Integrating Lucidpress with Azure enables your users to authenticate with SAML single sign-on through Azure. Azure also offers a SCIM connection that allows you to provision Lucidpress users from your IdP.
Configure the SAML Integration for Lucidpress via Azure Portal
- Add the Lucidpress Enterprise application to your Azure instance.
- In Lucidpress, navigate to the Identity Management section of your Admin panel by clicking Admin > Identity Management. Check the box next to Allow SAML authentication, then click Save Changes.
If you would like to set SAML as the default authentication method for users on your account (i.e. what they encounter when they click “next” after typing their email address into the log in page), you can do so in the Default authentication dropdown below.
- On the same page, click Configure to navigate to your SAML activation page in Lucidpress.
- Under Lucidpress Sign in URL, enter your Domain name, then click Save Changes.
- In the Azure Lucidpress Enterprise Application, navigate to Single Sign-on > Configure Single sign-on.
- Under Single Sign-on Mode, select SAML-based Sign on.
- Your Basic SAML Configuration settings in Azure should look like the below.
  - SP identifier/entityID/audience restriction: lucidpress.com
  - Sign on URL: https://www.lucidpress.com/saml/sso/<yourdomain>
  - ACS/Reply URL primary (Index = 0): https://lucidpress.com/saml/sso/<yourdomain>
  - ACS/Reply URL secondary (Index = 1; only needed for accounts that use federated SAML metadata): https://www.lucidpress.com/saml/sso/<yourdomain>
  - SSO Service Binding: We default to POST, but can work with REDIRECT (please contact us if you are using REDIRECT)
  - Digest Algorithm: SHA-256
  - nameID: We prefer working with email, but can work with other values
- Confirm that user.userprincipalname is the User Identifier. All basic attributes and claims should be set up already by default.
- Click Save at the top of the page.
- Select Metadata XML under the SAML Signing Certificate to download the IdP metadata. You will upload this file to Lucidpress in the next step.
- Back in Lucid, scroll down in the SAML Activation page of Lucidpress and click Add Identity Provider. Upload the .xml file that you downloaded from Azure in the previous step.
- Click Test SAML connection to verify that Lucidpress is properly communicating with Azure. Note: The connection will only work if the Lucidpress app has been assigned to your test user in Azure. You can assign the app to users in the Assignments section of the app page.
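Before uploading the metadata file to Lucidpress, it is worth checking that it actually contains what the steps above rely on: an IdP signing certificate (without one the SP cannot verify assertions), an HTTP-POST SingleSignOnService (the binding Lucidpress defaults to), https endpoints, and an email-style NameID format. The following script is an added example, not Lucidpress or Microsoft code; it derives the SP-side values from the Basic SAML Configuration list above for a given domain slug and sanity-checks an Azure-style IdP metadata file. The embedded metadata sample is constructed, with a placeholder tenant id and a placeholder X509Certificate value (a tiny DER blob, not a real certificate).

```python
"""Added example (not Lucidpress or Microsoft code): build the SP-side values
from the Basic SAML Configuration list for a Lucidpress domain slug, and
sanity-check an Azure IdP metadata XML file before uploading it.

Assumptions: URL patterns are the ones listed on the page; the metadata
sample below is constructed, with TENANT-ID-PLACEHOLDER and a placeholder
X509Certificate value ("MAMCAQE=" decodes to a 5-byte DER SEQUENCE, not a
real certificate).
"""
import base64
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of the "Metadata XML" download from Azure.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Domain slug as typed under "Lucidpress Sign in URL"; reject anything that
# would change the URL path (slashes, query characters, whitespace).
DOMAIN_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{0,62}$")


def sp_settings(domain: str) -> dict:
    """Return the Basic SAML Configuration values for a Lucidpress domain slug."""
    if not DOMAIN_RE.match(domain):
        raise ValueError(f"unexpected characters in domain slug: {domain!r}")
    return {
        "entity_id": "lucidpress.com",
        "sign_on_url": f"https://www.lucidpress.com/saml/sso/{domain}",
        "acs_url_primary": f"https://lucidpress.com/saml/sso/{domain}",       # Index = 0
        "acs_url_secondary": f"https://www.lucidpress.com/saml/sso/{domain}",  # Index = 1
        "digest_algorithm": "SHA-256",
    }


def check_idp_metadata(xml_text: str) -> dict:
    """Parse IdP metadata and return the fields an admin should review before upload."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    # Signing certificate: must be present and at least decode to a DER SEQUENCE (0x30).
    certs = []
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join((c.text or "").split()), validate=True)
            if not der or der[0] != 0x30:
                raise ValueError("X509Certificate is not DER-encoded")
            certs.append(der)
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")

    # SSO endpoints: Lucidpress defaults to POST, so the IdP must offer it, over https.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD_NS}}}SingleSignOnService")}
    if POST_BINDING not in sso:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    for binding, loc in sso.items():
        if not (loc or "").startswith("https://"):
            raise ValueError(f"SSO endpoint for {binding} is not https: {loc}")

    formats = [f.text or "" for f in idp.findall(f"{{{MD_NS}}}NameIDFormat")]
    return {
        "entity_id": root.get("entityID"),
        "signing_certs": len(certs),
        "post_sso_url": sso[POST_BINDING],
        "redirect_sso_url": sso.get(REDIRECT_BINDING),
        "nameid_formats": formats,
        "email_nameid": any(f.endswith("emailAddress") for f in formats),
    }


if __name__ == "__main__":
    print(sp_settings("acme"))
    print(check_idp_metadata(SAMPLE_IDP_METADATA))
```

Run it against the real download by reading the file into `check_idp_metadata`; compare the returned `entity_id` and `post_sso_url` with what the Azure portal shows, and compare `sp_settings(<yourdomain>)` with the Azure Basic SAML Configuration page before clicking Test SAML connection.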
Adding a Lucidpress Linked Enterprise Application via Azure Portal
While the Lucidpress Enterprise Application in Azure is what authenticates your users into Lucidpress, if you also want your users to see a Gallery Enterprise Application, follow the steps below. Please note that all steps take place within Azure AD.
- Open the Enterprise Application section of the Azure AD portal. Click the + Application button at the top of your application list.
- Choose the “Non-gallery application” option, naming it Lucidpress and adding it.
- Select “Set Up Single Sign on”
- Copy the sign-on URL from your Lucidpress application and paste it into the “sign-on URL” text box.
- Navigate to the Properties tab after downloading the Lucidpress logo here. There you can upload the image as an Application icon.
- Make sure you assign any users you want to see the app in their Gallery. Note: SAML access is determined by the Lucidpress app, so users must have both apps assigned to them even if they only use Lucidpress.
Create Users Upon Log-In with SAML
Once you have configured SAML with Azure for your Lucidpress account, you can set up Just-In-Time provisioning so that users assigned Lucidpress access in Azure who do not have a Lucidpress account will have an account created for them upon their first log-in.
To enable new user creation for users assigned to the application, navigate to the “Properties” tab of your Lucidpress application page within Azure. From there, scroll to the bottom of the page and toggle “User Assignment request to Access Application” to “Off”. Then select “Users and groups” from the “Manage” menu, and select and assign the users and/or groups that should have access to the Lucidpress application.
You can then set up Just-In-Time provisioning in the Licensing Settings section of your Lucidpress admin panel.
- If you would like all users to come onto your Lucidpress team with full-edit licenses, set the setting for “When a new user joins a team” to “Automatically grant license.”
- If you want all users to come in as view-only users, set the setting for “When a new user joins a team” to “Do not automatically grant.” Your users will then be able to request full-edit licenses. Depending on the “When a user requests a license” setting, you can have licenses automatically granted to users upon their request, or you can have the requests turn into pending requests in your user list.
Note: We strongly recommend that you have a custom request dialog if you have users requesting licenses from an admin.
Configure SCIM for Lucidpress with Azure
You can enable SCIM with Azure by following the steps below. Please note that the Lucidpress app for Azure supports auto-provisioning with SCIM but not auto-licensing. This means that you can use SCIM to create Lucidpress users before their first log-in, but you cannot assign them a specific license type (e.g. full-edit vs. view-only). Please see the Auto-Provisioning and Auto-Licensing article for more information about this distinction.
Before configuring SCIM, you will need to do the following:
- Confirm that you are on an Enterprise account with an up-to-date pricing plan.
- Contact your Lucidpress Customer Success Manager so that they can enable SCIM for your account.
Note: Your CSM would be happy to jump on a call to walk you through the SCIM configuration process, so please don’t hesitate to reach out!
Once you have followed the pre-configuration steps listed above, you can configure SCIM for Lucidpress in Azure by following these steps:
- In Lucidpress, go to Admin > App Integration > SCIM.
- Click “generate token.” Lucidpress will populate the “Bearer Token” text field with a unique code for you to share with Azure.
- In Azure, go to the Provisioning tab and use the Lucidpress Base URL and Bearer token to configure SCIM for the Lucidpress Azure app.
What is the difference between Microsoft SSO and Azure SAML Sign-On?
Microsoft SSO and Azure SAML Sign-On are both managed from the Azure portal. SAML uses the SAML 2.0 protocol, while MS SSO uses OAuth 2.0 / OpenID Connect. Generally, SAML set-ups are considered more secure because the encryption is on the transport layer (SSL).