Target audience: Filespace administrators
This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.
Overview
As part of the SSO setup process of a LucidLink Filespace, a specialized file, known as a Filespace key, is generated. The Filespace key workflow serves as an additional layer of security, providing a Zero-Knowledge guarantee and ensuring that LucidLink has no access to the data stored in your Filespace.
The Filespace key must be stored and distributed by the customer's organization. For the users to log in and gain access to the Filespace, they are required to import the Filespace key once per device.
Filespace Key Distribution
The generated Filespace key naming convention follows this structure:
<filespace>.<domain>.<trimmed_filespace_id>.fskey
On the first login attempt, each LucidLink client will search for the Filespace key in these locations and in the following order:
- The LucidLink client app will first look here:
- $HOME/.lucid-keys/<filespace>.<domain>.<trimmed_filespace_id>.fskey
- Example on macOS: ~/.lucid-keys/myfilespace.mydomain.3edaba6f1845.fskey
- If not found, the LucidLink client will prompt the end-user to manually import the Filespace key. This will require the end-user to download the Filespace key first (from wherever the organization's administrator directs the end-user) and then manually browse and import the Filespace key.
Important: If a new SSO integration is created, a new Filespace key file will be generated. Make sure to distribute the new Filespace key across all devices.
Note: LucidLink employee will never ask for your Filespace key.
/ Policy File Distribution
The best method for distributing the Filespace key is through
JAMF Composer Package File
The DMG format (.dmg) allows organizations to dynamically deploy files and folders to each user's device (for more information, please reference the JAMF Composer Overview). To leverage this approach, please do the following:
1. Build a .dmg package within JAMF Composer and use the Fill Existing Users (FEU) option.
2. Drag your Filespace key to your package source from the Finder into the Package Contents pane in Composer.
3. Define your Filespace key to be located in the filepath /Users/$USERNAME/.lucid-keys
4. Deploy your package to your required devices.
Alternatively, you could deploy your Filespace key via a script by following the JAMF Script Creation method.
Microsoft Endpoint Manager / Intune
1. Download Microsoft Win32 Content Prep Tool.
2. Create a folder containing your Prep Tool and a folder with your source files.
3. Create your copy script and copy your Filespace key into your source files folder.
echo F|xcopy /Y .\"filespace.domain.a1b234567890.fskey" "%userprofile%\.lucid-keys\filespace.domain.a1b234567890.fskey"
4. Run InTuneWinAppUtil.exe and specify your source files folder and setup file along with your output folder.
IntuneWinAppUtil -c <source_folder> -s <source_setup_file> -o <output_folder>
5. Deploy your Intune Win32 application with Install behaviour "User" to ensure the environment variable of %userprofile%
detects accordingly the payload delivery location per user within the user session.
Active Directory Group Policy
Create a script to transfer the Filespace key to your users %userprofile%\.lucid-keys or leverage the Active Directory Group Policy to deploy your Filespace key from a fileserver share.
PDQ Deploy - Copy File Step
Similar to the Active Directory Group Policy method, you will require your Filespace key to be located on a server share. Within your Step Properties, select Copy File.
Specify your pull path to your Filespace key on your fileserver path as your source and specify the user profile directory %userprofile%\.lucid-keys\<filespacekey>
For further information, please check the File Copy Step Properties.
WinRAR - Self-extracting Archive
FAQ
What happens if the filespace key is Lost?
The filespace key cannot be regenerated. A LucidLink root user or administrator needs to remove the existing SSO integration from within the LucidLink client and generate a new filespace key.
Please note that removing the existing SSO integration will delete all SSO users and SSO groups within LucidLink, as well as their shares. The data itself will not be impacted.
What happens if the wrong filespace key is distributed across the organization?
If you have distributed an invalid filespace key across the organization, all you have to do is to redistribute the valid key, placing it in the correct folder for each device. An invalid filespace key won't allow a successful login to the desired filespace.