This article goes over how to set up SAML SSO with Okta.
Step 1: Log in to Admin console
If you don’t have an Okta account, you need to sign up.
Log in to the admin console.
Step 2: Create a new app and integrate it with Creative Force
Navigate to Applications / Applications.
Choose Create App Integration, select SAML 2.0 and click Next.
General settings: Enter the information, then click Next.
Configure SAML to integrate with Creative Force
General:
Single sign on URL: See “SP Assertion Consumer Service Url” in our How to set up Single Sign-On within Creative Force article
Tick: Use this for Recipient URL and Destination URL.
Audience URI (SP Entity ID): See “SP Entity ID” in our How to set up Single Sign-On within Creative Force article
Default RelayState: Copy “RelayState” from SSO - How to setup SSO in CF. Fill in this field if you want to log in to CF directly from Okta.
Name ID format: Email Address.
Application username: Okta username.
Update application username on: Create and update
Attribute Statements:
Xml namespace | Name format | Okta | Required? |
 | Unspecified | user.email | Yes |
 | Unspecified | user.firstName | No |
 | Unspecified | user.lastName | No |
The setting looks like this
Completion
Tick "I'm a software vendor. I'd like to integrate my app with Okta" and Finish.
Step 3: Assign users to the integration app
After creating an app, navigate to the “Assignments” tab.
Click Assign to People or Groups.
Note:
Assigned people need to be activated before using SSO login.
If you want to create a new user, navigate to Directory > People.
Copy Identity Provider metadata url
1. Log in to the developer admin console of Okta.
2. Navigate to Applications/Applications and choose your App Integration.
3. Choose the Sign On tab and copy the link address of "Identity Provider metadata". That is the “Identity Provider metadata URL”.
Set up SCIM provisioning on Okta
Note: Currently, CF SCIM only supports UsersController.
Required: You need to create a custom Okta app and set up SSO on Gamma beforehand.
Step 1: Log in to Admin Console
Step 2: Enable provisioning
Navigate to “Applications” > “Applications”
Select your custom app
In the “General” tab, click “Edit” in the “App Settings” block
Tick “Enable SCIM provisioning” and “Save”
Step 3: Set up SCIM
Prepare the Creative Force SCIM token
Log in to Gamma
Navigate to “STUDIO SETTINGS” > “SSO SETTINGS”
Copy SCIM BEARER TOKEN
Set up SCIM on Okta
Select the “Provisioning” tab (this tab is shown after enabling SCIM provisioning (Step 1))
In Settings / Integration, click “Edit”
Fill in or tick the fields as shown below, then click “Save”
SCIM connector base URL | The SCIM URL |
Unique identifier field for users | |
Supported provisioning actions | Push New Users, Push Profile Updates |
Authentication Mode | HTTP Header |
Authorization | *Paste value from step Prepare CF SCIM token* |
After saving the Provisioning settings, in the tab Provisioning:
Select “Settings” > “To App”,
Click “Edit” to set up provisioning to the app.
Tick “Enable” for both “Create Users” and “Deactivate Users”, then click “Save”
SCIM Integration Test on Runscope (Original post)
Step 1: Import Runscope test
Download the Okta SCIM Spec Test (Okta SCIM 2.0 Spec Test JSON).
If you are new to Runscope, your dashboard displays sample Runscope tutorials. Click Skip Tutorial.
You should now see a screen titled API Tests.
In the lower left of your screen, click Import Test.
A new screen appears, titled Import Tests into …
Select Runscope API Tests as the import format.
Click Choose File and select the JSON file that you saved in Step 1.
Click Import API Test.
Step 2: Customize Runscope
You should be looking at the API Tests window in Runscope, if not, click the Tests tab at the top of the Runscope user interface.
You should see a test that you imported in step 1.
Click Edit on the test panel.
The Test window appears. Under the Environment section of your test, there is a collapsed section labelled Test Settings. Click the small arrow to expand this section.
Select the Initial Variables tab.
Click Add Initial Variable and add the following case-sensitive variables and click Save.
Name | Value |
SCIMBaseURL | The SCIM URL |
auth | Bearer {{SCIM token from Gamma}} |
Select the Initial Script tab, paste the following text into the script console, then click Save.
// An email address that does not exist in the system yet
var email = "non-exist-email-address@domain.name";
variables.set("randomEmail", email);
variables.set("randomUsername", email);
variables.set("InvalidUserEmail", "invalid-email-address@domain.name");
variables.set("UserIdThatDoesNotExist", "010101001010101011001010101011");
variables.set("randomUsernameCaps", email.toUpperCase());
variables.set("randomGivenName", "A-random-given-name");
variables.set("randomFamilyName", "a-random-family-name");
// An email address that already exists in the system
variables.set("existedUsername", "exist-email-address@domain.name");