LucidLink Single Sign-On (SSO): Filespace Key Distribution Workflow


Target audience: Filespace administrators

This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.

 

Overview

As part of the SSO setup of a LucidLink Filespace, a dedicated file known as the Filespace key is generated. The Filespace key workflow adds a layer of security on top of SSO: because the key is held and distributed only by the customer and never by LucidLink, the Zero-Knowledge guarantee is preserved and LucidLink has no access to the data stored in your Filespace.

The Filespace key must be stored and distributed by the customer's organization. Users must import the Filespace key once per device before they can log in and access the Filespace. Treat the key file as sensitive and make it available only to the users of the Filespace.

This article describes several methods for distributing the Filespace key within your organization.

 

Filespace Key Distribution

The Filespace key can be distributed in the following ways:

  • Hosted within your corporate intranet service;
  • Securely transmitted or sent to each user;
  • Hosted on a file share only accessible to your Filespace users;
  • Distributed across your devices via policy or via a managed device file rollout.

Most mobile device management (MDM) suites can distribute files securely to managed devices and endpoints, and Active Directory Group Policy offers an equivalent capability that works with our implementation.

The generated Filespace key naming convention follows this structure:
<filespace>.<domain>.<trimmed_filespace_id>.fskey

On the first login attempt, the LucidLink client looks for the Filespace key in the following order:

  1. The per-user key folder:
    • $HOME/.lucid-keys/<filespace>.<domain>.<trimmed_filespace_id>.fskey
    • Example on macOS: ~/.lucid-keys/myfilespace.mydomain.3edaba6f1845.fskey
    • On Windows the equivalent folder is %userprofile%\.lucid-keys, which is the path the deployment methods below write to.
  2. If the key is not found there, the client prompts the end user to import it manually. The user must first download the Filespace key from wherever the organization's administrator has published it, then browse to the file and import it.

Important: If a new SSO integration is created, a new Filespace key file will be generated. Make sure to distribute the new Filespace key across all devices.

Note: A LucidLink employee will never ask for your Filespace key.

Mobile Device Management / Policy File Distribution

The recommended method for distributing the Filespace key is through mobile device management (MDM).

JAMF Composer Package File

JAMF Composer can build a DMG (.dmg) package that deploys files and folders into each user's home folder on the device (for more information, see the JAMF Composer Overview). To use this approach:

1. Build a .dmg package in JAMF Composer with the Fill Existing Users (FEU) option enabled, so the key is copied into the home folder of every user account that already exists on the device. If accounts created later also need the key, enable Fill User Templates (FUT) as well.

2. Drag your Filespace key from the Finder into the Package Contents pane in Composer.

3. Place the Filespace key at the path /Users/$USERNAME/.lucid-keys in the package source, so it lands in each user's .lucid-keys folder.

4. Deploy the package to the required devices.

Alternatively, deploy the Filespace key with a script, following the JAMF Script Creation method.
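The client lookup location described above and the script-based alternative to a Composer package can be combined into a single deployment script. The following is an added example written for this article, not LucidLink's or Jamf's own code: it refuses key files that do not follow the naming convention (assuming the trimmed Filespace id is 12 hex digits, as in the example above), stages the key in <home>/.lucid-keys with owner-only permissions, and verifies the installed file against a SHA-256 digest the administrator recorded from the original key, which also catches the wrong-key situation covered in the FAQ. The argument order (<key file> <user home> [owner]) and the idea of staging the key in a temporary location first are assumptions to adapt to your MDM's parameter convention.

```shell
#!/bin/sh
# Added example, not LucidLink's own code: stage a Filespace key into the
# per-user folder the LucidLink client checks first ($HOME/.lucid-keys) with
# owner-only permissions, then verify the deployed file against a known
# SHA-256 so a wrong or altered key is caught before users hit login failures.
# Intended as the body of an MDM script run as root; wire the arguments to
# your tool's parameter convention (assumption: <key file> <user home> [owner]).
set -u

# Naming convention from the article: <filespace>.<domain>.<trimmed_filespace_id>.fskey
# Assumption: the trimmed id is 12 hex digits, as in the article's example.
FSKEY_NAME_RE='^[A-Za-z0-9_-]+\.[A-Za-z0-9._-]+\.[0-9a-f]{12}\.fskey$'

# valid_fskey_name <path>: exit 0 if the file name follows the convention.
valid_fskey_name() {
    basename -- "$1" | grep -Eq "$FSKEY_NAME_RE"
}

# sha256_of <path>: hex digest via sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_fskey <key file> <user home> [owner]: copy the key into
# <home>/.lucid-keys with modes 0700 (folder) / 0600 (file) and print the path.
install_fskey() {
    key=$1; home=$2; owner=${3:-}
    dest_dir="$home/.lucid-keys"
    if ! valid_fskey_name "$key"; then
        echo "refusing to install: $(basename -- "$key") does not match the .fskey naming convention" >&2
        return 2
    fi
    dest="$dest_dir/$(basename -- "$key")"
    # -m only applies when the folder is created, so enforce the mode afterwards too.
    mkdir -p -m 0700 "$dest_dir" && chmod 0700 "$dest_dir" || return 1
    # umask inside a subshell so the copy is never group/world-readable, even briefly.
    ( umask 077 && cp "$key" "$dest" ) || return 1
    chmod 0600 "$dest" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dest_dir" || return 1
    fi
    printf '%s\n' "$dest"
}

# verify_fskey <installed key> <expected sha256>: exit 0 only if the file is
# present, owner-only (-rw-------) and matches the digest the admin recorded.
verify_fskey() {
    dest=$1; expected=$2
    [ -f "$dest" ] || { echo "missing: $dest" >&2; return 1; }
    mode=$(ls -ld -- "$dest" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "loose permissions ($mode) on $dest" >&2; return 1; }
    actual=$(sha256_of "$dest")
    [ "$actual" = "$expected" ] || { echo "digest mismatch: wrong key deployed at $dest" >&2; return 1; }
}

# demo: end-to-end dry run with a constructed sample key (not real key material)
# in a throwaway directory standing in for a user's home folder.
demo() {
    tmp=$(mktemp -d) || return 1
    key="$tmp/myfilespace.mydomain.3edaba6f1845.fskey"
    printf 'constructed sample key material, not a real Filespace key\n' > "$key"
    expected=$(sha256_of "$key")
    dest=$(install_fskey "$key" "$tmp/home") || { rm -rf "$tmp"; return 1; }
    if verify_fskey "$dest" "$expected"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run it as root from the MDM with the target user's home folder and account name, for example install_fskey /private/tmp/myfilespace.mydomain.3edaba6f1845.fskey /Users/alice alice, then call verify_fskey with the digest you computed on the original key before distribution. Remove the staged copy afterwards so the key exists only in the per-user folder.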

 

Microsoft Endpoint Manager / Intune

1. Download the Microsoft Win32 Content Prep Tool.

2. Create a working folder containing the Prep Tool and a subfolder for your source files.

3. Create your copy script (this becomes the setup file) and place it, together with the Filespace key, in the source files folder. For example:

rem Copy script used as the Intune setup file; "echo F" answers xcopy's file-or-directory prompt, and xcopy creates .lucid-keys if it is missing.
echo F|xcopy /Y ".\filespace.domain.a1b234567890.fskey" "%userprofile%\.lucid-keys\filespace.domain.a1b234567890.fskey"


4. Run IntuneWinAppUtil.exe, specifying your source files folder, the setup file (your copy script) and an output folder:

IntuneWinAppUtil -c <source_folder> -s <source_setup_file> -o <output_folder>


5. Deploy the resulting Intune Win32 application with Install behavior set to "User", so the script runs in the signed-in user's session and %userprofile% resolves to that user's profile rather than to the SYSTEM account's.





 

Active Directory Group Policy

Create a logon script that copies the Filespace key into each user's %userprofile%\.lucid-keys folder, or use Active Directory Group Policy (for example a Group Policy Preferences Files item) to deploy the Filespace key from a file-server share.



 

PDQ Deploy - Copy File Step

As with the Group Policy method, the Filespace key must reside on a server share. In the Step Properties of your deployment, select Copy File.

Set the source to the path of the Filespace key on your file server and the target to the user profile directory %userprofile%\.lucid-keys\<filespacekey>.

For further information, see the File Copy Step Properties.


WinRAR - Self-extracting Archive
 

[Screenshots illustrating the WinRAR self-extracting archive configuration]

 

FAQ

 

What happens if the Filespace key is lost?

The Filespace key cannot be regenerated. A LucidLink root user or administrator must remove the existing SSO integration from within the LucidLink client and create a new one, which generates a new Filespace key.

Note that removing the existing SSO integration deletes all SSO users and SSO groups in LucidLink, together with their shares. The data itself is not affected.

 

What happens if the wrong Filespace key is distributed across the organization?

An invalid Filespace key will not allow a successful login to the intended Filespace. If you have distributed an invalid key, redistribute the valid one, placing it in the correct folder on each device.

 

 

 
