Please note, as of Filespace format 2.2 the legacy term “Shares” has been changed to “Permissions.”
Okta Integration
Upon completion of this guide you will:
- Have a configuration for your LucidLink application inside your Okta account;
- Be able to assign Okta users and groups to your LucidLink application within your Okta account;
- Be able to integrate Okta with your LucidLink Filespace, and synchronize the assigned Okta users and groups to Lucid;
- Be able to log in to LucidLink Filespace using Okta identity provider.
Currently Lucid has the following requirements for user synchronization (no special requirements for regular user login are needed):
- During the synchronization of users, you will need a user that is an Okta administrator.
- As a minimum, that user needs to be a Group Admin for the users that will be assigned to Lucid and an App admin for the LucidLink Application. You can find more general information on Okta Administrator roles here: Okta Administrator roles and permissions
- Lucid uses the Okta API to perform the following operations on behalf of the logged-in admin user:
  - Read users and groups;
  - Read application assignments;
  - Write a custom attribute in each user that is assigned to Lucid.
Create a LucidLink Application within Okta
1. Log in to the Okta admin panel.
2. Go to Applications -> click “Create App Integration”. Choose "OIDC - OpenID Connect" as the "Sign-in method" and select "Native Application" as the "Application type". Click "Next".
3. On the next screen that appears, enter “LucidLink” for the “App integration name”, select "Refresh Token" in the "Grant type" section, and add the following "Sign-in redirect URIs":
http://127.0.0.1:8909/
http://127.0.0.1:8908/
http://127.0.0.1:8907/
http://127.0.0.1:8906/
Remove the "Sign-out redirect URIs", then select "Skip group assignment for now" from the "Assignments" section and click "Save".
4. In the Application settings screen, go to the “Okta API Scopes” tab and Grant the following scopes:
okta.apps.manage
okta.apps.read
okta.groups.read
okta.users.manage
okta.users.read
okta.users.read.self
5. Next, navigate to "Directory" -> "Profile editor". Click on “User (default)”.
6. Click the "+ Add attribute" button.
Data type: leave as is, "string"
Display name: "LucidLink data"
Variable name: "lucidLinkData"
User permission: "Read Only"
Click “Save” to save the new attribute.
7. After saving the attribute and still in the Okta User Profile editor, scroll down and click the edit (pencil) icon next to the newly created "lucidLinkData" attribute.
In the edit dialog, make sure the following settings are as below:
Source priority: "Inherit from Okta"
Click "Save Attribute".
8. Next, navigate to "Directory" -> "Profile editor". Click on the “LucidLink User” (we'll repeat the same procedure of adding an attribute).
Click the "+ Add attribute" button:
Data type: leave as is, "string"
Display name: "LucidLink data"
Variable name: "lucidLinkData"
Scope: "User personal"
Click "Save".
9. While still in the "LucidLink User" app, click the "Mappings" button.
In the "Okta User to LucidLink" tab, locate the "lucidLinkData" attribute in the LucidLink User Profile (on the right side of the mappings).
In the drop-down menu on that attribute's left side, select "lucidLinkData".
Click on the arrow button in the middle and select "Apply mapping on user create and update".
Click "Save mappings". If asked to apply these mappings to all users with this profile, click "Apply updates now".
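As an added example (not code from LucidLink or Okta), the following Python script checks an Okta app configuration against the values in steps 3 and 4 above: the four loopback sign-in redirect URIs and nothing else, the "Refresh Token" grant, no sign-out redirect URIs, and exactly the six granted Okta API scopes. The sample app dict and scope list are constructed, and the dict is assumed to mirror the settings.oauthClient shape of Okta's app API response.

```python
"""Offline check of an Okta OIDC app configuration against the requirements in
this guide. Added example, not LucidLink's or Okta's own code. SAMPLE_APP is a
constructed dict assumed to mirror the shape of Okta's GET /api/v1/apps/{appId}
response (settings.oauthClient); SAMPLE_SCOPES is a constructed list of granted scopes."""

REQUIRED_REDIRECTS = {f"http://127.0.0.1:{port}/" for port in (8906, 8907, 8908, 8909)}
REQUIRED_SCOPES = {
    "okta.apps.manage", "okta.apps.read", "okta.groups.read",
    "okta.users.manage", "okta.users.read", "okta.users.read.self",
}

SAMPLE_APP = {  # constructed: one stray non-loopback redirect URI
    "label": "LucidLink",
    "settings": {"oauthClient": {
        "application_type": "native",
        "grant_types": ["authorization_code", "refresh_token"],
        "redirect_uris": sorted(REQUIRED_REDIRECTS) + ["https://example.invalid/cb"],
        "post_logout_redirect_uris": [],
    }},
}
SAMPLE_SCOPES = sorted(REQUIRED_SCOPES) + ["okta.logs.read"]  # constructed: one extra scope


def check_app(app: dict, granted_scopes: list) -> list:
    """Return findings as strings; an empty list means the app matches the guide."""
    oc = app.get("settings", {}).get("oauthClient", {})
    findings = []
    if oc.get("application_type") != "native":
        findings.append("application type must be 'native'")
    if "refresh_token" not in oc.get("grant_types", []):
        findings.append("grant types must include 'refresh_token'")
    redirects = set(oc.get("redirect_uris", []))
    # Loopback URIs only: any other sign-in redirect widens where auth codes can be sent.
    for uri in sorted(REQUIRED_REDIRECTS - redirects):
        findings.append(f"missing sign-in redirect URI {uri}")
    for uri in sorted(redirects - REQUIRED_REDIRECTS):
        findings.append(f"unexpected sign-in redirect URI {uri}")
    if oc.get("post_logout_redirect_uris"):
        findings.append("sign-out redirect URIs should be removed")
    # Least privilege: exactly the six scopes from step 4, nothing more.
    scopes = set(granted_scopes)
    for s in sorted(REQUIRED_SCOPES - scopes):
        findings.append(f"missing Okta API scope {s}")
    for s in sorted(scopes - REQUIRED_SCOPES):
        findings.append(f"granted scope {s} is not needed by LucidLink")
    return findings

if __name__ == "__main__":
    for f in check_app(SAMPLE_APP, SAMPLE_SCOPES):
        print("-", f)
```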
Assign Okta Users and Groups to the LucidLink Application
Go to Applications and select the newly created LucidLink application by clicking on its name.
Go to the "Assignments" tab and select users or groups to assign by clicking the “Assign” button.
Note: make sure to assign an Okta admin user to the LucidLink application. This user will later be used to synchronize users from Okta to the LucidLink Filespace. The user is also used to manage any other integration with the LucidLink Filespace.
Configure a LucidLink Filespace to add Okta as an Identity Provider
1. While in Okta, go to the Application page for the LucidLink app in Okta: Applications -> Applications and click on the app name. In the General tab, scroll down to the “Client ID” parameter and copy its value to your clipboard.
2. Log in as the "root" user to a LucidLink Filespace and open the "Control panel". Click the SSO menu.
3. Select "Configure" Okta.
4. Enter the "Client ID" from step 1.
5. Enter the "OpenID URL" - it should look similar to “https://dev-991030.okta.com/”, where “dev-991030” will be your tenant/company name.
6. Click "Connect".
7. A web browser with a login form should open at this point where you have to log in as an Okta admin (set up in the previous section of this guide).
8. If you logged in successfully as an assigned admin user, Lucid will start fetching user and group information from Okta and compare it with the local Lucid users and groups. After this is done, you will get a preview of changes that would be applied to the Lucid Filespace users and groups.
9. Click “Synchronize now” to proceed with user/group import inside Lucid.
10. The integration is now complete - Okta users and groups are now visible in the "Users" and the "Groups" menus within the Lucid control panel and the Lucid administrator can assign shares as usual.
User Login in Lucid through Okta
1. Open the Login screen and enter the Filespace that has Okta integration.
2. In the next step the Okta integration will be detected and a new button will allow for Okta login.
You will be taken to your Okta domain in a new browser window where you can log in. Upon successful login, Lucid will connect to the Filespace.
3. You can confirm this by checking the username at the bottom of the dashboard.
What is my Okta Client ID?
1. Make sure you've completed the setup guide above.
2. Log in to Okta.
3. Navigate to Applications -> Applications and click on the LucidLink app name.
4. In the General tab, scroll down to see the "Client ID".
What is my Okta OpenID URL?
1. Make sure you've completed the setup guide above.
2. Log in to Okta.
3. Your "OpenID URL" should look similar to “https://dev-991030.okta.com/”, where “dev-991030” will be your tenant/company name.