SCIM - Okta Configuration

Table of Contents

1. Purpose

2. Supported Features

3. Requirements

4. SSO Configuration

5. SAML Configuration

6. Metadata

7. User Provisioning

8. Group Provisioning

1 Purpose

This document outlines the steps required to configure Okta as the Identity Provider (IDP) for a client's user base. In this scenario, the authentication requests originate from the MetaCompliance Azure B2C tenant, which acts as the SAML service provider (SP) towards your Okta IDP.

Once configured, all sign-in attempts on the MyCompliance Cloud portal are redirected to the client's IDP, so MyCompliance never needs to hold a password for these users. Automated user provisioning over SCIM is also included as part of the integration between Okta and MyCompliance.

2 Supported Features

Once integrated, Okta can perform the following provisioning functions against MyCompliance:

  • Create Users
  • Update User Attributes
  • Deactivate Users
  • Push Groups

3 Requirements

Provisioning of User Accounts/Groups requires an Okta Advanced Lifecycle Management Licence.

4 SSO Configuration

  • Navigate to your Okta instance > Applications > Add Application > Create New App.


  • Complete the General Settings, naming the application MyCompliance.

  • Use the supplied MyCompliance PNG logo as the application icon.

⚠️ Note: Because the app does not support IDP-initiated sign-in (see below), you may wish to hide the MyCompliance app from users' Okta dashboards by selecting the Do not display application icon to users option.

  • The MyCompliance SAML integration is SP-initiated only; clicking the MyCompliance tile in the Okta dashboard (IDP-initiated sign-in) will not log the user in.
  • As an alternative, create an Okta bookmark pointing at a Domain Hint URL. This URL bypasses the initial MyCompliance login screen, sends the user straight to your IDP and honours any existing IDP session cookie, so users already signed in to Okta are not prompted again.
  • The Domain Hint URL can be obtained from your MetaCompliance technical representative.

5 SAML Configuration

a. Single Sign-On URL:

b. Audience URI (SP Entity ID):

[Screenshot: SAML Settings showing the Single Sign-On URL and Audience URI values]

  • Review the Advanced Settings and ensure they are set as follows:

[Screenshot: Advanced Settings]

⚠️ Note: These settings may need to be altered depending on how your users are created or synchronised (for example, from Active Directory).

  • At this stage, you may preview the SAML assertion to confirm your settings.
  • Select Next to complete the SSO configuration.


6 Metadata

To complete the configuration of the MetaCompliance B2C environment and the MyCompliance App, you must provide the following information to your MetaCompliance technical representative:

  • Browse to your Okta Instance > Applications, and select MyCompliance from your apps list.


  • Select the Sign On tab.
  • Within the SAML 2.0 sign-on settings, locate the Identity Provider Information link.
    • You can download the XML metadata file, which contains your IDP entity ID, sign-on endpoints and public signing certificate (no private key material), and send this to your MetaCompliance technical representative.
    • Alternatively, you can provide the metadata link/URL itself.
  • This URL will contain your Instance ID and usually follows the format:

[Screenshot: Identity Provider metadata URL format]
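Before sending the metadata export on, it is worth confirming that it really is IDP metadata and that it carries what the B2C side needs: an entityID, an HTTPS sign-on endpoint and a signing certificate. The check below is an added example written for this article, not MetaCompliance or Okta code. SAMPLE_METADATA is constructed in the shape Okta produces; the exkPLACEHOLDER app identifier and example.okta.com host are placeholders, and the certificate body is a five-byte DER stand-in rather than a real certificate.

```python
"""Sanity-check an Okta IdP metadata export before sending it to your
MetaCompliance representative. Added example, not MetaCompliance or Okta code.
SAMPLE_METADATA is constructed: the app identifier is a placeholder and the
certificate body is a 5-byte DER stand-in, not a real X.509 certificate."""
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # DER SEQUENCE{INTEGER 1}
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exkPLACEHOLDER">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}"><ds:X509Data>
        <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/exkPLACEHOLDER/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Extract what the SP side (MetaCompliance B2C) needs from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)},
        "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_certs": [c.text.strip() for c in idp.findall(cert_path, NS)],
    }


def check_metadata(info):
    """Return a list of problems; an empty list means the export is fit to send."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["signing_certs"]:
        problems.append("no signing certificate: B2C could not verify assertions")
    for cert in info["signing_certs"]:
        try:
            der = base64.b64decode(cert, validate=True)
        except Exception:
            problems.append("certificate is not valid base64")
            continue
        if der[:1] != b"\x30":  # every X.509 certificate is a DER SEQUENCE
            problems.append("certificate body is not DER")
    if HTTP_POST not in info["sso"]:
        problems.append("no HTTP-POST SingleSignOnService endpoint")
    for binding, location in info["sso"].items():
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint for {binding} is not https")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso"].get(HTTP_POST))
    print("problems:", check_metadata(info) or "none")
```

Run it against the downloaded XML instead of SAMPLE_METADATA; an empty problem list tells you the file contains the public material B2C needs and nothing is pointing at a plain-HTTP endpoint. The metadata only ever carries the public certificate, so the file is safe to hand over, but it is still worth diffing against what your representative later reports having loaded.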

7 User Provisioning

MyCompliance supports the automated provisioning of user accounts via the SCIM protocol. If your Okta tenant is licensed for this functionality, it removes most of the manual effort involved in onboarding and offboarding users.

⚠️ Important: User Provisioning requires the Okta Lifecycle Management licence noted under Requirements.

To enable User Provisioning:

  • Go to the MyCompliance application (within Okta) added in the previous steps.
  • Click on the General tab, followed by Edit.


  • Under the Provisioning setting, select the SCIM radio button.


  • Once saved, you will see the Provisioning tab. Select this and click on Edit.


  • Enable the settings as shown in the screenshot below:
    • The SCIM connector base URL should be entered as follows:
    • The Unique identifier field for users option should be set to: userName
    • Under Authentication Mode, select HTTP Header and enter the Bearer token supplied by your technical representative.
    • ⚠️ Treat this token as a credential: it authorises Okta to create, update and deactivate every user in your MyCompliance tenant. Store it only in this Okta setting, do not copy it elsewhere, and ask your representative to rotate it if it is ever exposed.

[Screenshot: Provisioning integration settings]

  • Click on Test Connector Configuration. All tests should pass; if any fail, re-check the base URL and Bearer token before continuing.


  • If all tests pass, save the configuration.
    • Then, under Provisioning to App, click Edit and enable Create Users, Update User Attributes and Deactivate Users.
    • ⚠️ Note: Ensure Sync Password is not selected. Users authenticate to MyCompliance through your IDP, so MyCompliance has no need for their Okta passwords, and pushing them would needlessly copy those credentials to a third-party service.


Modify Attribute Mappings

Before assigning any user to the MyCompliance application, you must modify the attribute mappings.

  • Navigate to the Provisioning tab from within the MyCompliance App.
  • Scroll to the bottom of the page to locate the MyCompliance Attribute Mappings section.
  • Remove all attributes except those shown in the screenshot below. If extra attributes are left mapped, users will fail to synchronise.

[Screenshots: the MyCompliance attribute mappings to retain]

Manager Field Support

You can also include the Manager field in the list of attributes synchronised. As defined in the SCIM enterprise user extension (RFC 7643), this represents organisational hierarchy by referencing the id of another user resource rather than a name or email address, so the manager's account must already exist in MyCompliance for the reference to resolve.

  • Below is an example of how to obtain the externalId (the value MyCompliance requires) by using an Okta expression as the mapping value:
    • getManagerAppUser("managerSource","attributeSource").externalId
    • Here managerSource is the app instance that holds the manager relationship and attributeSource is the app instance whose user profile supplies the attribute; replace both with the instance names used in your Okta tenant.

  • Use the Attribute Preview feature in Okta to confirm the expression resolves for a test user.
    • See the Okta documentation on writing manager expressions for the full syntax.
    • ⚠️ Please note: At this time, Active Directory is the only supported value for managerSource. This is an Okta limitation, not a limitation imposed by MetaCompliance.
  • Once the sync options and attribute mappings have been modified, assign the app to users and groups under the Assignments tab.
  • Once a user or group has been assigned, the associated user accounts will be synchronised to MyCompliance.


8 Group Provisioning

From the Push Groups tab, you can select groups to be pushed to MyCompliance.

  • Pushing a group does not create user accounts; it creates a group of the same name in MyCompliance and links each member's existing MyCompliance account to it.

⚠️ It is important to note that:

  • All users must first be assigned to the app within Okta and have had their accounts successfully created within MyCompliance; a pushed group can only link members whose accounts already exist.
  • You can verify the accounts in User Management within MyCompliance before pushing groups.

Once your accounts have been created, you may then push the groups to MyCompliance.

The group can then be used for targeting content with MyCompliance.

In the example below, we have pushed the Finance and Legal groups.

[Screenshot: Push Groups tab showing the Finance and Legal groups pushed]
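The ordering rules in sections 7 and 8 (no passwords in the payload, manager references resolve to an existing user's id, users provisioned before groups are pushed, the bearer token checked on every call) are easiest to see as the SCIM traffic itself. The model below is an added example written for this article, not MetaCompliance or Okta code: the request bodies follow the SCIM 2.0 RFCs, while FakeScimEndpoint is a constructed in-memory stand-in for the MyCompliance service. The token, the example.com users and the attribute set are made up; the attribute set MyCompliance actually requires is the one in the attribute mapping section above.

```python
"""Model of the SCIM 2.0 requests Okta issues for the features enabled in this
article (Create Users, Update User Attributes, Deactivate Users, Push Groups),
run against a constructed in-memory stand-in for the MyCompliance endpoint.
Added example, not MetaCompliance or Okta code; token, users and attribute set
are made up."""
import uuid

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
TOKEN = "constructed-token-not-real"  # stand-in for the token your rep supplies

def okta_headers(token=TOKEN):
    """Authentication Mode 'HTTP Header' sends the token as a bearer credential."""
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"}

def create_user_payload(user_name, external_id, given, family, manager_id=None):
    """POST /Users body: only mapped attributes, and no password (Sync Password is off)."""
    body = {"schemas": [USER, ENTERPRISE],
            "userName": user_name,  # the unique identifier field
            "externalId": external_id,
            "name": {"givenName": given, "familyName": family},
            "emails": [{"primary": True, "type": "work", "value": user_name}],
            "active": True}
    if manager_id:  # RFC 7643: manager.value is the SCIM id of the manager's User
        body[ENTERPRISE] = {"manager": {"value": manager_id}}
    return body

def deactivate_payload():
    """PATCH /Users/{id} body for Deactivate Users."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "value": {"active": False}}]}

def push_group_payload(display_name, member_ids):
    """POST /Groups body for Push Groups; members are ids of existing users."""
    return {"schemas": [GROUP], "displayName": display_name,
            "members": [{"value": m} for m in member_ids]}

class FakeScimEndpoint:
    """Constructed SP that enforces the constraints the article states."""

    def __init__(self):
        self.users, self.groups = {}, {}

    def _auth(self, headers):
        if headers.get("Authorization") != f"Bearer {TOKEN}":
            raise PermissionError("401 Unauthorized")

    def post_users(self, headers, body):
        self._auth(headers)
        if "password" in body:
            raise ValueError("400 password attribute not accepted")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            raise ValueError("409 userName already exists")
        manager = body.get(ENTERPRISE, {}).get("manager", {}).get("value")
        if manager and manager not in self.users:
            raise ValueError("400 manager must reference an existing user id")
        uid = str(uuid.uuid4())
        self.users[uid] = dict(body, id=uid)
        return self.users[uid]

    def patch_user(self, headers, uid, body):
        self._auth(headers)
        for op in body["Operations"]:
            if op["op"] == "replace":
                self.users[uid].update(op["value"])
        return self.users[uid]

    def post_groups(self, headers, body):
        self._auth(headers)
        missing = [m["value"] for m in body["members"] if m["value"] not in self.users]
        if missing:
            raise ValueError(f"400 unknown members {missing}: assign the users first")
        gid = str(uuid.uuid4())
        self.groups[gid] = dict(body, id=gid)
        return self.groups[gid]

def run_demo():
    """Follows the article's order: users, manager reference, group push, deactivate."""
    sp, hdr = FakeScimEndpoint(), okta_headers()
    boss = sp.post_users(hdr, create_user_payload("boss@example.com", "ext-boss", "Bea", "Boss"))
    staff = sp.post_users(hdr, create_user_payload("staff@example.com", "ext-staff", "Sam",
                                                   "Staff", manager_id=boss["id"]))
    out = {"manager_ok": staff[ENTERPRISE]["manager"]["value"] == boss["id"]}
    try:  # pushing a group whose member is not yet provisioned fails, as warned above
        sp.post_groups(hdr, push_group_payload("Finance", [boss["id"], "not-provisioned"]))
    except ValueError as e:
        out["premature_push"] = str(e)[:3]
    finance = sp.post_groups(hdr, push_group_payload("Finance", [boss["id"], staff["id"]]))
    out["group_members"] = len(finance["members"])
    out["deactivated_active"] = sp.patch_user(hdr, staff["id"], deactivate_payload())["active"]
    try:  # a wrong bearer token is rejected before any data is touched
        sp.post_users(okta_headers("wrong"), create_user_payload("x@example.com", "ext-x", "X", "Y"))
    except PermissionError as e:
        out["bad_token"] = str(e)[:3]
    return out

if __name__ == "__main__":
    print(run_demo())
```

The stand-in deliberately rejects a group push that names an unprovisioned member and a user payload that carries a password; a real service may be more lenient, which is exactly why the article asks you to confirm accounts in User Management before pushing groups and to leave Sync Password off rather than rely on the receiving side to refuse it.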
