LucidLink Single Sign-On (SSO): Integrating with Okta

Please note, as of Filespace format 2.2 the legacy term “Shares” has been changed to “Permissions.”

 

Target audience: Filespace administrators

This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.

 

Overview

The just-in-time provisioning single sign-on (SSO) workflow allows you to integrate an identity provider with a LucidLink Filespace. After the completion of the integration, users will be able to authenticate against that identity provider and log into the Filespace, gaining access to group or individual shares within the Filespace.

The Filespace key

As part of the SSO setup process of the Filespace, a special Filespace key file is generated. The Filespace key workflow serves as an additional layer of security providing a Zero-Knowledge guarantee and ensuring that LucidLink has no access to the data stored in your Filespace.

The Filespace key needs to be stored and distributed by the customer's organization and ultimately provided to each user, who then imports the key once per device in order to log in and gain access to the Filespace. For more information on this security workflow, see the Filespace key distribution article.

Okta Setup

The following scope/permission is required:

okta.users.read.self

 

Create a LucidLink application within Okta

1. Log into the Okta Admin panel via the Admin button at the top right corner of your Okta account.

2. Go to Applications -> click Create App Integration.

Choose OIDC - OpenID Connect as the Sign-in method and select Native Application as the Application type. Then click Next.

3. On the next screen, enter LucidLink for the App integration name, select Refresh Token in the Grant type section, and add the following Sign-in redirect URIs:

http://127.0.0.1:8909/
http://127.0.0.1:8908/
http://127.0.0.1:8907/
http://127.0.0.1:8906/

Select Skip group assignment for now from the Assignments section and click Save:

4. In the Application settings screen, go to the Okta API Scopes tab and grant the following scope/permission.

okta.users.read.self

5. In the Application settings screen, go to the Sign On tab and Edit the OpenID Connect ID Token.

If you are using only Okta-created groups within your LucidLink setup, then set the Group claim type to Filter, set the Groups claim filter to Matches regex with the filter ".*" (which passes the full list of groups), and click Save.

If you are using a mixture of AD-synced groups and Okta-created groups within your LucidLink setup, then set the Group claim type to Expression and enter the following Groups claim expression:
Arrays.isEmpty(Groups.startsWith("active_directory","",100)) ? Groups.startsWith("OKTA","",100) : Arrays.flatten(Groups.startsWith("OKTA","",100),Groups.startsWith("active_directory","",100))
Then click Save.


The result will look like this in the Okta portal once you click Save.

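To make the step 5 claim settings concrete, here is an added Python model (not LucidLink or Okta code) of what each configuration places in the ID token's groups claim for a given user. It assumes a user's memberships are (source, name) pairs, with source "OKTA" for Okta-created groups and "active_directory" for AD-synced groups, and approximates Groups.startsWith, Arrays.isEmpty and Arrays.flatten from their documented Okta Expression Language semantics.

```python
import re

# Constructed sample memberships (not real tenant data): (source app type, group name).
OKTA_ONLY_USER = [("OKTA", "Everyone"), ("OKTA", "LucidLink-Editors")]
MIXED_USER = [
    ("OKTA", "Everyone"),
    ("active_directory", "Domain Users"),
    ("active_directory", "Video-Team"),
]


def groups_starts_with(groups, app, prefix, limit):
    """Approximation of Okta EL Groups.startsWith(app, prefix, limit):
    names of the user's groups owned by `app` whose name starts with
    `prefix`, returning at most `limit` of them. An empty prefix, as in
    the page's expression, matches every group from that app."""
    names = [name for src, name in groups if src == app and name.startswith(prefix)]
    return names[:limit]


def filter_claim(groups, pattern=".*"):
    """Okta-only setup: Group claim type 'Filter', 'Matches regex' <pattern>.
    The page's ".*" pattern passes every group the user belongs to.
    Full-string matching is assumed, as with Java's Pattern.matches."""
    rx = re.compile(pattern)
    return [name for _src, name in groups if rx.fullmatch(name)]


def expression_claim(groups):
    """Mixed AD/Okta setup: the page's Groups claim expression
    Arrays.isEmpty(Groups.startsWith("active_directory","",100))
      ? Groups.startsWith("OKTA","",100)
      : Arrays.flatten(Groups.startsWith("OKTA","",100),
                       Groups.startsWith("active_directory","",100))
    A user with no AD groups gets only Okta groups; otherwise both lists
    are flattened into one claim, each capped at 100 entries."""
    ad_groups = groups_starts_with(groups, "active_directory", "", 100)
    okta_groups = groups_starts_with(groups, "OKTA", "", 100)
    if not ad_groups:                   # Arrays.isEmpty(...)
        return okta_groups
    return okta_groups + ad_groups      # Arrays.flatten(...) concatenates


if __name__ == "__main__":
    for label, user in (("okta-only", OKTA_ONLY_USER), ("mixed", MIXED_USER)):
        print(label, "filter:", filter_claim(user))
        print(label, "expression:", expression_claim(user))
```

Comparing the two functions on the same user shows why the expression matters: the plain ".*" filter passes AD and Okta groups alike, while the expression lets you control the ordering and the per-source cap.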
Assign Okta users and groups to the LucidLink application

6. Select the Assignments tab, click the Assign button, and choose Assign to People or Assign to Groups.


Configure a LucidLink Filespace to add Okta as an identity provider

7. In Okta, navigate to Applications -> Applications and click on the LucidLink app name. In the General tab, scroll down to the Client ID parameter and copy its value to your clipboard.

Note: Sometimes the Copy to clipboard button in the Okta portal does not function as expected. If you use it, please triple-check that the copied value matches what the portal shows.

8. Obtain your OpenID URL from your Okta account Admin portal panel.

Note: Sometimes the Copy to clipboard button in the Okta portal does not function as expected. If you use it, please triple-check that the copied value matches what the portal shows.

9. From within the LucidLink client, log in as the root user to a given LucidLink Filespace and open the Control panel. Click on the SSO menu.

10. Select the Configure Okta card.

11. Enter the Client ID from Step 7.

12. Enter the OpenID URL from Step 8, which should look similar to "https://account-012345.okta.com/", where "account-012345" is your tenant/company name.

13. Click Continue; the Save the Filespace key page will appear within the LucidLink client.

14. Choose Save key. The default location is the folder named .lucid-keys.

15. Select Finish integration to complete the Okta setup.

16. Congratulations, you're nearly there! Simply share the Filespace key (the key is a file named name.fskey) with any user within your organization that needs access to the Filespace. Finally, configure your users and group shares.

Important: This Filespace key needs to be stored and shared within your organization by the LucidLink root or admin user, and applied on every client workstation or laptop when connecting that Filespace for the first time. This is a one-time-only process for each Filespace.
