Integrate PingFederate with Okta
Level: Eptura Implementation team / Customer IT team
Eptura supports integration with PingFederate, and this article explains how to configure SSO for it. It is written for administrators and assumes familiarity with PingFederate, Okta and basic identity management concepts.
Contents
- Prerequisites
- Step 1. Integrate PingFederate with Okta
- Step 2. Sign in to Eptura using an SSO user (Customer Team)
- Step 3. Integrate SCIM with User Directory (Customer Team)
- Step 4. User Access to Eptura Applications
Prerequisites
Before configuring SCIM-based provisioning for Eptura, make sure that Okta has been registered as an IdP connection on PingFederate so that SSO sign-in works (Step 1). In addition, your Super Admin must exist in Okta with the First Name, Last Name and Email Address attributes populated, because these attributes are mapped to the Eptura person record during SCIM provisioning (Step 3).
Step 1. Integrate PingFederate with Okta
Below are the steps for PingFederate integration.
Step 1.1 Register a Web App in Okta for PingFederate (Customer Team)
- Log in to your Okta Admin Console.
Create a new OIDC application
- Navigate to Applications > Applications.
- Click the Create App Integration button.
The Create a new app integration dialog displays.
- For the Sign-in method, select the OIDC - OpenID Connect option.
- For the Application type, select the Web Application option.
- Click the Next button and the New Web App Integration page displays.
- Complete the following:
- App integration name - Enter a name for your PingFederate integration, for example eptura-ping-app-dev.
- Grant type - Make sure that Authorization Code is selected.
- Sign-in redirect URIs - This must be the IdP Connection Redirect URI that the Eptura Implementation Team provides in Step 1.2. If you do not have it yet, leave the default value for now and replace it in Step 1.3.
- Assignments - Select the Allow everyone in your organization to access option, or one of the alternatives described below.
Assign the application to appropriate users or groups
You can assign users and groups while creating the web app, or after it has been created.
- The Allow everyone in your organization to access option assigns all users to this app. We recommend that you have Federation Broker Mode enabled for it.
- To restrict access to particular groups, select the Limit access to selected groups option and then select the groups to assign (the groups must already exist).
- If you select the Skip group assignment for now option, you can assign users or groups after the web app has been created.
- Click the Save button.
Record the following values, which are needed for the PingFederate configuration in Step 1.2. The Client Secret is a credential: keep it in a password manager or secrets vault rather than a plain text file, and pass it to the Eptura Implementation Team only over an approved secure channel.
- Client ID
- Client Secret
- Okta domain
- Authorization server information (you may need to create or select an authorization server; the steps below use the default server)
Create an Access Policy in the selected Authorization Server
- Navigate to Security > API.
- Click default.
The default authorization server page displays.
- Click the Access Policies tab.
- Click the Add Policy button and the Add Policy dialog displays.
- In the Name field, enter a descriptive name for this policy.
- In the Description field, enter a short description.
- Click the Create Policy button.
- Click the Add rule button and the Add Rule dialog displays.
- In the Rule Name field, enter a descriptive name for this rule.
- Use the default settings.
- Click the Create rule button and the rule is saved.
Step 1.2 Create an IdP Connection on PingFederate (Implementation Team)
This step is performed by the Eptura Implementation Team.
The Implementation Team provides the IdP Connection Redirect URI to the customer; the customer registers it in the Okta web app in Step 1.3.
Step 1.3 Set the PingFederate Redirect URI in the Okta application and route your domain (Customer Team)
In the Okta web app created in Step 1.1, replace the Sign-in redirect URI with the IdP Connection Redirect URI received in Step 1.2. The value must match exactly, including scheme, host, path and any trailing slash, or Okta will reject the sign-in request. Then configure PingFederate so that sign-ins from your users' email domain are routed to the IdP connection:
- Log in to the PingFederate administrative console.
- From the top menu, click Authentication.
- From the left menu, click Policies > Selectors.
- Select the HttpRequestDomainSelector.
- Click the Selector Result Values tab.
- In the result values, enter your users' email domain.
- Click the Add button.
- Click the Save button.
Next, locate the domain in a policy and define what happens when a sign-in attempt for that domain fails or succeeds.
- From the left menu, click Policies.
- Scroll down to the DomainSelectorPolicy and click it.
- Scroll down; under the HttpRequestDomainSelector there is a list of the existing domains.
- Locate your domain and click its drop-down.
- From the drop-down, select IdP Connection.
- Browse the list or search for the IdP connection created for your domain, and select it.
- Complete the Fail and Success outcomes for the connection:
- For Fail, click Done so that the outcome is set to Done.
- For Success, click Done so that the outcome is set to Done.
- Click the Save button.
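The values gathered in Step 1.1 and the redirect URI received in Step 1.2 have to agree before either side is saved, and a mismatch is the most common reason an OIDC IdP connection fails on first use. The script below is an added example (not Eptura, Okta or Ping Identity code) of a pre-flight check a customer or implementation engineer can run on those values. The Okta domain, client ID and redirect URIs are placeholders, and the discovery document is a constructed sample shaped like the response Okta returns from an authorization server's /.well-known/openid-configuration endpoint; replace it with the real document for your tenant.

```python
"""Pre-flight check for the Okta <-> PingFederate OIDC handoff (added example).

Checks that the Okta authorization server advertises the endpoints and grant
PingFederate will use, that every endpoint lives on the Okta tenant named in
the issuer, and that the redirect URI PingFederate supplied is registered in
the Okta app exactly as given.
"""
import json
from urllib.parse import urlsplit

# Constructed sample: the shape of an Okta authorization-server discovery
# document. "example.okta.com" is a placeholder tenant.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://example.okta.com/oauth2/default/v1/token",
    "jwks_uri": "https://example.okta.com/oauth2/default/v1/keys",
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "response_types_supported": ["code", "token", "id_token"],
    "code_challenge_methods_supported": ["S256"],
})


def check_handoff(discovery_json, okta_domain, okta_registered_redirects, ping_redirect_uri):
    """Return a list of problems; an empty list means the values are consistent."""
    doc = json.loads(discovery_json)
    problems = []

    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https":
        problems.append("issuer is not https")
    if issuer.hostname != okta_domain.strip().lower():
        problems.append(f"issuer host {issuer.hostname!r} does not match Okta domain {okta_domain!r}")

    # Every endpoint PingFederate calls must be on the issuer's host: a
    # discovery document pointing elsewhere would send the authorization
    # code and client secret to a third party.
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(doc.get(key, ""))
        if ep.scheme != "https" or ep.hostname != issuer.hostname:
            problems.append(f"{key} is missing, not https, or not on the issuer host")

    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization server does not advertise the authorization_code grant")

    # Redirect URIs are compared as exact strings, so the Okta app must hold
    # the PingFederate value byte for byte: scheme, case, path, trailing slash.
    if ping_redirect_uri not in okta_registered_redirects:
        near = [u for u in okta_registered_redirects
                if u.rstrip("/").lower() == ping_redirect_uri.rstrip("/").lower()]
        hint = f" (near match: {near[0]!r}; check scheme, case and trailing slash)" if near else ""
        problems.append("PingFederate redirect URI is not registered in the Okta app" + hint)
    if urlsplit(ping_redirect_uri).scheme != "https":
        problems.append("PingFederate redirect URI is not https")

    return problems


if __name__ == "__main__":
    # Placeholder redirect URI standing in for the value from Step 1.2.
    pf_uri = "https://pf.example.com/sp/callback"
    for registered in (["https://pf.example.com/sp/callback"], ["https://pf.example.com/sp/callback/"]):
        print(registered, "->", check_handoff(SAMPLE_DISCOVERY, "example.okta.com", registered, pf_uri) or "OK")
```

Run it with the discovery document fetched from your tenant and the redirect URI list copied from the Okta app; an empty result means the two sides agree, and the near-match hint points at the usual trailing-slash or scheme mistake.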
Step 2. Sign in to Eptura using an SSO user (Customer Team)
See Eptura - Authentication Methods to learn how to sign in with an SSO user, or with Form Authentication where the user was created manually.
Step 3. Integrate SCIM with User Directory (Customer Team)
Your IdP is connected to the SCIM service using the SCIM URL and SCIM token. Once connected, the SCIM service automatically imports all user accounts from your IdP; the user attributes in your IdP must be mapped to the corresponding SCIM attributes. After the initial synchronization, further synchronizations run on a schedule every 40 minutes. See the article Configure SCIM provisioning for Okta.
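The attribute mapping described above is where the prerequisite about First Name, Last Name and Email Address bites: a user missing one of them cannot be turned into a complete SCIM record. The following is an added example (not Eptura or Okta code) of that mapping, written to fail closed on a missing required attribute while still letting the rest of a batch through. The sample profiles are constructed in the shape of Okta's default user profile attributes (login, firstName, lastName, email).

```python
"""Map IdP user profiles to SCIM 2.0 User resources (added example).

Required attributes are enforced per record, and a batch returns both the
mapped users and the rejected ones so that one incomplete account does not
block the synchronization of everyone else.
"""
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
REQUIRED = ("firstName", "lastName", "email")

# Constructed sample profiles; the second one is missing lastName.
SAMPLE_PROFILES = [
    {"login": "alice@example.com", "firstName": "Alice", "lastName": "Liddell",
     "email": "alice@example.com"},
    {"login": "bob@example.com", "firstName": "Bob", "email": "bob@example.com"},
]


class MissingAttribute(ValueError):
    """Raised when a profile lacks an attribute SCIM provisioning needs."""


def to_scim_user(profile, external_id=None):
    """Return a SCIM 2.0 User resource for one IdP profile."""
    missing = [k for k in REQUIRED if not str(profile.get(k, "")).strip()]
    if missing:
        raise MissingAttribute(f"{profile.get('login', '?')}: missing {', '.join(missing)}")

    email = profile["email"].strip().lower()
    user = {
        "schemas": [SCIM_USER_SCHEMA],
        # userName is the SCIM identifier; fall back to the email if no login.
        "userName": (profile.get("login") or email).strip().lower(),
        "name": {
            "givenName": profile["firstName"].strip(),
            "familyName": profile["lastName"].strip(),
        },
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }
    if external_id:
        # externalId carries the IdP's own identifier so re-syncs match
        # on a stable key rather than on a mutable email address.
        user["externalId"] = external_id
    return user


def map_batch(profiles):
    """Map many profiles; returns (mapped_users, [(login, reason), ...])."""
    mapped, rejected = [], []
    for profile in profiles:
        try:
            mapped.append(to_scim_user(profile))
        except MissingAttribute as exc:
            rejected.append((profile.get("login", "?"), str(exc)))
    return mapped, rejected


if __name__ == "__main__":
    ok, bad = map_batch(SAMPLE_PROFILES)
    print(f"mapped {len(ok)}, rejected {len(bad)}")
    for login, reason in bad:
        print("  rejected:", login, "-", reason)
```

When a sync leaves a user out of Eptura, the rejected list is the first place to look: fix the attribute in the IdP and the next scheduled run will pick the user up.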
Step 4. User Access to Eptura Applications
Users created in Okta are synchronized to Eptura as persons. To change the access a user has to Eptura's product applications, see Add, Edit, or Delete a Group.