New LucidLink Single Sign-On (SSO) SAML 2.0: Integration with Microsoft Entra ID


Target audience: Workspace administrators

This article is part of the New LucidLink Single Sign-On (SSO) SAML 2.0 implementation series of articles.

Requirements

  • Organization email domain configured and verified in the LucidLink Application or Webportal for your Workspace. Please use this article for the domain setup.
  • Admin access to create the app in your Identity Provider's Admin Console.

LucidLink’s SAML 2.0 implementation supports Service Provider (SP)-initiated logins only. IdP-initiated login flows (where a user starts authentication directly from the Identity Provider dashboard and is then redirected into LucidLink) are not supported.

Setup instructions

1. Start the integration within the LucidLink Application or Webportal

From the LucidLink Application or Webportal, click on the 3-dot menu next to the Workspace name and click on SSO Integration. Then click on the Set Up SSO button.


Copy the values of the following two fields from the SSO configuration page; you will enter them in your IdP Admin Console in the next steps:

  • Service Provider Consumer URL
  • Service Provider entity ID

2. Create a LucidLink app within the Microsoft Entra admin center

In the Microsoft Entra admin center, expand the Applications menu and select Enterprise applications. From the top of the applications list, click New application:


On the following page, click Create your own application. Enter a Name for your application and click Create at the bottom of the panel:


3. Configure the LucidLink app within the Microsoft Entra admin center

From the left navigation panel, go to Manage > Single sign-on and select SAML:

In the Basic SAML Configuration section, click Edit. Enter the following values and click Save:

  • Identifier (Entity ID) - Service Provider entity ID value from LucidLink SSO Integration tab
  • Reply URL (Assertion Consumer Service URL) - Service Provider Consumer URL value from LucidLink SSO Integration tab 


In the SAML Certificates section, find Certificate (Base64) and click Download:


Copy the values from the following two fields; you will need to paste these into the LucidLink SSO Integration tab in the next step:

  • Login URL
  • Microsoft Entra Identifier


4. Finish the integration within the LucidLink SSO Integration tab

Enter the two values copied from the Microsoft Entra admin center into the LucidLink SSO Integration tab:

  • Single Sign-On URL - Login URL from the Microsoft Entra admin center
  • Identity Provider entity ID - Microsoft Entra Identifier from the Microsoft Entra admin center


Then upload the Identity Provider certificate (the Certificate (Base64) file downloaded in step 3) and click Save.

You should now see the Microsoft Entra ID SSO setup in the LucidLink SSO Integration tab. You will need to add Entra ID users/groups to the new app before they can authenticate using SSO within the LucidLink Application or Webportal.

You can either assign them to the application and wait until they connect to the Workspace before administering their access and adding them to groups, or use our new SCIM Provisioning option to sync your Microsoft Entra ID users and groups to the app automatically.

You can read more about SCIM Provisioning in the article below:

Understanding SCIM Integration in LucidLink
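
When a login fails after setup, the usual cause is a mismatch in the values exchanged in steps 3 and 4, or a login started from the IdP side. The following is an added example, not LucidLink or Microsoft code: it checks a decoded SAML response against the configured values, using constructed placeholder URLs, entity IDs and a constructed unsigned response, and it checks field alignment only, not the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed placeholders for the values exchanged in steps 1-4 (not real endpoints).
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"  # Service Provider entity ID
SP_ACS_URL = "https://sp.example.invalid/saml/acs"         # Service Provider Consumer URL
IDP_ENTITY_ID = "https://idp.example.invalid/tenant-placeholder/"  # Microsoft Entra Identifier

# Constructed, unsigned SP-initiated response carrying only the fields checked below.
SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SP_ACS_URL}" InResponseTo="_constructed-request-id">
  <saml:Assertion>
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id):
    """Return a list of mismatches between a decoded SAML response and the
    configured values. Field alignment only: no signature or time checks."""
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Assertion/saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} != Identity Provider entity ID")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} lacks Identifier (Entity ID)")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    # Exact string match: a trailing slash or http/https difference is a mismatch.
    for name, value in (("Destination", root.get("Destination")), ("Recipient", recipient)):
        if value != acs_url:
            problems.append(f"{name} {value!r} != Reply URL (Assertion Consumer Service URL)")
    # Unsolicited (IdP-initiated) responses carry no InResponseTo; only SP-initiated is supported.
    if not root.get("InResponseTo"):
        problems.append("no InResponseTo: IdP-initiated response")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE, SP_ENTITY_ID, SP_ACS_URL, IDP_ENTITY_ID) or "fields line up")
```

An empty list means the Issuer, Audience, Destination and Recipient line up with the four configured values and the response answers an SP-initiated request.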

Configuring SCIM Provisioning for Users and Groups

SCIM is a standard that allows you to automate user lifecycle management between different systems.
To configure it for your workspace, follow these steps:

1. In the left navigation panel, click Manage and then select Provisioning:


2. On the following page, click New Configuration:

3. Enter the following details and click Test Configuration:

  • Tenant URL - SCIM base URL value from the SCIM configuration in the LucidLink SSO Integration tab 
  • Secret token - API key from the SCIM configuration in the LucidLink SSO Integration tab

4. Microsoft Entra ID will verify the provisioning details. Once the test completes, a notification will appear in the top-right corner; you can then click Create:

Once you click Create, the SCIM integration is active. You will be redirected to the Provisioning dashboard, where you can manage the connection settings and monitor the health of the synchronization process.

Provisioning Cycles & Monitoring

Microsoft Entra ID runs provisioning cycles at a fixed interval (typically every 40 minutes) to sync users and groups. You can monitor the sync status, view the time of the last cycle, and check for errors on the Provisioning Overview page.

To skip the sync wait time, navigate to Provisioning > Provision on demand. Search for your target user or group, select them, and click Provision.

Once provisioning is complete, synced users and groups will appear in your LucidLink Workspace with unique identifiers: a SCIM icon will appear next to individual member names, and a [SCIM] prefix will be added to group names.
