Target audience: Workspace administrators
This article is part of a series on the new LucidLink Single Sign-On (SSO) SAML 2.0 implementation.
Overview
With the new SSO implementation, Workspace administrators can now define the authentication method for their entire Workspace. These settings apply to all Filespaces configured within that Workspace, ensuring a consistent security posture.
Requirements
Before configuring authentication settings, ensure the following criteria are met:
Verified Domain: At least one organizational email domain must be configured and verified in the LucidLink admin portal.
Active SSO: An SSO implementation must be successfully established with your Identity Provider (IdP).
Authentication Settings
Once at least one domain is verified, you can manage your SSO preferences. In the admin portal under Domain Management, you will find three authentication options for each verified domain:
Disabled: Members can only authenticate using their email and password. SSO login is unavailable.
Optional: Members can choose between SSO or their standard email and password. This is ideal for transitional periods.
Required: All members with your organization's domain are forced to authenticate via SSO. Password login is disabled for these users.
⚠️ Note: Before setting authentication to Required, ensure your SSO configuration is fully tested. If the configuration is incorrect, users with that domain may be locked out of their Filespaces.
To prevent accidental lockouts, choosing Required triggers a confirmation prompt. You must verify that your SSO setup is functional by typing TESTED into the confirmation field. Once entered, click Yes, require SSO to enforce the setting.
External Domain Authentication
For users with email domains that are not verified in your Workspace, you can define a separate authentication policy. This ensures that guests or external contractors follow your organization's security standards.
Standard (Password): External members authenticate using their LucidLink email and password.
Enforced SSO: External members must be registered in your Identity Provider (IdP) and will be required to log in via SSO.
Before enforcing SSO for external domains, ensure all such users are correctly provisioned in your IdP. Test their access first to prevent immediate lockout once the enforcement is enabled.
If you choose Enforced SSO for external users, a confirmation dialog will appear. It warns that all external users will be immediately logged out of the Workspace and must re-authenticate via SSO to regain access.
To proceed, check the box labeled I have read and understood the message and click Yes, enforce SSO.
Your configuration is now complete. You are ready to provide your users with the SSO Key and instruct them on how to connect to your Filespace(s) using their SSO credentials.
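A pre-flight check for the lockout warnings above, as an added example (not LucidLink code): it applies the per-domain modes and the external-domain policy described on this page to a member list and reports who would be left with SSO as their only login method without being provisioned in the IdP. The function names, the sample data, and the assumption that member and IdP user lists are available as email addresses matched by email are all hypothetical.

```python
# Added example: inputs are constructed. Assumes member and IdP user lists are
# available as plain email addresses and that the IdP identifies users by email.
MODES = {
    "Disabled": {"password"},
    "Optional": {"password", "sso"},
    "Required": {"sso"},
}

def allowed_methods(email, domain_modes, external_policy):
    """Login methods the Workspace settings leave open for one member."""
    domain = email.rsplit("@", 1)[-1].lower()
    mode = domain_modes.get(domain)
    if mode is None:
        # Domain is not verified in the Workspace: the external policy applies.
        return {"sso"} if external_policy == "Enforced SSO" else {"password"}
    return MODES[mode]

def lockout_risk(members, idp_users, domain_modes, external_policy):
    """Members whose only method would be SSO but who are missing from the IdP."""
    provisioned = {u.strip().lower() for u in idp_users}
    at_risk = set()
    for raw in members:
        email = raw.strip().lower()
        sso_only = allowed_methods(email, domain_modes, external_policy) == {"sso"}
        if sso_only and email not in provisioned:
            at_risk.add(email)
    return sorted(at_risk)

# Constructed sample data (not real accounts).
MEMBERS = ["alice@example.com", "Bob@example.com", "carol@example.org", "dave@contractor.example"]
IDP_USERS = ["alice@example.com", "carol@example.org"]
PLANNED = {"example.com": "Required", "example.org": "Optional"}

if __name__ == "__main__":
    for policy in ("Standard (Password)", "Enforced SSO"):
        print(policy, "->", lockout_risk(MEMBERS, IDP_USERS, PLANNED, policy))
```

An empty result only shows that every affected member exists in the IdP; it does not replace testing an actual SSO login before typing TESTED or enforcing SSO for external users.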