Installing and Configuring the Okta Module
  • 09 Oct 2024


Module Details

Core or Github Module: Core Module
Restart Required: No
Steps Exposed: Yes
Step Location: Integration > Okta
Settings Location: Settings > Okta Settings
Prerequisites
  • A preexisting Okta Account.
  • An Okta Subdomain or URL.
  • Proper installation of both SAML and Okta Modules. To learn how to install a module, see Installing Modules.
  • The Okta Module is located under System > Security > Identity Providers
  • A Project dependency is NOT required.

The Okta Module allows Decisions to integrate with Okta and adds new Okta-specific steps. This lets Decisions create and modify Okta accounts through Flows created in Decisions, along with enabling single sign on (SSO).

The Okta Api Token can be retrieved from Okta's platform by navigating to Security > API > Tokens > Create Token. The Okta module uses the SAML module, so changing the Okta settings passes the values through to the SAML settings. Okta is a single specific provider, whereas SAML is the protocol used by hundreds of different providers.

Implementing this integration requires appropriate technical resources on the client's side. It is recommended to have someone with experience available to streamline the process. The support team is available to help, but may not be able to answer questions or solve problems that are unique to a user's company.


Note that unlike most modules in v9, Okta and other identity provider modules can be found and installed from System > Security > Identity Providers.


Settings Configuration (Okta)

1. Create a new application. Select SAML 2.0.

2. After the app is created, configure the endpoints.

For this screenshot an example SSO URL is used. Users should follow one of two templates, depending on whether they are self-hosted or IIS hosted.

For self-hosted installation use this template: [base]:[port]/SAML/AssertionConsumer 

For IIS installations use this template: [base]/{virtual directory}/SAML/AssertionConsumer


3. The Attribute Statements and Group Attribute Statements are optional and do not need to be filled out. 


4. Options on tab 3 Feedback do not affect Decisions integration.

Settings Configuration (Decisions) - OKTA MANAGEMENT SETTINGS

The Okta Settings within Decisions have two components - OKTA MANAGEMENT SETTINGS and OKTA SSO SETTINGS

Once the Okta settings are configured within Decisions, the SAML module will also be updated.

  1. Navigate to System > Settings. Click Okta Settings and select Edit.

  2. On the Edit Okta Settings window, add the Okta Subdomain or URL and Okta Api Token. After configuring all necessary options, click SAVE. Everything under OKTA MANAGEMENT SETTINGS is used for the Okta Sync Flows that come with the module. This section is not required for the SSO Login process.
    Setting: Description
    Okta Subdomain or URL: The Okta Subdomain or URL used to return SSO requests.
    Okta Api Token: The Okta API Token used to authenticate requests.
    Sync Okta User Flow: A Flow designed with the Okta Sync User Flow behavior used to sync and create new Decisions accounts based on data retrieved from Okta.
    Sync Okta Group Flow: A Flow designed with the Okta Sync Group Flow behavior used to sync and create new Decisions groups based on data retrieved from Okta.
    Sync Only Chosen Groups: Syncs only specific groups retrieved from Okta. The group list will display after the other settings are complete.
    Enabled: If enabled, allows SSO settings to be defined for the Okta integration. These settings will overwrite the settings defined in the SAML module.


OKTA SSO Settings

1. Check the “enabled” checkbox. This will display the settings. 

2. Enable “Quick Configuration with Metadata”. This will allow the use of a meta URL from Okta to get the configuration data automatically. 

  1. In Okta, navigate to the Application. Go to the “sign-on” tab.
  2. Right click the “Identity Provider Metadata” link and copy the link. Paste that into the Metadata URL field.


3. Fill out the following settings:

SP Issuer ID: This will be the "audience URL (SP entity ID)" from the Okta Application Setting within Okta. This must match exactly.

Name ID Format: By default this will be set to Email. If using persistent/transient then change that from the drop down. This will be the "Name ID Format" setting from the Application Setting on Okta.

The Okta module adds four Flows to the System > Designers > System Defaults folder. Three of them are Subflows used in the Flow Sync Okta Users, Groups, and Roles. Setting the Sync Okta Users, Groups, and Roles to be a scheduled job daily is highly recommended. This will keep accounts in Okta and Decisions coordinated without extra work.

Step Name: Description
Activate User: Activates an Okta user account synced to Decisions.
Add User To Group: Adds an Okta user account to a defined Okta group.
Create Group: Creates a new group within Okta.
Create User: Creates a new Okta user account.
Deactivate user: Allows the deactivation of an Okta user account.
Expire User Password: Allows an Okta user account's password to be expired. The user will need to reset their password at the next login.
Get All Deprovisioned Users: Retrieves all of the Okta user accounts in the deprovisioned state.
Get All Groups: Retrieves all the Okta user groups available.
Get All Users: Retrieves a list of all available Okta users.
Get Custom Attribute From User: Retrieves attributes from Okta user accounts. Attributes are found under the user account profile page on Okta and include personal information like name, title, phone number, and more. Custom attributes can be assigned to an Okta user account through Decisions during the Create User Step.
Get Group By Id: Retrieves an Okta group based on its id. The Okta group id can be found in the System Log section of a group.
Get Group By Name: Retrieves an Okta group according to its name in Okta.
Get Groups For User: Retrieves the Okta groups that a particular Okta user is assigned to.
Get Groups To Sync: Creates a list of Okta groups that the user would like to sync between servers.
Get Sync Group Flow Id: Provides the user with the flow id for the flow in which a group of Okta accounts will be synced.
Get Sync User Flow Id: Gives the user the Flow Id (in GUID format) of the flow that is syncing Okta user accounts.
Get User By Id: Will retrieve an Okta user account based on its id.
Get User By Username: Will retrieve a user by their Okta username.
Get Users In Group: Will retrieve all of the Okta user accounts within a specified Okta group.
Remove User From Group: Removes a desired Okta user from an Okta group they belong to.
Reset User Password: Causes an Okta user account's password to be reset.
Should Sync Okta Group: A preset rule that can be used to determine if an Okta user group should be synced between the user's servers.
Should Sync Okta User: A preset rule that can be used to determine if an Okta user account needs to be synced between servers.
Suspend User: Causes a chosen Okta user account to be suspended.
Unlock User: Can be used to unlock Okta user accounts that are in the locked state.
Unsuspend User: Suspended Okta users will be unsuspended.
Update Group: Allows the user to update the description and name of an Okta group of user accounts.
Update User: Allows an Okta user account to have its various attributes changed. This can include the user password, email, and contact information.


