LucidLink Single Sign-On (SSO): Integrating with Entra ID


Please note, as of Filespace format 2.2, the legacy term “Shares” has been changed to “Permissions.”


Target audience: Filespace administrators

This article is part of the LucidLink Single Sign-On (SSO): "Just-in-Time" Provisioning for Users and Groups series of articles.

Overview

The “just-in-time" provisioning single sign-on (SSO) workflow allows you to integrate an identity provider with a LucidLink Filespace. After the completion of the integration, users will be able to authenticate against that identity provider and log in to the Filespace, gaining access to group or individual shares within the Filespace.

Filespace key

As part of the SSO setup process of the Filespace, a special “Filespace key” file is generated. The Filespace key workflow serves as an additional layer of security, providing a Zero-Knowledge guarantee and ensuring that LucidLink has no access to the data stored in your Filespace.

The Filespace key needs to be stored and distributed by the customer's organization and ultimately provided to each user, who then "imports" the key once per device in order to log in and gain access to the Filespace and its contents. For more information on this security workflow, see the Filespace key distribution article.

Entra ID Setup

Requirements:

  • You will need to use an Entra ID user with sufficient administrative rights.
  • The LucidLink service will require the GroupMember.Read.All Application permission for the Graph API in order to be able to support group-based access granting for Filespace shares.
  • A client secret needs to be generated in Entra ID and provided for authenticating these API calls.

Setup instructions:

1. Log in as an administrator to your Azure portal.

2. Open the App registrations and select New registration.

3. Enter the following data for registering the new application:

  • Name: LucidLink

  • Redirect URI: select Public client/native (mobile & desktop) and enter http://127.0.0.1:8906/

  • Click Register to register the LucidLink application.

4. Navigate to the Authentication (Preview) menu item, select Edit for Mobile and desktop applications and add the following URIs.

http://127.0.0.1:8906/
http://127.0.0.1:8907/
http://127.0.0.1:8908/
http://127.0.0.1:8909/

5. Click Configure to preserve the settings.

6. Navigate to the API permissions menu item, click on + Add a permission, select Microsoft Graph.

7. Select Application permissions. Under Select permissions, search for GroupMember.Read.All and tick the GroupMember.Read.All checkbox.

8. Select Add permissions.

9. From within the permissions list, select the newly added GroupMember.Read.All permission and click Grant Admin Consent for Default Directory.

If the Grant admin consent option or its confirmation is not shown, check your Azure role. You will need to use an Entra ID user with sufficient administrative rights, i.e. Global Admin.

10. Configure groups claim. Navigate to the Token configuration menu item and select Add groups claim.

11. Select Groups assigned to the application and then choose Add.

12. Navigate to the Certificates & secrets menu item.

13. Click on New client secret to add a new secret.

14. Select the desired expiration. Microsoft's recommendation for the expiration is six months; however, you can choose an appropriate expiration period based on your organization's policy or established security practices.


Once the secret expires, group-based access granting will stop working within the LucidLink Filespace. You will therefore need to rotate the secret before it expires to avoid any loss of LucidLink Filespace functionality.

You can update your secret value via lucid2 config --Sso.ClientSecret as per this KB article.

15. Click Add.

16. Now copy to your clipboard the Value. This secret value will be needed when integrating Azure AD within the LucidLink client.

Client secret values cannot be viewed, except immediately after creation. Be sure to save the secret when created before leaving the page.

17. From within the LucidLink client app, log in as the LucidLink root user.

18. Go to the LucidLink Control Panel and select the SSO tab on the left-hand side.

19. Click the Configure button inside the Azure AD card.

20. Paste the LucidLink client secret value copied in Step 16 in the Client Secret field.

21. Return to the Azure portal, navigate to App Registrations -> LucidLink -> Overview, and choose to copy the Application (client) ID and paste it into the Application (client) ID field in the LucidLink client.

22. While still on App Registrations -> LucidLink -> Overview, click Endpoints, and copy the OpenID Connect metadata document URL.

23. Paste it into the OpenID Connect metadata document field in the LucidLink client and click Continue.

24. Save the unique Filespace key for this particular LucidLink Filespace. By default it is stored in the folder named .lucid-keys.

Please note: Do not share this Filespace key outside your organization. Also: LucidLink employees will never ask for your Filespace key.

25. Once the Filespace key is saved, you may proceed with Finish integration.

26. Congratulations, you're nearly done! You can now distribute your Filespace key and configure your users and group shares.

27. From within the Azure AD Admin portal, navigate to Enterprise applications -> LucidLink -> Properties and set Assignment required? to Yes. Click Save.

28. While still in Enterprise applications -> LucidLink, open Users and groups, click Add user/group, select Users and groups, and select one or more admin or non-admin users. Click Select, then click Assign.
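The steps above leave three settings that are easy to get wrong and that silently break or weaken the integration: the redirect URIs (steps 3 and 4), the groups claim (steps 10 and 11), and the client secret expiry (step 14). The following audit script is an added example, not LucidLink's or Microsoft's code. It reads an exported app registration manifest offline (the sample document is constructed here; the field names publicClient.redirectUris, groupMembershipClaims and passwordCredentials[].endDateTime follow the Entra ID application manifest, and the assumption that "Groups assigned to the application" is stored as the value ApplicationGroup should be confirmed against your own export) and reports anything that deviates from the configuration this article prescribes, including secrets that are expired or about to expire.

```python
"""Offline audit of a LucidLink app registration manifest (added example)."""
from datetime import datetime, timedelta, timezone

# The four loopback redirect URIs registered in steps 3 and 4 of the article.
EXPECTED_REDIRECT_URIS = {f"http://127.0.0.1:{port}/" for port in range(8906, 8910)}

# Assumption: the portal option "Groups assigned to the application" is exported
# in the manifest as groupMembershipClaims = "ApplicationGroup".
EXPECTED_GROUP_CLAIMS = "ApplicationGroup"

# Constructed sample manifest: one stray non-loopback redirect URI, plus two
# client secrets, one already expired and one expiring within a month.
SAMPLE_MANIFEST = {
    "displayName": "LucidLink",
    "publicClient": {
        "redirectUris": [
            "http://127.0.0.1:8906/",
            "http://127.0.0.1:8907/",
            "http://127.0.0.1:8908/",
            "http://127.0.0.1:8909/",
            "http://localhost:8906/",  # not one of the documented URIs
        ]
    },
    "groupMembershipClaims": "ApplicationGroup",
    "passwordCredentials": [
        {"displayName": "lucidlink-2024", "endDateTime": "2024-12-31T00:00:00Z"},
        {"displayName": "lucidlink-2025", "endDateTime": "2025-06-15T00:00:00Z"},
    ],
}


def _parse_utc(timestamp):
    """Parse the ISO-8601 'Z' timestamps used in the manifest into aware datetimes."""
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def audit_redirect_uris(manifest):
    """Report loopback URIs that are missing and any URI outside the documented set."""
    configured = set(manifest.get("publicClient", {}).get("redirectUris", []))
    findings = [f"missing loopback redirect URI {u}" for u in sorted(EXPECTED_REDIRECT_URIS - configured)]
    findings += [f"unexpected redirect URI {u}" for u in sorted(configured - EXPECTED_REDIRECT_URIS)]
    return findings


def audit_group_claims(manifest):
    """Group-based share access needs the groups claim configured as in steps 10-11."""
    value = manifest.get("groupMembershipClaims")
    if value != EXPECTED_GROUP_CLAIMS:
        return [f"groupMembershipClaims is {value!r}, expected {EXPECTED_GROUP_CLAIMS!r}"]
    return []


def audit_secrets(manifest, now, warn_days=30):
    """Flag expired secrets, secrets expiring within warn_days, and the absence of any valid secret."""
    findings = []
    valid = 0
    for cred in manifest.get("passwordCredentials", []):
        end = _parse_utc(cred["endDateTime"])
        name = cred.get("displayName") or cred.get("keyId", "<unnamed>")
        remaining = end - now
        if remaining <= timedelta(0):
            findings.append(f"secret {name} expired on {end.date()}")
            continue
        valid += 1
        if remaining <= timedelta(days=warn_days):
            findings.append(f"secret {name} expires in {remaining.days} days ({end.date()})")
    if valid == 0:
        findings.append("no unexpired client secret: group-based access will stop working")
    return findings


def audit(manifest, now=None):
    """Run all checks; 'now' defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return audit_redirect_uris(manifest) + audit_group_claims(manifest) + audit_secrets(manifest, now)


if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST, now=_parse_utc("2025-06-01T00:00:00Z")):
        print("FINDING:", finding)
```

Run it periodically (for example from the same job that reminds you to rotate the secret) against a fresh export of the manifest; a finding on the secret check is the cue to generate a new secret and update it with lucid2 config --Sso.ClientSecret before group-based access stops working.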
