Okta SCIM and SAML Application

Last updated: April 9, 2018


Overview

Objective

Things to note before installing the application:

  • Your SSO configuration is not the same as user provisioning. The SSO configuration is based on the preferences you set up on the Sign-On tab.

  • Additionally, SSO is based on the data center you choose when configuring SAML 2.0. User provisioning is based on the token issued after you approve the SSO process.

  • When removing a user's security group assignment, the Okta application does not delete the user from SpringCM; it will only deactivate the user in SpringCM. If you want to delete the security group from Okta, first unlink the pushed group and then choose "Delete the group in the target app".

  • Usernames have to be changed at the profile level, not within the application. Changing the username at the application level results in an error.

Concepts

Use Cases

SpringCM's integration with Okta supports the following use cases:

  • Provisioning new users from Okta to SpringCM. This includes the following information:
    • First Name
    • Last Name
    • Username (defaults to the Okta username)
    • Email (for the first time)
    • Street Address
    • City
    • State 
    • Country
    • Zip
    • Title
  • Updating existing users and mapping to a security group. 
  • Provisioning Security Groups:
    • Assigning/reassigning users to a security group
    • Removing a user's security group assignment
    • All users are provisioned as Full Subscribers. The Super Admin and Guest roles cannot be assigned. 
  • Deprovisioning users from Okta to SpringCM. Users cannot be deleted from the Okta instance; you can only deactivate them.
    From Okta: "Deactivates a user's SpringCM account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta."
SpringCM's integration with Okta does not support the following use cases:
  • Creating a user with a role other than Full Subscriber. Assigning the Super Admin, User Admin, or Guest role is not an option. 
  • Syncing from SpringCM back to Okta. 
  • Importing from SpringCM to Okta. 
  • Managed By.

Known Issues

  • When you configure your Okta application, you cannot change the user email address once the user has been provisioned in SpringCM.

  • "Region" and "Country Code" cannot be removed from the SpringCM user profile associated with the SCIM login.
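The use cases and known issues above describe what the SCIM push carries and what it refuses. The following Python is an added example (not part of the original article or of the Okta/SpringCM integration itself) that models that contract: it maps an assumed Okta profile shape to the SCIM 2.0 User attributes the integration supports, refuses an email change after first provisioning, and expresses deprovisioning as a deactivation rather than a delete. The Okta profile key names and the sample profile are constructed assumptions.

```python
# Okta profile keys (assumed names) -> SCIM 2.0 address sub-attributes (RFC 7643).
ADDRESS_KEYS = {"streetAddress": "streetAddress", "city": "locality",
                "state": "region", "country": "country", "zipCode": "postalCode"}
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample Okta profile; not real data.
SAMPLE_OKTA_PROFILE = {
    "login": "jdoe@example.com", "email": "jdoe@example.com",
    "firstName": "Jane", "lastName": "Doe", "title": "Analyst",
    "streetAddress": "1 Main St", "city": "Chicago", "state": "IL",
    "country": "US", "zipCode": "60601",
}

def to_scim_user(profile: dict) -> dict:
    """Map an Okta profile to the SCIM User the integration supports.
    Only the listed attributes are copied; there is no role attribute because
    every pushed user becomes a Full Subscriber."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": profile["login"],  # defaults to the Okta username
        "name": {"givenName": profile.get("firstName", ""),
                 "familyName": profile.get("lastName", "")},
        "emails": [{"value": profile["email"], "primary": True}],
        "active": True,
    }
    if profile.get("title"):
        user["title"] = profile["title"]
    address = {scim: profile[okta] for okta, scim in ADDRESS_KEYS.items() if okta in profile}
    if address:
        user["addresses"] = [dict(address, primary=True)]
    return user

def update_patch(existing: dict, profile: dict) -> dict:
    """PatchOp carrying only changed attributes. Email is immutable after the
    first provisioning (known issue), so such a change is refused up front."""
    target = to_scim_user(profile)
    if target["emails"] != existing["emails"]:
        raise ValueError("email cannot be changed once the user is provisioned")
    ops = [{"op": "replace", "path": k, "value": v} for k, v in target.items()
           if k not in ("schemas", "emails", "active") and existing.get(k) != v]
    return {"schemas": [PATCH_SCHEMA], "Operations": ops}

def deactivate_patch() -> dict:
    """Deprovisioning: Okta deactivates the SpringCM user, it never deletes it."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
```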

Admin How To

Add the SpringCM Application

  1. Log in to your Okta account. The Okta dashboard opens.
  2. Click the Admin button to work in your Okta instance as an Administrator. If you do not have the Admin button available, please contact your System Administrator.
  3. Hover over the Applications dropdown menu.
  4. Select the Applications option from the list.
  5. Click the Add Applications button. The Add Application screen displays.
  6. In the "Search for Application" bar, enter "SpringCM."
  7. Select the SpringCM application from the results list. The Add Application wizard opens.

Set Up the SpringCM Application - SAML 2.0 Configuration

It is recommended you do this procedure with two browser tabs open: one with Okta and one with SpringCM.

  1. On the Sign-On Options page, select the SAML 2.0 radio button.
  2. Click the View Setup Instructions button to open the setup guide. Follow the setup instructions to configure the SAML 2.0 signon. 
    1. Download the security certificate.
    2. Upload the certificate to your SpringCM account. It is recommended that you upload this to an Admin folder to avoid other users interacting with it.
    3. Copy the Issuer URL provided by Okta (e.g., www.okta.com/afdd863kkc14fLg7Yth9).
    4. Paste the Issuer URL into the Issuer field in SpringCM > Preferences > SAML SSO.
    5. Copy your Service Provider (SP) Initiated Endpoint URL provided by Okta.
    6. Paste the SP Initiated Endpoint URL in the Service Provider (SP) Initiated Endpoint field in SpringCM > Preferences > SAML SSO.
    7. On SpringCM > Preferences > SAML SSO, change the SAML Enabled radio option from "Disabled" to "Enabled."
  3. Click the Instance Type dropdown menu under Advanced Sign-On Settings on the Sign-On tab.
  4. Select the instance type (i.e., "Production" or "Sandbox") from the list.
  5. Copy your SpringCM ACS URL (can be found in SpringCM > Preferences > SAML SSO).
  6. Paste the ACS URL into the SpringCM ACS Url field on the Sign-On > Settings tab in Okta.
  7. Under the Credentials Details section, click the Application username format dropdown menu.
  8. Choose the Okta Username option.
    Note: Password reveal settings are disabled when you use a SAML SSO configuration.
  9. Click the Done button.

Set Up the SpringCM Application - SCIM Configuration

  1. On the General tab, choose a data center (e.g., na11, eu11, etc.) from the Data Center dropdown menu.
  2. Leave the Application Visibility checkbox unchecked.
  3. Check the Browser plugin auto-submit checkbox ("Automatically log in when user lands on login page.")

    [Screenshot: okta-app-settings]

  4. Click the Next button to continue.
  5. On the Sign On tab, make sure the default value for Sign On Methods for SpringCM's instance is "SAML 2.0".
  6. Under Credentials Details, make sure the Application username format has defaulted to "Okta username".
  7. Click the Next button to continue.

    [Screenshot: okta-cred-details]

Provisioning Options

  1. Click the Provisioning tab. This tab opens to To App provisioning settings by default.
  2. Click the Edit button in the Provisioning to App section.
  3. Check the Enable checkboxes for the following provisioning use cases:
    1. Create Users
    2. Update User Attributes
    3. Deactivate Users
  4. Click the Save button to save your changes.

    [Screenshot: okta-provisioning]

Groups

Groups must be created in Okta first and then pushed to SpringCM. If you have groups created in SpringCM and you want them reflected in your Okta application, you must delete those groups in SpringCM and create them in Okta. 

Before deleting groups in SpringCM, it is imperative that you review your workflows and other configurations to ensure that they are not impacted by the deletion of a group (e.g., configurations do not contain GUIDs, etc.).

Create an Application Group

  1. Hover your cursor over the Directory menu.
  2. Select the Groups option from the list.
  3. Click Add Group. The Add Group pop-up displays.
  4. Enter a group name in the Name field.
    You can optionally enter a group description for reference purposes.
  5. Click the Add Group button.
  6. Navigate back to the SpringCM application (Applications menu).
  7. Click the Push Groups tab.
  8. Click the Push Groups dropdown menu.
  9. Select "Find Groups by Name".
  10. Enter the group name in the search bar. Groups that are already added will auto-populate so you can select it from the list.

    [Screenshot: okta-push-group]

  11. Click the Create Group dropdown menu on the Push Groups by Name search results page.
    Note: If the Push group memberships immediately checkbox is checked, once you click Save, your group will push to SpringCM.
  12. Select "Create Group" from the list.
  13. Click the Save button at the bottom of the list.

Authenticate the Application

  1. On the Provisioning tab, leave the default settings on the "To App" step.
  2. Click the API Integration step.
  3. Check the Enable API integration checkbox.
  4. Click the Authenticate with SpringCM button. A SpringCM login window opens.
  5. Enter your SpringCM Super Administrator credentials and click the Log In button. An authentication screen displays with the following message: 
    "Okta would like access to SpringCM on your behalf.
    Requested Access:
    Full access to your SpringCM accounts"
  6. Click the Approve button to authorize Okta to integrate with your SpringCM account. The authenticator window closes and you are returned to Okta's API Integration page. The following message displays when authentication is successful: SpringCM SCIM 2.0 Test App was verified successfully!
  7. Click the Next button to continue.