Okta integration
Note: We recommend you stick to the standard integration instructions if they work for you; they can be found here: Set up Okta Single Sign-on Integration. This article describes a slightly different integration procedure, which differs from the standard one in the following ways:
- A custom attribute is added to the application user profile instead of the Okta user profile.
- Okta API Access Management subscription is required.
- The required Okta API scopes/permissions are slightly different; most notably, the "users.manage" permission is not required for the user synchronization flow, while "apps.manage" is (the custom attribute is written to the application user profile rather than the Okta user profile).
- With this approach, if you use multiple LucidLink filespaces, you should create a separate Okta Application for each one.
Currently Lucid has the following requirements for user synchronization (there are no special requirements for regular user login):
- During synchronization of users, you will need a user that is an Okta administrator.
- As a minimum, that user needs to be a Group Admin for the groups whose users will be assigned to Lucid and an App Admin for the LucidLink application. The API scopes granted to the application in the next section are exercised on behalf of this user, so what the synchronization can read or change is bounded by this user's admin role. You can find more general information on Okta administrator roles here: Okta Administrator roles and permissions
Upon completion of this guide, you will:
- Have a configuration for your LucidLink application inside your Okta account;
- Be able to assign Okta users and groups to your LucidLink application within your Okta account;
- Be able to integrate Okta with your LucidLink Filespace, and synchronize the assigned Okta users and groups to Lucid;
- Be able to log in to LucidLink Filespace using the Okta identity provider.
Create a LucidLink Application within Okta
1. Log in to the Okta admin panel.
2. Go to Applications -> click “Add Application” -> click “Create New App”. In the "Platform" drop-down, select "Native app" and click “Create”.
3. On the next screen that appears, enter “LucidLink” for the “Application name”, add the following "Login redirect URIs" and click "Save". These are loopback URIs: after login, Okta sends the browser back to the LucidLink client listening on 127.0.0.1, so enter them exactly as shown (scheme, port and trailing slash included). If you see an option to "Limit access to selected groups", we recommend selecting it and assigning a group to the LucidLink application; otherwise, all users will be assigned and synchronized to the Lucid application. After this initial selection, you can still modify the assigned users and groups from the Assignments tab in the application settings, as described below:
http://127.0.0.1:8909/
http://127.0.0.1:8908/
http://127.0.0.1:8907/
http://127.0.0.1:8906/
4. In the Application settings screen, go to the “Okta API Scopes” tab and grant the following scopes:
okta.users.read, okta.groups.read, okta.apps.read, okta.apps.manage
Note that okta.apps.manage is a write scope (it allows the application to create and modify applications in your org); the other three are read-only. Grant only these four.
5. In the Application settings screen, go to the “General” tab, in the “General Settings” section, click “Edit”. Check the “Refresh Token” checkbox in addition to the already selected “Authorization Code”. Click “Save”.
6. Next, navigate to "Directory" -> "Profile editor". Click "Profile" (pencil icon) next to the “LucidLink” application user profile.
Click the "+ Add attribute" button and fill in:
Data type: leave as is, "string"
Display name: "LucidLink data"
Variable name: "lucidLinkData"
Scope: "User personal"
Click "Save".
7. Now go to “Security” -> API and choose the authorization server you wish to use for the integration. We will use the default custom authorization server for this example, so select it from the list.
8. Go to the “Claims” tab and check whether a claim named “lucidLinkData” is already in the list. If it is, continue with the next step; otherwise click “Add Claim”. Enter “lucidLinkData” for the “Name”, and select “ID Token” and “Always” for “Include in token type”. In the value field, enter “appuser.lucidLinkData”. For scopes, select “lucidlink” and click "Create" to save the new claim.
Assign Okta Users and Groups to the LucidLink Application
Go to Applications and select the newly created LucidLink application by clicking on its name.
Go to the "Assignments" tab and select users or groups to assign by clicking the “Assign” button.
Note: Make sure to assign an Okta admin user to the LucidLink application. This user will later be used to synchronize users from Okta to the LucidLink Filespace. The user is also used to manage any other integration with the LucidLink Filespace.
Configure a LucidLink Filespace to add Okta as an Identity Provider
1. While in Okta, open the LucidLink application page: Applications -> Applications and click on the app name. In the General tab, scroll down to the “Client ID” parameter and copy its value to your clipboard.
2. Log in as the "root" user to a LucidLink Filespace.
3. Open a command prompt/terminal and type the following command:
lucid config --set --global --Sso.OktaUseAppProfile 1
4. Open the "Control panel". Click the SSO menu.
5. Select "Configure" Okta.
6. Enter the "Client ID" from step 1.
7. Enter the "OpenID URL". It should normally look similar to “https://dev-991030.okta.com/”, where “dev-991030” is your tenant/company name. If you want to use a custom authorization server for user login, however, enter the "Issuer URL" of that server here instead, for example “https://dev-991030.okta.com/oauth2/aus3bnh107vBzOOMt4x7”.
8. Click Connect.
9. A web browser with a login form should open at this point where you have to log in as an Okta admin (set up in the previous section of this guide). If you see a blank page in the browser and focus does not go back to the Lucid application automatically, switch back to the Lucid control panel window.
10. If you logged in successfully as an assigned admin user, Lucid will start fetching user and group information from Okta and compare it with the local Lucid users and groups. After this is done, you will get a preview of changes that would be applied to the Lucid Filespace users and groups.
11. Click “Synchronize now” to proceed with user/group import inside Lucid.
12. The integration is now complete. Okta users and groups are now visible in the "Users" and "Groups" menus within the Lucid control panel, and the Lucid administrator can assign shares as usual.
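Before clicking Connect it is worth sanity-checking the three values this procedure depends on: the loopback redirect URIs registered in step 3 of the Okta section, the issuer entered as the "OpenID URL" in step 7, and the "lucidLinkData" ID-token claim added in step 8. The following Python is an added example written for this article; it is not LucidLink or Okta code. It runs offline on constructed input: the client ID is a made-up placeholder, the ID token is an unsigned token built inline for the demonstration (Okta issues RS256-signed tokens), and because the format of the "lucidLinkData" value is not documented here the check only confirms the claim is present. The signature is deliberately not verified; a real client must validate it against the issuer's JWKS before trusting any claim.

```python
"""Preflight checks for the Okta values used in the LucidLink SSO setup.

Added example, not LucidLink or Okta code. Everything here works offline on
constructed input; see the comments for what is assumed.
"""
import base64
import json
from urllib.parse import urlparse

# Loopback redirect URIs registered on the Okta native app (step 3 of the
# guide). They are compared exactly, as they are entered in Okta.
REGISTERED_REDIRECT_URIS = {
    "http://127.0.0.1:8909/",
    "http://127.0.0.1:8908/",
    "http://127.0.0.1:8907/",
    "http://127.0.0.1:8906/",
}

# Custom claim added on the authorization server in step 8.
REQUIRED_ID_TOKEN_CLAIM = "lucidLinkData"


def normalize_issuer(url: str) -> str:
    """Return the issuer without a trailing slash.

    Accepts both the org URL ("https://dev-991030.okta.com/") and a custom
    authorization server issuer ("https://dev-991030.okta.com/oauth2/<id>").
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"issuer must be an https URL, got {url!r}")
    if parsed.query or parsed.fragment:
        raise ValueError("issuer URL must not carry a query or fragment")
    return f"https://{parsed.netloc}{parsed.path.rstrip('/')}"


def is_custom_authorization_server(issuer: str) -> bool:
    """Okta custom authorization servers live under /oauth2/<id>."""
    return urlparse(normalize_issuer(issuer)).path.startswith("/oauth2/")


def discovery_url(issuer: str) -> str:
    """OIDC discovery document location for the given issuer.

    Fetching this URL (not done here) shows the issuer, endpoints and
    supported claims, so a typo in the OpenID URL is caught before Connect.
    """
    return normalize_issuer(issuer) + "/.well-known/openid-configuration"


def is_registered_redirect(uri: str) -> bool:
    """A redirect URI is only usable if it matches a registered one exactly."""
    return uri in REGISTERED_REDIRECT_URIS


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_claims(id_token: str, issuer: str, client_id: str) -> list:
    """Decode the JWT payload and return a list of problems (empty means OK).

    Claims only: the signature is NOT verified here. A real client must check
    it against the issuer's JWKS before trusting iss, aud or lucidLinkData.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    if claims.get("iss") != normalize_issuer(issuer):
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append(f"aud does not contain the client id: {aud!r}")
    if REQUIRED_ID_TOKEN_CLAIM not in claims:
        problems.append(f"claim {REQUIRED_ID_TOKEN_CLAIM!r} missing; "
                        "check the Claims tab of the authorization server")
    return problems


def build_unsigned_demo_token(claims: dict) -> str:
    """Constructed test input only: an unsigned JWT (alg 'none', empty
    signature) so the checks above can be exercised offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    issuer = "https://dev-991030.okta.com/"          # tenant from the guide
    client_id = "0oaEXAMPLEclientid"                  # hypothetical value
    print(discovery_url(issuer))
    token = build_unsigned_demo_token({
        "iss": "https://dev-991030.okta.com",
        "aud": client_id,
        "lucidLinkData": "constructed-value",         # real format undocumented
    })
    print(check_id_token_claims(token, issuer, client_id) or "ID token claims OK")
```

If check_id_token_claims reports the claim as missing on a token obtained from a real login, the usual causes are the claim being configured on a different authorization server than the issuer entered in step 7, or the claim's scope not being requested.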
User login in Lucid through Okta
1. Open the Login screen and enter the Filespace that has Okta integration.
2. In the next step the Okta integration will be detected and a new button will allow for Okta login.
You will be taken to your Okta domain in a new browser window where you can log in. Upon successful login, Lucid will connect to the Filespace.
3. You can confirm this by checking the username at the top of the dashboard.
What is my Okta Client ID?
1. Make sure you've completed the setup guide above.
2. Log in to Okta.
3. Navigate to Applications -> Applications and click on the LucidLink app name.
4. In the General tab, scroll down to see the "Client ID".
What is my Okta OpenID URL?
1. Make sure you've completed the setup guide above.
2. Log in to Okta.
3. Your "OpenID URL" should look similar to “https://dev-991030.okta.com/”, where “dev-991030” will be your tenant/company name.