Understanding SCIM Integration in LucidLink


This article describes the specific behaviors and changes to user and group management within LucidLink once SCIM (System for Cross-domain Identity Management) is enabled in your identity provider (IdP).

What is SCIM and Why Should I Use It?

SCIM is an open standard (RFC 7643 and RFC 7644) for automating user lifecycle management between an identity provider and the applications it provisions. By connecting LucidLink to your identity provider (IdP), such as Okta or Azure AD (now Microsoft Entra ID), you can:

  • Automate Onboarding: new users assigned the LucidLink app in your IdP are provisioned in your workspace automatically.
  • Centralize Administration: manage users and group memberships from a single place, your IdP.
  • Improve Security: when a user is deactivated or removed in your IdP, their access to LucidLink is revoked automatically, so former employees can no longer reach company data.

Prerequisites

  • An active Single Sign-On (SSO) integration must already be configured on your LucidLink filespace before you can enable SCIM; SCIM provisioning is an extension of the SSO capability.
  • Administrators configure SCIM from an up-to-date LucidLink desktop client or from the web client.

How SCIM Changes User and Group Management

Once enabled, your IdP becomes the source of truth for user and group information. This introduces the following changes:

SCIM-Managed Users

When SCIM is enabled, a LucidLink user becomes "SCIM managed" as soon as their email address matches that of a user you have assigned to the LucidLink application in your IdP.

User management lock

A SCIM-managed user cannot be deleted directly from the LucidLink Members page. Perform the removal in your IdP instead, so that the two systems stay in sync.

Add to LucidLink native group

A SCIM-managed user can be added to a standard, non-SCIM group that has been created within LucidLink. This allows for flexible permission setups combining automated and manual group management, a capability not available in LucidLink Classic.

New "Deactivated" User State

Some IdPs can deactivate a user as well as delete one. Deactivation temporarily blocks access while preserving all of the user's permissions and configuration in the LucidLink environment. When you deactivate a user in your IdP, they move to a "Deactivated" state in LucidLink. As a result:

  • They cannot log in or access any data.
  • They do not count towards your billed users.
  • If you reactivate them later in your IdP, they will regain access with all their previous permissions intact.

A "Deactivated" tab on the filespace's Members screen lists these users, alongside the existing "Active" and "Pending" tabs.

SCIM-Managed Groups

Groups pushed from your IdP are created in LucidLink automatically with a (SCIM) suffix that distinguishes them from natively created groups; these groups are "SCIM managed".

Group management lock

  • SCIM-managed groups cannot be deleted or renamed. You can manage them only through the IdP.
  • You cannot add or remove members from a SCIM-managed group within LucidLink. Membership is controlled exclusively by your IdP.

Group Permissions

You can assign permissions to a SCIM-managed group just as you would to any other group. Because membership is controlled exclusively by the IdP, anyone who can change that group's membership in the IdP can effectively grant or revoke the filespace permissions attached to it, so protect group administration in the IdP accordingly.

Identity Provider Specifics

Okta

We strongly recommend Okta's "SCIM 2.0 App" template when configuring the integration, as it provides better stability.

Google Workspace

The current integration supports user provisioning only; group provisioning from Google Workspace is not supported at this time. As a workaround, create groups manually in LucidLink and add your SCIM-provisioned users to them.

Azure AD & Others

Other major IdPs are supported as well, including Azure AD (Microsoft Entra ID), JumpCloud, OneLogin, and Ping Identity; this list is not exhaustive.

Important Considerations

External Users

If you provision a user whose email address is not in your verified SSO domain, that user is created in a "pending" state and must still receive and accept an invitation before gaining access to the filespace.

Removing the SSO Integration

If you delete your SSO configuration, the SCIM integration is removed with it, with the following consequences:

  • All SCIM-managed groups are deleted.
  • All users who were already deactivated are permanently deleted, except the "Owner" of the workspace. Review the Deactivated tab before removing SSO if any of those accounts need to be kept.
  • Active users are no longer SCIM managed:
    • Any user without a previously set password is converted to "pending" and requires a new invitation from an administrator to regain access.
    • Any user who already has a password can continue to log in and use the filespace as usual.
  • If you also want to remove all users when the SSO integration is removed, delete them from the Members page.
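The lifecycle rules in this article (email matching for SCIM-managed users, the Deactivated state, the locks on SCIM-managed users and groups, external users landing in Pending, and the teardown when SSO is removed) are easiest to see as one state model. The Python below is an added example written for this article; it is not LucidLink's code or API. It is an in-memory stand-in for a SCIM service provider that applies messages of the shapes an IdP sends (POST /Users, PATCH with a PatchOp on the "active" attribute, DELETE /Users, group pushes) and enforces the locks described above. The domain example.com, every user and group name, the use of the email address as the SCIM user id, and the rule that only deactivated users are excluded from billing are assumptions made for the example.

```python
from dataclasses import dataclass, field
VERIFIED_SSO_DOMAIN = "example.com"   # assumption: the domain verified for SSO on this filespace

@dataclass
class User:
    email: str
    state: str = "active"            # "active" | "pending" | "deactivated"
    scim_managed: bool = False
    has_password: bool = False
    is_owner: bool = False

@dataclass
class Group:
    name: str
    scim_managed: bool = False
    members: set = field(default_factory=set)   # member emails

class ScimLocked(Exception):
    """The action is locked in LucidLink and must be performed in the IdP."""

def _as_bool(value):
    # 'active' should be a JSON boolean, but some IdPs have sent "True"/"False" strings; accept both
    return value if isinstance(value, bool) else str(value).strip().lower() == "true"

class Workspace:
    def __init__(self):
        self.users = {}    # lowercase email -> User (the email doubles as the SCIM id here)
        self.groups = {}   # group name -> Group

    # a member that already exists in LucidLink before SCIM is enabled
    def seed_user(self, email, has_password=False, is_owner=False):
        self.users[email.lower()] = User(email.lower(), has_password=has_password, is_owner=is_owner)

    # POST /Users: a member with the same email becomes SCIM managed; an email outside
    # the verified SSO domain is created as "pending" and still needs an invitation
    def scim_create_user(self, email):
        key = email.lower()
        if key not in self.users:
            in_domain = key.endswith("@" + VERIFIED_SSO_DOMAIN)
            self.users[key] = User(key, state="active" if in_domain else "pending")
        self.users[key].scim_managed = True
        return self.users[key]

    # PATCH /Users/{id} carrying a SCIM 2.0 PatchOp; only the 'active' attribute is modelled.
    # active=false parks the user as "deactivated" and leaves group memberships untouched.
    def scim_patch_user(self, email, patch_body):
        u = self.users[email.lower()]
        for op in patch_body.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            value = op.get("value")
            if op.get("path") == "active":                        # {"path": "active", "value": ...}
                u.state = "active" if _as_bool(value) else "deactivated"
            elif isinstance(value, dict) and "active" in value:   # {"value": {"active": ...}}
                u.state = "active" if _as_bool(value["active"]) else "deactivated"
        return u

    # DELETE /Users/{id}: the member leaves the workspace and every group
    def scim_delete_user(self, email):
        key = email.lower()
        del self.users[key]
        for g in self.groups.values():
            g.members.discard(key)

    # group push: created with the " (SCIM)" suffix, membership mirrors the IdP exactly
    def scim_push_group(self, display_name, members):
        name = f"{display_name} (SCIM)"
        g = self.groups.setdefault(name, Group(name, scim_managed=True))
        g.members = {m["value"].lower() for m in members}
        return g

    # the same actions attempted from the LucidLink Members page are locked for SCIM objects
    def local_delete_user(self, email):
        if self.users[email.lower()].scim_managed:
            raise ScimLocked("SCIM-managed user: remove the assignment in the IdP instead")
        self.scim_delete_user(email)

    def local_set_membership(self, group_name, email, member=True):
        g = self.groups[group_name]
        if g.scim_managed:
            raise ScimLocked("SCIM-managed group: change membership in the IdP instead")
        (g.members.add if member else g.members.discard)(email.lower())

    def billed_users(self):
        # assumption: the article states only that deactivated users are not billed
        return sum(1 for u in self.users.values() if u.state != "deactivated")

    # deleting the SSO configuration removes SCIM as well
    def remove_sso(self):
        for name in [n for n, g in self.groups.items() if g.scim_managed]:
            del self.groups[name]
        for key in list(self.users):
            u = self.users[key]
            if u.state == "deactivated" and not u.is_owner:
                self.scim_delete_user(key)        # permanently deleted
                continue
            u.scim_managed = False
            if u.state == "active" and not u.has_password:
                u.state = "pending"               # requires a new invitation
```

Two details are deliberate. The PatchOp handler accepts "active" both as a JSON boolean and as the strings "True"/"False", because some IdPs have been observed sending the string form; a service provider that only recognises a literal false would leave a deactivated leaver active, which is the wrong failure direction for an offboarding control. And deactivation never touches group membership, which is what makes the "reactivate with all previous permissions intact" behaviour possible, while a DELETE or the SSO teardown removes the user from every group.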
