Single Sign On Authentication (OKTA)

WorkForce Identity (OKTA) <-> Customer Identity Platform Setup

Overview

The Workforce Identity platform (client) needs to set up an OIDC (OpenID Connect) Application and SWA (Secure Web Authentication) to enable Single Sign-On (SSO). Once done, users can log in easily and securely through the Workforce Identity platform.

Step 1: Create an OIDC Application (Client Side)

  1. Open the Create App Integration modal, select OIDC, choose Web Application, and click Next.

  2. In the Sign-in Redirect URI section, add: https://{{Auth_Domain}}/login/callback.

  3. In the Trusted Origin Base URI section, add https://{{Application_Domain}}.

  4. Once the application is created, share the Client ID and Client Secret with iMerit.

Step 2: Customer Identity Platform (iMerit Side)

Using the following details from the previous step, iMerit will create an Enterprise Workforce Connection and provide the {{Connection_URL}} and {{Bearer_Token}}. The client then uses these values to set up the SCIM provisioning configuration in Step 3.

  • OIDC App Client ID

  • OIDC App Client Secret

  • Okta Domain

Step 3: Create an SWA Application (Client Side)

  1. Click on New Application, select SWA Application.

  2. Enter an app name, set the app URL to https://{{Application_Domain}}, and upload an image.

  3. Save the application.

Configure SCIM Provisioning

  1. In the General tab, under App Settings, set Provisioning to SCIM, then click Save.

  2. A new Provisioning tab will appear. Open it and:

    • Enter the SCIM Connection URL as the {{Connection_URL}} provided by the iMerit team.

    • Set Unique Identifier Field for Users to "userName".

    • Enable "Push New Users" and "Push Profile Updates".

    • Set Authentication Mode to "HTTP Header".

  3. In the HTTP Header section, under Authorization, add the {{Bearer_Token}} provided by the iMerit team.

  4. Test the connection. If it works, click Save to update the changes.

Enable Provisioning

  1. Go to Provisioning > To App tab.

  2. In the Settings section, edit and enable the following:

    • Create Users

    • Update User Attributes

    • Deactivate Users

Configure Attribute Mapping (Optional)

  1. In App Attribute Mapping, make sure the following fields are available:

    • Email

    • First Name

    • Last Name

    • Username
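To show what the provisioning settings above produce on the receiving end, here is an added example (not iMerit's or Okta's code) of a minimal inbound SCIM handler: it checks the "HTTP Header" bearer token in constant time, requires userName as the unique identifier, and maps a pushed user to the Email, First Name, Last Name and Username fields. The token value and the sample payload are constructed placeholders.

```python
import hmac
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Stand-in for the {{Bearer_Token}} iMerit issues (constructed placeholder).
EXPECTED_BEARER_TOKEN = "example-bearer-token-PLACEHOLDER"

def authorize(headers: dict) -> bool:
    """In 'HTTP Header' mode Okta sends 'Authorization: Bearer <token>'.
    Compare in constant time so a wrong token leaks no timing signal."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, EXPECTED_BEARER_TOKEN)

def map_user(payload: dict) -> dict:
    """Reduce a pushed SCIM User to the attributes the guide requires
    (Username, Email, First Name, Last Name). userName is the unique
    identifier, so a missing value is rejected rather than defaulted."""
    if SCIM_USER not in payload.get("schemas", []):
        raise ValueError("not a SCIM 2.0 User resource")
    username = payload.get("userName")
    if not username:
        raise ValueError("userName (unique identifier) missing")
    emails = payload.get("emails", [])
    email = next((e["value"] for e in emails if e.get("primary")), emails[0]["value"] if emails else username)
    name = payload.get("name", {})
    return {
        "username": username,
        "email": email,
        "first_name": name.get("givenName", ""),
        "last_name": name.get("familyName", ""),
        "active": payload.get("active", True),  # 'Deactivate Users' pushes active=false
    }

def handle_push(headers: dict, body: str):
    """Return (HTTP status, result) as a SCIM /Users create handler would."""
    if not authorize(headers):
        return 401, {"detail": "invalid bearer token"}
    try:
        return 201, map_user(json.loads(body))
    except (ValueError, KeyError) as exc:
        return 400, {"detail": f"bad SCIM payload: {exc}"}

# Constructed sample of what Okta pushes when 'Push New Users' is enabled.
SAMPLE_BODY = json.dumps({
    "schemas": [SCIM_USER], "userName": "jane.doe@example.com", "active": True,
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"value": "jane.doe@example.com", "primary": True}],
})
```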

Enabling OKTA in iMerit Platform

  1. Add the user to the SWA application first, then to the OIDC application. The user can then log in via OKTA.

References:

https://auth0.com/docs/authenticate/protocols/scim/inbound-scim-for-okta-workforce-connections

https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/okta
