Please note, as of Filespace format 2.2 the legacy term “Shares” has been changed to “Permissions.”
Target audience: Filespace administrators
This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.
The just-in-time provisioning single sign-on (SSO) workflow allows you to integrate an identity provider with a LucidLink Filespace. After the completion of the integration, users will be able to authenticate against that identity provider and log into the Filespace, gaining access to group or individual shares within the Filespace.
The Filespace key
As part of the SSO setup process of the Filespace, a special Filespace key file is generated. The Filespace key workflow serves as an additional layer of security providing a Zero-Knowledge guarantee and ensuring that LucidLink has no access to the data stored in your Filespace.
The Filespace key must be stored and distributed by the customer's organization and ultimately provided to each user, who imports it once per device before they can log in and gain access to the Filespace. For more information on this security workflow, see the Filespace key distribution article.
The following scope/permission is required:
Create a LucidLink application within Okta
1. Log in to Okta and open the Admin panel (the Admin button is at the top right corner of your Okta account).
2. Go to Applications -> click Create App Integration.
Choose OIDC - OpenID Connect as the Sign-in method and Native Application as the Application type, then click Next.
3. On the next screen, enter LucidLink for the App integration name, select Refresh Token in the Grant type section, and add the following Sign-in redirect URIs:
Select Skip group assignment for now from the Assignments section and click Save:
4. In the Application settings screen, go to the Okta API Scopes tab and grant the following scope/permission.
5. In the Application settings screen, go to the Sign On tab and click Edit on the OpenID Connect ID Token section. Set the Groups claim filter to Matches regex with the filter ".*" so that all of the user's groups are included in the ID token, then click Save.
Assign Okta users and groups to the LucidLink application
6. Select the Assignments tab, click the Assign button, and choose Assign to People or Assign to Groups.
Configure a LucidLink Filespace to add Okta as an identity provider
7. In Okta, navigate to Applications -> Applications and click the LucidLink app name. In the General tab, scroll down to the Client ID parameter and copy its value to your clipboard.
8. Obtain your OpenID URL (the URL of your Okta org) from the Okta Admin panel.
9. From within the LucidLink client, log in as the root user to a given LucidLink Filespace and open the Control panel. Click on the SSO menu.
10. Select the Configure Okta card.
11. Enter the Client ID copied in Step 7.
12. Enter the OpenID URL from Step 8. It should look similar to "https://account-012345.okta.com/", where "account-012345" is your Okta tenant/company name.
13. Click Continue and the Save the Filespace key page within the LucidLink client will appear.
14. Choose Save key. The default location can be found within the folder known as .lucid-keys.
15. Select Finish integration to complete the Okta setup.
16. Congratulations, you're nearly there! Simply share the Filespace key (a file named name.fskey) with every user in your organization who needs access to the Filespace. Finally, configure permissions (formerly shares) for your users and groups.
Important: The Filespace key must be stored and shared within your organization by the LucidLink root or admin user, and imported on every client workstation or laptop the first time it connects to that Filespace. This is a one-time process per device for each Filespace. Because the key is what keeps LucidLink from being able to read your data, distribute it only over a channel your organization trusts and only to users who need access.
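Two of the values above are easy to get subtly wrong: the OpenID URL entered in Step 12 (a pasted admin-console or login URL instead of the org origin) and the groups claim configured in Step 5 (if the filter is missing, the ID token carries no groups and group permissions will not resolve). The following script is an added example, not LucidLink or Okta code; it validates the OpenID URL offline, derives the standard OIDC discovery URL you can fetch to confirm the org, and decodes an ID token payload to check that the "groups" claim (assumed to be the claim name, which is Okta's default) is present. The sample token is constructed here for offline use and is unsigned.

```python
"""Offline checks for the two values the Okta integration depends on:
the OpenID URL entered in the LucidLink control panel and the groups claim
that Step 5 adds to the ID token. Added example, not LucidLink or Okta code."""
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Assumption: the Okta app's groups claim is named "groups" (the Okta default).
GROUPS_CLAIM = "groups"


def normalize_openid_url(url: str) -> str:
    """Return the Okta org origin with a trailing slash, e.g.
    "https://account-012345.okta.com/", or raise ValueError.

    Anything beyond a bare https origin (a path, query, fragment or
    credentials) usually means the wrong URL was copied, e.g. the admin
    console or a login page, so it is rejected rather than trimmed.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("OpenID URL must use https")
    if not parts.netloc or "@" in parts.netloc:
        raise ValueError("OpenID URL must be a bare hostname")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("OpenID URL must be the org origin with no path")
    return urlunsplit(("https", parts.netloc.lower(), "/", "", ""))


def discovery_url(openid_url: str) -> str:
    """OIDC discovery document of the org authorization server; fetching it
    (e.g. with curl) confirms the URL really is an Okta org before you save it."""
    return normalize_openid_url(openid_url) + ".well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature.

    This is a debugging aid for seeing which claims Okta emits; never use
    it to decide whether to trust a token.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token(id_token: str, openid_url: str) -> list:
    """Return a list of problems (empty means the token matches the setup)."""
    claims = id_token_claims(id_token)
    problems = []
    # The org authorization server issues tokens whose iss is the org origin;
    # compare without the trailing slash to avoid a false mismatch.
    expected_iss = normalize_openid_url(openid_url).rstrip("/")
    if str(claims.get("iss", "")).rstrip("/") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    groups = claims.get(GROUPS_CLAIM)
    if groups is None:
        problems.append(f"no {GROUPS_CLAIM!r} claim: check the groups claim filter in Step 5")
    elif not isinstance(groups, list) or not groups:
        problems.append(f"{GROUPS_CLAIM!r} claim is empty: the user has no assigned groups")
    return problems


# Constructed sample token (alg "none", empty signature) for offline use only;
# the sub and aud values are placeholders, not real Okta identifiers.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({
        "iss": "https://account-012345.okta.com",
        "sub": "constructed-sample-user",
        "aud": "constructed-sample-client-id",
        GROUPS_CLAIM: ["Everyone", "LucidLink Editors"],
    }),
    "",
])


if __name__ == "__main__":
    print(discovery_url("https://account-012345.okta.com/"))
    print(check_id_token(SAMPLE_ID_TOKEN, "https://account-012345.okta.com/") or "ID token OK")
```

To use it against a real tenant, paste the ID token obtained from Okta (for example from the Token Preview tab of the application) into `check_id_token` together with the OpenID URL you intend to enter in Step 12; an empty list means the issuer matches and the groups claim is populated.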