Target audience: Filespace administrators
This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.
The “just-in-time" provisioning single sign-on (SSO) workflow allows you to integrate an identity provider with a LucidLink Filespace. After the completion of the integration, users will be able to authenticate against that identity provider and log in to the Filespace, gaining access to group or individual shares within the Filespace.
As part of the SSO setup process of the Filespace, a special “Filespace key” file is generated. The Filespace key workflow serves as an additional layer of security providing a Zero-Knowledge guarantee, and ensuring that LucidLink has no access to the data stored in your Filespace.
The Filespace key needs to be stored and distributed by the customer's organization and ultimately provided to each user, who then "imports" the key once per device in order for the user to be able to log in and gain access to the Filespace and its contents. For more information on this new security workflow, check out this Filespace key distribution article.
Azure AD Setup
- You will need to use an Azure AD user with sufficient administrative rights.
- The LucidLink service will require the GroupMember.Read.All Application permission for the Graph API in order to be able to support group-based access granting for Filespace shares.
- A client secret needs to be generated in Azure AD and provided for authenticating these API calls.
1. Log in as an administrator to your Azure AD portal.
2. Open the App registrations and select New registration.
Alternatively, navigate to the Add menu item and choose App registration.
3. Enter the following data for registering the new application:
- Name: LucidLink
- Redirect URI: Public client/native (mobile & desktop) http://127.0.0.1:8906/
- Click Register to register the LucidLink application.
4. Navigate to the Authentication menu item and add the following URIs in the Mobile and desktop applications section.
5. Add the following URIs:
7. Click Save to preserve the settings.
8. Navigate to the API permissions menu item -> Click on Microsoft Graph and then on Application Permissions.
9. Select the following permissions and search GroupMember.Read.All
10. From within the permissions list, select the newly added GroupMember.Read.All permission and click Grant Admin Consent for <your app’s name> or Add permissions.
In case you do not see the message below, please check your Azure role. You will need to use an Azure AD user with sufficient administrative rights, i.e. Global Admin.
11. Configure groups claim. Navigate to the Token configuration menu item and select Add groups claim.
Select Groups assigned to the application and then choose Save.
12. Navigate to the Certificates & secrets menu item section.
13. Click on New client secret to add a new secret.
14. Select the desired expiration. Microsoft's recommendation for the expiration is six months, however, you can choose an appropriate expiration period based on your organization's policy or established security practices.
Once the secret expires, group-based access granting will stop working properly within the LucidLink Filespace. Thus you will need to re-configure the secret before it expires to avoid experiencing any loss of LucidLink Filespace functionality.
You can update your secret value via `lucid config --Sso.ClientSecret` as per this KB article.
15. Click Add.
16. Now copy to your clipboard the client secret’s Value. This secret value will be needed when integrating Azure AD within the LucidLink client.
Client secret values cannot be viewed, except immediately after creation. Be sure to save the secret when created before leaving the page.
17. From within the LucidLink client app, log in as the LucidLink root user. Make sure you are using version 2.1 or above, of the LucidLink client.
18. Go to the LucidLink Control Panel and select the SSO tab on the left-hand side.
19. Click the Configure button inside the Azure AD card.
20. Paste the LucidLink client secret value copied in Step 16 in the Client Secret field.
21. Return to the Azure AD admin portal, navigate to App Registrations -> LucidLink -> Overview, and choose to copy the Application (client) ID and paste it into the Application (client) ID field in the LucidLink client.
22. While still on App Registrations -> LucidLink -> Overview, click Endpoints, and copy the OpenID Connect metadata document URL.
23. Paste it into the OpenID Connect metadata document field in the LucidLink client and click Continue.
24. Save the unique Filespace key for this particular LucidLink Filespace. The default location can be found within the folder known as .lucid-keys.
Please note: Do not share this Filespace key outside your organization. Also: LucidLink employees will never ask for your Filespace key.
25. Once the Filespace key is saved, you may proceed with Add integration.
26. Congratulations, you're nearly done! You can now distribute your Filespace key and configure your users and group shares.
27. From within the Azure AD Admin portal, navigate to Enterprise applications -> LucidLink -> Properties and set User assignment required? to Yes. Click Save.
28. While still in Enterprise applications -> LucidLink -> Users and groups, click Add users select Users and groups, and select one or more admin or non-admin users. Click Select. Click Assign.