LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups

  • Updated


Please note, as of Filespace format 2.2 the legacy term “Shares” has been changed to “Permissions.”



Target audience: Filespace administrators



LucidLink's single sign-on (SSO) mechanism authenticates users using their organization's existing identity provider (currently Okta or Azure AD). We have redesigned our SSO implementation to address some deficiencies in our legacy SSO implementation, making it easier to set up for small and large organizations alike. This new version of SSO supports all existing LucidLink 2.0 Filespaces. 


LucidLink Single Sign-On (SSO) Knowledge Base Articles in this Series

This LucidLink Knowledge Base article is the first in a series of seven articles fully describing how to integrate and deploy the new SSO implementation. The series includes the following articles:

  1. LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups (this article)
  2. LucidLink Single Sign-On (SSO): Integrating with Okta
  3. LucidLink Single Sign-On (SSO): Integrating with Azure AD
  4. LucidLink Single Sign-On (SSO): Azure AD Filespace Certificate & Secret Renewal
  5. LucidLink Single Sign-On (SSO): Filespace key Distribution Workflow
  6. LucidLink Single Sign-On (SSO): First-time SSO Login Fundamentals
  7. LucidLink Single Sign-On (SSO): Assigning Shares to Single Sign-On Users and Groups
  8. LucidLink Single Sign-On (SSO): Legacy to Just-in-Time Migration


New SSO vs. Legacy SSO Implementation

Key improvements over the legacy implementation include the following:

  • No need for a Filespace admin to confirm new users manually. In the legacy implementation, a Filespace admin needed to confirm new users manually before they could start using the Filespace. 
  • No need for extended permissions within the identity provider application setup.
  • No need for changes to the existing identity provider setup (e.g., for adding extra user attributes).
  • The initial setup time is significantly reduced.

Additional capabilities and notes:

  •  For "pay as you go" customers, just-in-time provisioning for users and groups means customers will no longer need to pay for users that have never logged in to LucidLink through SSO. Users and groups will be created automatically and just-in-time when the user first logs into a LucidLink Filespace.
  • Administrators can now assign shares even for users that have not yet logged into LucidLink.
  • The new SSO implementation has been redesigned from scratch, allowing LucidLink to easily expand its support for other identity providers in future releases.
  • If running a version 2.0 Filespace, customers will not need to copy their user data to a new Filespace to enable the new SSO implementation. 

As part of the new single sign-on (SSO) setup process, a special Filespace key capability has been introduced to the LucidLink solution. It serves as an additional layer of security, providing a Zero-Knowledge guarantee by ensuring that LucidLink has no access to the data stored in your Filespace.

The Filespace key file needs to be distributed to each device that will log in through this new SSO implementation. This is a one-time only requirement per Filespace and for each unique workstation or laptop that needs to connect to the Filespace. 



All LucidLink users and administrators will require the LucidLink version 2.1 client or later installed to use the new SSO implementation.



  • All existing LucidLink 2.0 Filespaces
  • All major operating systems (macOS, Windows, Linux)

Important links for administrators

Important links for users




Was this article helpful?

0 out of 0 found this helpful