Active Directory Federation Services (ADFS)
Integrating Lucidpress with ADFS enables your users to authenticate using SAML single sign-on through ADFS. The following tutorial walks through the process of integrating ADFS with Lucidpress.
Get started by downloading the federation metadata and importing it into Lucidpress.
- Download the federation metadata. The federation metadata can be accessed on the ADFS server at the following URL, replacing [myserver.domain] to reflect your ADFS server URL:
- Navigate to the Lucidpress Admin Panel by selecting “Team” on the Lucidpress documents screen.
- Select “App Integration.”
- Select “SAML” on the integrations page.
- Select “Enable SAML Integration” at the top of the page.
- Under the Lucidpress Sign in URL section, enter your account domain. Be sure to enter just the domain, not a full URL.
- Open the federation metadata XML file using a text editor. Copy the text from the XML file, paste it into the text box under the Identity Provider Metadata section, and select “Save changes.”
Congratulations! You have now completed the SAML setup in Lucidpress. Next, we will create and configure the Lucidpress Relying Party Trust in ADFS.
Next, we will create and configure a Relying Party Trust using the Lucidpress metadata.
- From the Lucidpress SAML page, select “Download Metadata” to download the Lucidpress metadata. Save the metadata in a location accessible to the ADFS server.
- Open ADFS and right click on “Relying Party Trust.” Select “Add Relying Party Trust” from the menu to open the Add Relying Party Trust Wizard.
- Click through the Welcome screen. On the Select Data Source screen, select “Import data about the relying party from a file.” Choose “Browse” and locate the Lucidpress metadata file. Complete the remaining settings based on your organization's preferences.
- Right click on the recently created Lucidpress Relying Party Trust and select “Properties” from the dropdown menu. Select the Advanced tab, make sure the hash algorithm dropdown shows SHA-256 and select “Apply.”
- Right click on the Lucidpress Relying Party Trust and select “Edit Claim Rules.” Add a claim rule using LDAP and configure the claim rule to match the attributes and claim types shown below. Then click “Finish.”
Now you have completed the ADFS SAML integration in Lucidpress, and your Lucidpress account will support SAML single sign-on authentication through ADFS.
While we hope your integration setup is a painless experience, here’s a look at how to resolve errors you may encounter.
Invalid SAML Response
This error corresponds with an incorrect SAML response from the IDP. It usually means that the hash algorithm needs to be switched from “SHA-1” to “SHA-256” in ADFS. Navigate to the Lucidpress Relying Party Trust, right click, and select “Properties.” Click the Advanced tab and switch the hash algorithm from “SHA-1” to “SHA-256.”
SAML is not configured for your team. Request an invite from a SAML enabled team.
This error appears when a user attempting to log in through SAML is not associated with the SAML enabled team. The admin will need to send an invite to the user to be accepted to the team. From the Lucidpress Admin Panel, select “Users.” Click “+User” in the top right corner and enter the user’s email.
Invalid Identity Attribute
This error indicates that an invalid identity attribute was received in the SAML response. Configure a claim attribute for the Lucidpress relying party trust where “Email-Addresses” corresponds to “Name ID” in ADFS.
Could Not Parse XML
This error indicates an incorrect syntax in the identity provider XML metadata. This can happen when downloading metadata from an Internet Explorer window. Internet Explorer will add dashes to XML tags for expanding and collapsing. You can fix this issue by either opening the XML data in a text editor or deleting all of the dashes in the copied XML text.
firstname.lastname@example.org Users Being Created
The Lucidpress SAML integration accepts 3 attributes: First Name, Last Name, and Email Address. When an invalid email address is passed from the SAML identity provider, a valid email will be generated to create the user: “passed value” + “SAML ID” + “@example.com.” This often occurs when a username or given name is passed to the Email Address attribute instead of the valid email. You can resolve this issue by configuring your claim rule to send a valid email address in the Email Address attribute.