Please note, as of Filespace format 2.2 the legacy term “Shares” has been changed to “Permissions.”
Target audience: Filespace administrators
This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.
Overview
The just-in-time provisioning single sign-on (SSO) workflow allows you to integrate an identity provider with a LucidLink Filespace. After the completion of the integration, users will be able to authenticate against that identity provider and log into the Filespace, gaining access to group or individual shares within the Filespace.
The Filespace key
As part of the SSO setup process for the Filespace, a special Filespace key file is generated. The Filespace key workflow serves as an additional layer of security, providing a Zero-Knowledge guarantee and ensuring that LucidLink has no access to the data stored in your Filespace.
The Filespace key must be stored and distributed by the customer's organization and ultimately provided to each user, who imports the key once per device before being able to log in and gain access to the Filespace. For more information on this security workflow, see the Filespace key distribution article.
Okta Setup
The following scope/permission is required:
okta.users.read.self
Create a LucidLink application within Okta
1. Log into Okta and open the Admin panel from the top right corner of your Okta account.
2. Go to Applications and click Create App Integration. Choose OIDC - OpenID Connect as the Sign-in method and Native Application as the Application type, then click Next.
3. On the next screen, enter LucidLink for the App integration name, select Refresh Token in the Grant type section, and add the following Sign-in redirect URIs:
http://127.0.0.1:8909/
http://127.0.0.1:8908/
http://127.0.0.1:8907/
http://127.0.0.1:8906/
Select Skip group assignment for now from the Assignments section and click Save.
4. In the Application settings screen, go to the Okta API Scopes tab and grant the following scope/permission.
okta.users.read.self
5. In the Application settings screen, go to the Sign On tab and Edit the OpenID Connect ID Token.
If you use only Okta-created groups within your LucidLink setup, set the Group claim type to Filter, set the Groups claim filter to Matches regex with the filter ".*" so that every group is included, and click Save.
If you use a mixture of AD-synced groups and Okta-created groups within your LucidLink setup, set the Group claim type to Expression and enter the following as the Groups claim expression:
Arrays.isEmpty(Groups.startsWith("active_directory","",100)) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))
Then click Save.
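To check which group names the mixed AD/Okta expression above will place in a user's ID token, here is an added Python model of the expression's semantics (example code, not LucidLink's or Okta's own). It assumes Okta's Groups.startsWith(app_type, pattern, limit) returns the names of the user's groups from that source whose name starts with the pattern, capped at the limit, and uses constructed group memberships; the cap of 100 is the one the article's expression uses, so a user in more groups than that silently loses the excess from the claim.

```python
from typing import List, Tuple

# (source app type, group name): "OKTA" for Okta-created groups,
# "active_directory" for AD-synced groups. Sample values are constructed.
Group = Tuple[str, str]

# Limit hard-coded in the article's expression.
CLAIM_LIMIT = 100


def groups_starts_with(groups: List[Group], source: str, prefix: str, limit: int) -> List[str]:
    """Assumed model of Groups.startsWith(app_type, pattern, limit): names of the
    user's groups from `source` beginning with `prefix`, at most `limit` of them.
    An empty prefix matches every group of that source."""
    names = [name for src, name in groups if src == source and name.startswith(prefix)]
    return names[:limit]


def expression_claim(groups: List[Group], limit: int = CLAIM_LIMIT) -> List[str]:
    """Mirror of the article's ternary:
    Arrays.isEmpty(AD) ? OKTA : Arrays.flatten(OKTA, AD)
    where AD/OKTA are the two Groups.startsWith(...) calls. Arrays.flatten
    concatenates, so the result is Okta-created groups followed by AD groups."""
    ad = groups_starts_with(groups, "active_directory", "", limit)
    okta = groups_starts_with(groups, "OKTA", "", limit)
    if not ad:
        return okta
    return okta + ad


def dropped_by_limit(groups: List[Group], limit: int = CLAIM_LIMIT) -> int:
    """Number of the user's groups that never reach the claim because each
    per-source list is truncated at `limit` (the admin-facing caveat)."""
    total = len(groups)
    return total - len(expression_claim(groups, limit))


# Constructed membership for one user with both kinds of groups.
SAMPLE_USER: List[Group] = [
    ("OKTA", "LucidLink-Editors"),
    ("active_directory", "AD-Finance"),
    ("OKTA", "Everyone"),
]

if __name__ == "__main__":
    print(expression_claim(SAMPLE_USER))
    many_ad = [("active_directory", f"AD-{i}") for i in range(150)] + [("OKTA", "Everyone")]
    print(len(expression_claim(many_ad)), "groups kept,", dropped_by_limit(many_ad), "dropped")
```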
Assign Okta users and groups to the LucidLink application
6. Select the Assignments tab, click Assign, and choose Assign to People or Assign to Groups.
Configure a LucidLink Filespace to add Okta as an identity provider
7. Navigate to the Okta Applications -> Applications and click on the LucidLink app name. In the General tab, scroll down to the Client ID parameter and copy its value to your clipboard.
Note: The Copy to clipboard button in the Okta portal sometimes does not function as expected; if you use it, check carefully that the copied value matches what the portal shows.
8. Obtain your OpenID URL from the Okta Admin portal.
Note: The same clipboard caveat as in Step 7 applies here; check carefully that the copied URL matches what the portal shows.
9. From within the LucidLink client, log in as the root user to a given LucidLink Filespace and open the Control panel. Click on the SSO menu.
10. Select the Configure Okta card.
11. Enter the Client ID from Step 7.
12. Enter the OpenID URL from Step 8 which should look similar to "https://account-012345.okta.com/", where "account-012345" will be your tenant/company name.
13. Click Continue; the Save the Filespace key page appears within the LucidLink client.
14. Choose Save key. By default the key is saved in the folder named .lucid-keys.
15. Select Finish integration to complete the Okta setup.
16. Congratulations, you're nearly there! Simply share the Filespace key (the key is a file named name.fskey) with any user within your organization that needs access to the Filespace. Finally, configure your users and group shares.
Important: This Filespace key needs to be stored and shared within your organization by the LucidLink root or admin user, and applied on every client workstation or laptop when connecting that Filespace for the first time. This is a one-time-only process for each Filespace.