SCIM - Okta Configuration

Table of Contents

1. Purpose

2. Supported Features

3. Requirements

4. SSO Configuration

5. SAML Configuration

6. Metadata

7. User Provisioning

8. Group Provisioning

1 Purpose

This document outlines the steps required to configure Okta as the Identity Provider (IDP) for a client’s user base. In this scenario, the authentication request source will be the MetaCompliance Azure B2C.

Once configured, all authentication requests on the MyCompliance Cloud portal will be redirected to the client's IDP. Automatic user provisioning is also included as part of the integration between Okta and MyCompliance.

2 Supported Features

The Okta IDP can be used for the following functions:

  • Create Users
  • Update User Attributes
  • Deactivate Users
  • Push Groups

3 Requirements

Provisioning of user accounts and groups requires an Okta Advanced Lifecycle Management licence.

4 SSO Configuration

  • Navigate to your Okta instance > Applications > Add Application > Create New App:


  • Settings:


  • Use the supplied PNG file to identify the app:


*Note: You may wish to hide the MyCompliance app from users by selecting 'Do not display application icon to users'.

  • The MyCompliance application is SP-initiated; therefore, if a user clicks on the MyCompliance app tile in Okta, they will not be logged in via SSO.
  • An alternative is to use a bookmark with a Domain Hint URL, which bypasses the initial login screen at MyCompliance and honours any existing authentication cookies from your IDP.
  • The Domain Hint URL can be obtained from your MetaCompliance Technical Representative.

5 SAML Configuration

a. Single sign-on URL:

b. Audience URI (SP Entity ID):


  • Review the 'Advanced Settings' and ensure they are set as follows:


*Note that these may need to be altered depending on how your users are created or synchronised (for example, from Active Directory).

  • At this stage, you may preview the SAML assertion to confirm your settings.
  • Select Next to complete the SSO configuration.


6 Metadata

  • To complete the configuration of the MetaCompliance B2C environment and the MyCompliance App, you must provide the following information to your MetaCompliance Technical Representative.
  • Browse to your Okta Instance > Applications, and select MyCompliance from your apps list.


  • Select the 'Sign On' tab.
  • Within the settings, you will find a link named 'Identity Provider Information'.
    • You can download the XML metadata file, which contains the necessary certificates, and send this to your MetaCompliance Technical Representative, or alternatively, you can provide the link/URL itself.
  • This URL will contain your Instance ID and usually has the following format:


7 User Provisioning

  • MyCompliance supports the automated provisioning of user accounts via the SCIM protocol. Your Okta instance may include this functionality, which removes the administrative effort involved in user onboarding and offboarding.
  • It should be noted that the User Provisioning functionality requires a Lifecycle Management licence from Okta.

To enable User Provisioning, please follow the below instructions.

  • Go to the MyCompliance application (within Okta) that was added in the previous steps.
  • Click on the 'General' tab, followed by Edit.


  • Under the 'Provisioning' setting, select the 'SCIM' radio button, as below.


  • Once saved, you should now see the 'Provisioning' tab. Select this, and click on Edit.


  • Enable the settings as in the below screenshot.
    • The 'SCIM connector base URL' should be entered as follows:
      • https://scim.metacompliance.com/scim/okta/uniqueguidassupplied
    • The 'Unique Identifier Field for users' option should be set to userName.
    • Under 'Authentication Mode', select HTTP Header and enter your 'Bearer token' as supplied by your technical representative.


  • Click on Test Connector Configuration. All tests should pass.


  • If all tests pass, you can then Save the configuration.
    • Once saved, enable the Create Users, Update User Attributes and Deactivate Users selections by editing the 'Provisioning to App' settings.
    • It is important to ensure 'Sync Password' is not selected: authentication is federated to your IDP via SAML, so MyCompliance never needs a copy of the Okta password.


  • Before assigning a user to the MyCompliance application, you must now modify the user 'Attribute Mappings'.
  • To do this, open the 'Provisioning' tab within the MyCompliance App and scroll to the bottom of the page to the 'MyCompliance Attribute Mappings' section.
  • You will need to remove all attributes except for those in the screenshot below. If these are not removed, the users will fail to synchronise.


  • As of April 2021, you may include the 'Manager' field in the list of attributes supported for synchronisation. As per the SCIM specification (RFC 7643), this allows you to represent organisational hierarchy by referencing the ID attribute of another user.
  • Below is an example of how to obtain the manager's 'externalId' (required by MyCompliance) by using an Okta expression as the attribute value:
    • getManagerAppUser("managerSource","attributeSource").externalId


  • You should use the 'Attribute Preview' feature in Okta to ensure you have the correct expression. Refer to the Okta documentation on writing Manager Expressions for more information.
  • Please note that, at this time, Active Directory is the only supported value for managerSource. This is an Okta limitation, not a limitation imposed by MetaCompliance.
  • Once the sync options and attribute mappings have been modified, you may assign the app to users and groups under the 'Assignments' tab.
  • Once a user or group has been assigned, the associated user accounts will be synchronised to MyCompliance.
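As an added example (not MetaCompliance's or Okta's code), the checks a SCIM endpoint should apply to an Okta 'Create User' request configured as above: the bearer token carried in the HTTP header, userName as the unique identifier, refusal of any password attribute, and the manager reference arriving in the SCIM enterprise extension. The token value, user ids and payload are constructed placeholders.

```python
import hmac
import json

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Constructed placeholder; the real token is supplied by the technical representative.
CONFIGURED_TOKEN = "example-bearer-token-placeholder"


def check_bearer(headers, expected=CONFIGURED_TOKEN):
    """Constant-time check of 'Authorization: Bearer <token>' against the configured secret."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected.encode())


def validate_create_user(headers, body):
    """Return (http_status, detail) for an Okta SCIM POST /Users request."""
    if not check_bearer(headers):
        return 401, {"error": "missing or invalid bearer token"}
    try:
        user = json.loads(body)
    except json.JSONDecodeError:
        user = None
    if not isinstance(user, dict):
        return 400, {"error": "body is not a JSON object"}
    # userName is the configured unique identifier; without it the account
    # cannot be created now or matched on later updates/deactivations.
    if not user.get("userName"):
        return 400, {"error": "userName is required"}
    # 'Sync Password' must stay off in Okta: authentication is federated via
    # SAML, so a password attribute is refused rather than silently stored.
    if "password" in user:
        return 400, {"error": "password attribute is not accepted"}
    # The manager arrives as a reference to another user's id, which the
    # page's Okta expression populates from the manager's externalId.
    manager_ref = user.get(ENTERPRISE_EXT, {}).get("manager", {}).get("value")
    return 201, {"userName": user["userName"], "manager": manager_ref}


# Constructed sample request shaped as Okta sends it for this configuration.
SAMPLE_HEADERS = {"Authorization": "Bearer " + CONFIGURED_TOKEN,
                  "Content-Type": "application/scim+json"}
SAMPLE_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE_EXT],
    "userName": "jane.doe@example.com",
    "externalId": "00u1abcXYZ",
    "active": True,
    ENTERPRISE_EXT: {"manager": {"value": "00u2mgrABC"}},
})

if __name__ == "__main__":
    print(validate_create_user(SAMPLE_HEADERS, SAMPLE_BODY))
```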


8 Group Provisioning

  • From the 'Push Groups' tab, you can select groups to be pushed to MyCompliance.
    • Pushing groups does not create user accounts; it creates the Group Name in MyCompliance and links each member to that Group.
  • It is important to note that all users must first be assigned to the app within Okta, and the account successfully created within MyCompliance. You can verify that your accounts have been created by checking the 'User Management' section within MyCompliance.
  • Once your accounts have been created, you may then push the groups to MyCompliance.
  • The Group can then be used for targeting content with MyCompliance.
    • In the example below, we have pushed the Finance and Legal groups.
