Target audience: Workspace administrators
This article is part of the New LucidLink Single Sign-On (SSO) SAML 2.0 implementation series of articles.
Requirements
- Organization email domain configured and verified in the LucidLink Application or Webportal for your Workspace. Please use this article for the domain setup.
- Admin Access to create the app in your Identity Provider's Admin Console.
LucidLink’s SAML 2.0 implementation supports Service Provider (SP)-initiated logins only. IdP-initiated login flows (where a user starts authentication directly from the Identity Provider dashboard and is then redirected into LucidLink) are not supported.
Setup instructions
1. Start the integration within the LucidLink Application or Webportal
From the LucidLink Application or Webportal, click on the 3-dot menu next to the Workspace name and click on SSO Integration. Then click on the Set Up SSO button.
Obtain the values from the following two fields on the SSO configuration page; you will enter them into your IdP Admin Console in the next step:
- Service Provider Consumer URL
- Service Provider entity ID
2. Create a LucidLink app in Okta
From your Okta Admin Console, navigate to Applications > Applications in the left navigation menu and click the Browse App Catalog button:
Search the catalog for SCIM 2.0 Test App (Header Auth) and select the app to begin configuration:
Note: Even if you do not plan to use SCIM provisioning currently, it is recommended to use this application type to allow for future implementation.
Click Add Integration:
Fill out the Application label and click Next:
3. Configure the LucidLink app within the Okta Admin Console
Enter the following values in the Advanced Sign-on Settings section:
- ACS URL - Enter the Service Provider Consumer URL value from your LucidLink SSO integration
- Audience URI - Enter the Service Provider entity ID value from your LucidLink SSO integration
Under the Credentials Details section, select Email from the Application username format dropdown menu and click Done:
In the Sign on methods section, expand More details under the Metadata details area:
Obtain the values from the following two fields to use in the LucidLink SSO integration tab in the next step:
- Sign on URL
- Issuer
Click the Download button next to the Signing Certificate line and click Done:
4. Finish the integration within the LucidLink SSO Integration tab
Enter the two values from the Okta Admin Console into the LucidLink SSO Integration tab:
- Single Sign-On URL - Enter the Sign on URL value from the previous step in Okta
- Identity Provider entity ID - Enter the Issuer value from the previous step in Okta
Then upload the Identity provider certificate and click Save.
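The following is an added example, not code from LucidLink or Okta, showing how the four values exchanged in steps 1 to 4 are used in an SP-initiated SAML 2.0 login and which consistency checks a Service Provider performs on the response it receives: the Service Provider entity ID must appear as the Audience, the Service Provider Consumer URL must be the response Destination, and the Issuer must equal the Identity Provider entity ID. All URLs, entity IDs, identifiers and the sample response are constructed placeholders; signature verification against the uploaded Identity provider certificate is a separate step not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 namespaces used in the messages below.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Step 1 values from the LucidLink SSO configuration page (constructed placeholders).
SP_ACS_URL = "https://sp.example.invalid/saml/acs"         # Service Provider Consumer URL -> Okta "ACS URL"
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"  # Service Provider entity ID   -> Okta "Audience URI"
# Step 3 values from Okta's Metadata details (constructed placeholders).
IDP_SSO_URL = "https://idp.example.invalid/app/sso/saml"   # Sign on URL -> LucidLink "Single Sign-On URL"
IDP_ENTITY_ID = "http://www.okta.com/exampleissuer"         # Issuer      -> LucidLink "Identity Provider entity ID"


def build_authn_request(request_id: str, issue_instant: datetime) -> str:
    """SP-initiated flow: the Service Provider creates the AuthnRequest and sends the
    browser to the IdP's Sign on URL; the IdP must post its response back to the ACS URL."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant.isoformat()}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f"</samlp:AuthnRequest>"
    )


def check_response(xml_text: str, expected_request_id: str, now: datetime) -> list:
    """Return the mismatches between the response and the configured values
    (an empty list means the response is consistent with the configuration)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination does not match the Service Provider Consumer URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest (unsolicited or replayed)")
    if root.findtext("saml:Assertion/saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        problems.append("Assertion Issuer does not match the Identity Provider entity ID")
    audiences = [a.text for a in root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        problems.append("Audience does not contain the Service Provider entity ID")
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    if now >= datetime.fromisoformat(conditions.get("NotOnOrAfter")):
        problems.append("assertion has expired")
    return problems


# Constructed sample response; the NameID is an email because the Okta app's
# Application username format was set to Email in step 3.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00+00:00"
    Destination="{SP_ACS_URL}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00+00:00">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00+00:00" NotOnOrAfter="2024-01-01T00:05:00+00:00">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def run_demo() -> dict:
    """Exercise the checks on the constructed response at a fixed clock time."""
    at = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)
    return {
        "request_has_sso_url": IDP_SSO_URL in build_authn_request("_req1", at),
        "consistent": check_response(SAMPLE_RESPONSE, "_req1", at),
        "unsolicited": check_response(SAMPLE_RESPONSE, "_other", at),
        "wrong_audience": check_response(
            SAMPLE_RESPONSE.replace(SP_ENTITY_ID, "https://other.example.invalid"), "_req1", at),
        "expired": check_response(SAMPLE_RESPONSE, "_req1",
                                  datetime(2024, 1, 1, 1, 0, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The InResponseTo check is what makes the integration SP-initiated only: a response that does not answer a request the Service Provider issued is rejected, which is why an IdP-initiated login from the Okta dashboard cannot succeed here. A swapped Audience URI or ACS URL in the Okta app shows up as one of the mismatch messages rather than a working login.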
You should now see the Okta SSO setup in the LucidLink SSO Integration tab. You will need to assign your Okta users and groups to the new LucidLink app within the Okta Admin Portal before the users can authenticate within the LucidLink Application or Webportal.
You can choose to just assign them to the application and wait until they connect to the workspace to administer their access and add them to groups, or you can use our new SCIM Provisioning option to sync your Okta Users and Groups in the app.
You can read more about SCIM Provisioning with LucidLink in the article below:
Understanding SCIM Integration in LucidLink
Configuring SCIM Provisioning for Users and Groups
SCIM is a standard that allows you to automate user lifecycle management between different systems.
To configure it for your workspace, follow these steps:
From your new application overview page, click on the Provisioning tab, click on Configure API Integration:
Enter the two fields from the LucidLink SSO Integration SCIM configuration into the Okta Admin Console:
- SCIM base URL - Enter this as the Base URL in Okta
- API Key - Enter this as the API Token in Okta
Click the Test API Credentials button. If the test completes successfully, a green dialog box will appear.
Click Save.
Now configure the SCIM Provisioning settings for the To App category:
Click the Edit button to begin.
Check the Enable box next to Create Users, Update User Attributes and Deactivate Users.
Click Save:
Users assigned to the app within Okta will now be automatically provisioned to your LucidLink workspace as members, identified by a [SCIM] icon next to their username:
Group Provisioning
Okta requires you to manually push the groups assigned to your app to your workspace.
Click the Push Groups tab.
Click the Push Groups dropdown menu and search for the groups assigned to the app in Okta that you want to push to the workspace:
Select a filter (Find groups by name or Find groups by rule), locate your group, click the name and click Save:
The status of the pushed group will now be visible in the Push Groups tab:
Once the status is Active in the Okta Admin Console, the group will appear in the LucidLink Groups tab of your workspace with (SCIM) appended to the name.
Next Step: