain] to reflect your ADFS server URL:
- Navigate to the Lucidchart Admin Panel by selecting “Team” on the Lucidchart documents screen.
- Select “App Integration.”
- Select “SAML” on the integrations page.
- Select “Enable SAML Integration” at the top of the page.
- Under the Lucidchart Sign in URL section, enter your account domain. Be sure to enter just the domain, not a full URL.
- Open the federation metadata XML file using a text editor. Copy the text from the XML file, paste it into the text box under the Identity Provider Metadata section, and select “Save changes.”
Congratulations! You have now completed the SAML setup in Lucidchart. Next we will create and configure the Lucidchart Relying Party Trust in ADFS.
Next we will create and configure a Relying Party Trust using the Lucidchart metadata.
- From the Lucidchart SAML page, select “Download Metadata” to download the Lucidchart metadata. Save the metadata in a location accessible to the ADFS server.
- Open ADFS and right click on “Relying Party Trust.” Select “Add Relying Party Trust” from the menu to open the Add Relying Party Trust Wizard.
- Click through the Welcome screen. On the Select Data Source screen, select “Import data about the relying party from a file.” Choose “Browse” and locate the Lucidchart metadata file. Complete the remaining settings based on your organization's preferences.
- Right click on the recently created Lucidchart Relying Party Trust and select “Properties” from the dropdown menu. Select the Advanced tab, change the hash algorithm from “SHA-256” to “SHA-1,” and select “Apply.”
- Right click on the Lucidchart Relying Party Trust and select “Edit Claim Rules.” Add a claim rule using LDAP and configure the claim rule to match the attributes and claim types shown below. Then click “Finish.”
Now you have completed the ADFS SAML integration in Lucidchart, and your Lucidchart account will support SAML single sign-on authentication through ADFS.
While we hope your integration setup is a painless experience, here’s a look at how to resolve errors you may encounter.
Invalid SAML Response
This error corresponds with an incorrect SAML response from the IDP. It usually means that the hash algorithm needs to be switched from “SHA-256” to “SHA-1” in ADFS. Navigate to the Lucidchart Relying Party Trust, right click, and select “Properties.” Click the Advanced tab and switch the hash algorithm from “SHA-256” to “SHA-1.”
SAML is not configured for your team. Request an invite from a SAML enabled team.
This error appears when a user attempting to log in through SAML is not associated with the SAML enabled team. The admin will need to send an invite to the user to be accepted to the team. From the Lucidchart Admin Panel, select “Users.” Click “+User” in the top right corner and enter the user’s email.
Invalid Identity Attribute
This error indicates that an invalid identity attribute was received in the SAML response. Configure a claim attribute for the Lucidchart relying party trust where “Email-Addresses” corresponds to “Name ID” in ADFS.
Could Not Parse XML
This error indicates an incorrect syntax in the identity provider XML metadata. This can happen when downloading metadata from an Internet Explorer window. Internet Explorer will add dashes to XML tags for expanding and collapsing. You can fix this issue by either opening the XML data in a text editor or deleting all of the dashes in the copied XML text.
firstname.lastname@example.org Users Being Created
The Lucidchart SAML integration accepts 3 attributes: First Name, Last Name, and Email Address. When an invalid email address is passed from the SAML identity provider, a valid email will be generated to create the user: “passed value” + “SAML ID” + “@example.com.” This often occurs when a username or given name is passed to the Email Address attribute instead of the valid email. You can resolve this issue by configuring your claim rule to send a valid email address in the Email Address attribute.