Single Sign On (SSO) using Okta

Overview

Single sign-on (SSO) is an authentication scheme that enables users to use a single ID and password combination to log into multiple platforms, services, or systems.

Cloudchipr supports SSO and is compatible with any SAML 2.0-compliant SSO provider, including:

💡

This is a feature for enterprise customers and as such may not be available when you attempt to access it. If you would like access, please get in touch.

To enable SSO, it is necessary to have either an owner or admin role within your Cloudchipr organization.

Enable SSO for Cloudchipr using Okta

To configure SSO for Cloudchipr using Okta, follow these steps:

Create Application

  1. In Okta, navigate to the Admin dashboard and click Applications.
  2. On the Applications page, click Create App Integration.
  3. In the modal that appears, select the SAML 2.0 radio button and click Next.
  4. Enter a name for the app. For easier recognition, you can also upload a logo to go with it. Then click Next.

Create SAML Integration

  1. Next, you'll configure your SAML settings. Copy the Single sign-on URL and Audience URI (SP Entity ID) from Cloudchipr, and paste them into the matching fields in Okta.

You can find the Single sign-on URL and the Audience URL (Entity ID) in Cloudchipr, under  > ⚙️ Settings > Account Security & SSO > Enable Okta

  2. Add Attribute Statements. These map the necessary Okta values to the Cloudchipr application.

    1. organization_id can be found in the Cloudchipr UI: in the Settings > Account Security section, when you click Enable in Okta, you can see your Organization ID.

      Name            Name format     Value
      email_verified  Unspecified     true
      role            URI Reference   appuser.role
      group_role      URI Reference   appuser.group_role

    It should look like below:

  3. Select Next

  4. Choose the following options:

  5. Click on Finish

Setup per user custom attributes

  1. In the Admin Console, go to Directory > Profile Editor.
  2. Choose your application.
  3. Click Add Attribute
  4. Fill in the following fields on the page that opens
    1. Data type: choose string
    2. Display name: Role
    3. Variable name: role
    4. Attribute members: Ensure you use the exact values listed in the table below

      Display Name                  Value
      Owner                         owner
      Super Admin                   super_admin
      Admin                         admin
      Viewer                        viewer
      Billing Admin                 billing_admin
      Billing Explorer Admin        billing_explorer_admin
      Viewer Protector              viewer_protector
      Workflow Resources Protector  workflow_resources_protector

  5. Click Save

It should appear as below.


Setup per Group custom attributes

  1. Click Add Attribute again to add Group custom attributes
  2. Fill in the following fields on the page that opens
    1. Data type: choose string
    2. Display name: Group Role
    3. Variable name: group_role
    4. Attribute members: Ensure you use the exact values listed in the table below
    5. Attribute Type: choose Group

    Attribute members

      Display Name                  Value
      Owner                         owner
      Super Admin                   super_admin
      Admin                         admin
      Viewer                        viewer
      Billing Admin                 billing_admin
      Billing Explorer Admin        billing_explorer_admin
      Viewer Protector              viewer_protector
      Workflow Resources Protector  workflow_resources_protector

  3. Click Save

It should appear as below.


Assign the necessary roles to users

Within your Okta Application, assign the right roles to the users as in the example below:

Retrieve your SAML 2.0 configuration from Okta and set it in Cloudchipr

  1. In your Okta Application view, go to the Sign On tab

  2. Scroll down and click View SAML Setup Instructions on the right side

  3. Gather and save the following two pieces of information from the instructions page:

    • Identity Provider Single Sign-On URL: This is the first entry on the page. You will need this URL later for authentication purposes when connecting to Cloudchipr with Okta.
    • IDP Metadata XML File: Navigate to the bottom of the page and locate the section titled "Provide the following IDP metadata to your SP provider". Here, you will find an XML file. Please copy this file as it is necessary for setup.

  4. In the Cloudchipr UI, navigate to the "Enable Okta" section and insert the copied XML file into the XML Metadata field. Then, click on Enable to activate the integration.

After activation, a notification confirming a successful Okta connection will appear in the bottom right corner of the screen.

📘

All currently invited users will be deleted except the owner. Therefore, ensure you ask your Okta admin to re-invite them through Okta and inform them that authentication will be through Okta.
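To confirm after a test sign-in that the assertion carries what the attribute statement and role tables above specify, the decoded AttributeStatement can be checked offline. This is an added example, not Cloudchipr's or Okta's code: the function names and both sample statements are constructed, it does not verify signatures, and treating a sign-in with no role value as a finding is an assumption of the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
# Name -> NameFormat from the table on this page ("URI Reference" is ...:uri).
EXPECTED = {"email_verified": "unspecified", "role": "uri", "group_role": "uri"}
# Role values from the attribute-member tables on this page (case-sensitive).
ROLES = {"owner", "super_admin", "admin", "viewer", "billing_admin",
         "billing_explorer_admin", "viewer_protector", "workflow_resources_protector"}

def _attr(name, fmt, value):
    """Build one constructed <saml:Attribute> element for the samples below."""
    return (f'<saml:Attribute Name="{name}" NameFormat="{FMT}{fmt}">'
            f'<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>')

def _statement(*attrs):
    body = "".join(attrs)
    return f'<saml:AttributeStatement xmlns:saml="{SAML}">{body}</saml:AttributeStatement>'

# Constructed samples, not captured from a real tenant.
GOOD = _statement(_attr("email_verified", "unspecified", "true"),
                  _attr("role", "uri", "viewer"),
                  _attr("group_role", "uri", "billing_admin"))
BAD = _statement(_attr("email_verified", "uri", "true"),
                 _attr("role", "uri", "Admin"))  # display name, not the value

def check_attributes(xml_text):
    """Return findings for one decoded AttributeStatement (no signature check)."""
    seen, findings = {}, []
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML}}}Attribute"):
        name = attr.get("Name")
        seen[name] = [(v.text or "").strip()
                      for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        want = EXPECTED.get(name)
        if want and attr.get("NameFormat") != FMT + want:
            findings.append(f"{name}: NameFormat should be {want}")
    if seen.get("email_verified") != ["true"]:
        findings.append("email_verified: expected the single value 'true'")
    role_values = [(n, v) for n in ("role", "group_role")
                   for v in seen.get(n, []) if v]
    for name, value in role_values:
        if value not in ROLES:
            findings.append(f"{name}: '{value}' is not an allowed role value")
    if not role_values:  # assumption of this example: at least one role arrives
        findings.append("no role or group_role value present")
    return findings

if __name__ == "__main__":
    print("GOOD:", check_attributes(GOOD) or "ok", "| BAD:", check_attributes(BAD))
```

The second sample fails because it carries the display name `Admin` where the exact value `admin` is required.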

Enable Sync user profiles using SCIM

  • Navigate to Cloudchipr > Settings > Security
  • Copy SCIM Endpoint URL and Bearer Token

Configure SCIM in Okta Workforce for SAML Apps

  1. Go to your Okta Workforce Identity SAML application, select the General tab, then choose Edit for App Settings.
  2. In the Provisioning section, select SCIM and then Save.
  3. Under the General tab, confirm that Federation Broker Mode is disabled.
  4. Select the Provisioning tab, then go to the Integration tab and select Edit.
  5. Enter the SCIM Endpoint URL value you copied earlier into the SCIM connector base URL section.
  6. For the Unique identifier field for users, enter userName.
  7. Under Supported provisioning actions, select Push New Users and Push Profile Updates, then choose HTTP Header as the Authentication Mode.
  8. Paste the SCIM token into the Authorization field, then select Test Connection Configuration to test the new connection. Select Save.
  9. Browse to Provisioning > Settings > To App and choose Edit, then enable the Create Users, Update User Attributes, and Deactivate users operations. Select Save.

  10. On the same page, under the Attribute Mappings section, use the X button to delete the following lines:

      Attribute           Value
      Primary email type  (user.email != null && user.email != '') ? 'work' : ''
      Primary phone type  (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : ''
      Address type        (user.streetAddress != null && user.streetAddress != '') ? 'work' : ''

Configure Cloudchipr application role mapping

Add group attribute to the application

  1. Go to Directory -> Profile Editor and edit the Cloudchipr application
  2. Click on the Add Attribute button and add the attribute as described below
    1. Data Type -> String

    2. Display Name -> Group Role

    3. Variable Name -> group_role

    4. External Name -> roles.^[type=='group_role'].value

    5. External namespace -> urn:ietf:params:scim:schemas:core:2.0:User

    6. Check the Enum checkbox and add the following values for it:

      Display Name                  Value
      Owner                         owner
      Super Admin                   super_admin
      Admin                         admin
      Viewer                        viewer
      Billing Admin                 billing_admin
      Billing Explorer Admin        billing_explorer_admin
      Viewer Protector              viewer_protector
      Workflow Resources Protector  workflow_resources_protector

    7. Attribute Type -> Group

  3. Click on the Save button to save the attribute

Add user attribute to the application

  1. Go to Directory -> Profile Editor and edit the Cloudchipr application
  2. Click on the Add Attribute button and add the attribute as described below
    1. Data Type -> String

    2. Display Name -> User Role

    3. Variable Name -> user_role

    4. External Name -> roles.^[type=='user_role'].value

    5. External namespace -> urn:ietf:params:scim:schemas:core:2.0:User

    6. Check the Enum checkbox and add the following values for it:

      Display Name                  Value
      Owner                         owner
      Super Admin                   super_admin
      Admin                         admin
      Viewer                        viewer
      Billing Admin                 billing_admin
      Billing Explorer Admin        billing_explorer_admin
      Viewer Protector              viewer_protector
      Workflow Resources Protector  workflow_resources_protector

    7. Attribute Type -> Personal

  3. Click on the Save button to save the attribute

Create application assignment

The following steps are described for group assignment, but the same steps are valid for user assignments as well, where the only difference will be setting a value for User Role instead of Group Role.

  1. Go to Applications -> Cloudchipr application

  2. Click on Assign -> Assign to Groups

  3. Select the group and click on Assign

  4. Scroll down through the attributes to Group Role, choose the role, and save

You can now test user provisioning in the Assignments tab and test update operations by editing the user attributes in the Directory > People section of your Okta admin portal.
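When testing provisioning, it helps to know what the two External Names configured above address in a SCIM User resource: the entry of the core `roles` array whose `type` is `user_role` or `group_role`. The following added example (not Cloudchipr's or Okta's code) resolves both from constructed SCIM bodies and checks them against the enum values on this page; the function names are hypothetical, and reading `^[...]` as "first matching entry" is the assumption the code makes.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"  # External namespace above
# Enum values from the role tables on this page (case-sensitive).
ROLES = {"owner", "super_admin", "admin", "viewer", "billing_admin",
         "billing_explorer_admin", "viewer_protector", "workflow_resources_protector"}
ROLE_TYPES = ("user_role", "group_role")  # the two External Name selectors

# Constructed SCIM User bodies, not captured from a real tenant.
SAMPLE = json.dumps({
    "schemas": [CORE_USER], "userName": "jane@example.com", "active": True,
    "roles": [{"type": "group_role", "value": "viewer"},
              {"type": "user_role", "value": "billing_admin"}],
})
BAD_SAMPLE = json.dumps({
    "schemas": [CORE_USER], "userName": "joe@example.com",
    "roles": [{"type": "user_role", "value": "Owner"},   # display name, not value
              {"type": "role", "value": "admin"}],       # type no selector matches
})

def first_match(entries, role_type):
    """Mirror roles.^[type=='<role_type>'].value: value of the first match."""
    for entry in entries:
        if isinstance(entry, dict) and entry.get("type") == role_type:
            return entry.get("value")
    return None

def roles_from_scim(body):
    """Return ({'user_role': ..., 'group_role': ...}, findings) for one SCIM User."""
    user = json.loads(body)
    findings = []
    if CORE_USER not in user.get("schemas", []):
        findings.append("core User schema URN missing from 'schemas'")
    if not user.get("userName"):
        findings.append("userName missing (the unique identifier set in Okta)")
    entries = user.get("roles") or []
    resolved = {t: first_match(entries, t) for t in ROLE_TYPES}
    for role_type, value in resolved.items():
        if value is not None and value not in ROLES:
            findings.append(f"{role_type}: '{value}' is not an allowed role value")
    types = {str(e.get("type")) for e in entries if isinstance(e, dict)}
    unmapped = sorted(types - set(ROLE_TYPES))
    if unmapped:
        findings.append("unmapped role types: " + ", ".join(unmapped))
    return resolved, findings

if __name__ == "__main__":
    for body in (SAMPLE, BAD_SAMPLE):
        print(roles_from_scim(body))
```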