TABLE OF CONTENTS
- Azure AD integration
Azure AD integration
The Azure AD SSO support allows you to:
- Synchronize users and groups from Azure AD into Lucid Filespaces.
- Login to Lucid Filespaces using your Azure AD account.
Currently Lucid has the following requirements for user synchronization (no special requirements for regular user login are needed):
- You will need to use an Azure AD user with sufficient administrative rights when you synchronize users into Lucid.
- Lucid uses the Microsoft Graph API to perform the following operations on behalf the logged in admin user:
- Fetch users and groups
- Read application assignments
- Write a custom attribute into the profile of users that are assigned to the LucidLink application.
Upon completion of this guide you will:
- have a configuration for your LucidLink application inside your Azure AD account;
- be able to integrate Azure AD with your LucidLink Filespace, and synchronize the assigned Azure AD users and groups to Lucid;
- be able to log in to LucidLink Filespace using Azure AD identity provider.
Create LucidLink application within Azure AD
1. Log in as an administrator to your Azure AD portal.
2. Open the "App registrations" service.
3. Click "New registration"
4. Enter the following data for registering the new application (see image below)
Redirect URI: Public client/native (mobile & desktop) http://127.0.0.1:8909/
Click "Register" to register the LucidLink application.
5. Navigate to the "Authentication" menu and add the following URIs in the "Mobile and desktop applications" section (see image below)
Click "Save" to preserve the settings.
6. Navigate to the "Token configuration" menu and "Add optional claim" -> select "ID token" -> check the "upn" -> click "Add"
7. Check the "Turn on the Microsoft Graph profile permission" checkbox (required for claims to appear in token). Click "Add".
8. (optional) If you have external users in your AD: Go to the claim, click the three dots on the right and select Edit. Make sure “Externally authenticated” is set to "Yes". If this option is not selected, those users will not be able to log in. Click "Save". (see image below)
9. Navigate to "API permissions" -> Click on "Microsoft Graph" and then on "Delegated permissions" (image below):
10. Select the following permissions and click update (result in the image below)
11. While on the same screen click "Grant admin consent for..." and select "Yes"
12. Navigate to Enterprise applications -> LucidLink -> Properties and set “User assignment required?” to Yes. Click Save. (see the image below)
13. You will need to have at least one Azure AD admin user assigned to the LucidLink application. To add users and groups that will be using the LucidLink application:
- Go to Enterprise applications -> LucidLink -> Users and groups
- Click Add users
- Click on “Users and groups” and select one or more admin or non-admin users. Click Select. Click Assign.
Integrate Azure AD with your LucidLink Filespace
1. Log in as the "root" user to a LucidLink Filespace and open the "Control panel". Click the SSO menu.
2. Select "Configure" Azure AD.
3. Back in the Azure AD portal, go to App Registrations -> LucidLink -> Overview, copy "Application (client) ID" (image below) and enter it in the "Application (client) ID" field in LucidApp.
4. While still on App Registrations -> LucidLink -> Overview, click Endpoints, and copy the "OpenID Connect metadata document" URL (image below) and enter it in the "OpenID Connect metadata document" field in LucidApp.
5. In the Azure AD portal, go to Enterprise Applications -> LucidLink -> Overview, copy "Object ID" and enter it in the "Service Principal Object ID" field in LucidApp.
6. In LucidApp, click Connect.
7. In the opened browser window, log in with an Azure AD admin user. After a successful login, go back to LucidApp where you should see a list of users and groups from Azure AD ready to synchronize with the Lucid application.
8. Click on “Synchronize now” to add the assigned users and groups to LucidApp.
User login in Lucid through Azure AD
1. Open the Login screen and enter the Filespace that has Azure AD integration.
2. In the next step the Azure AD integration will be detected and a new button will allow for Azure AD login.
You will be taken to your Azure AD domain in a new browser window where you can log in. Upon successful login, Lucid will connect to the Filespace.
3. You can confirm this by checking the username at the bottom of the dashboard: