- October 12, 2021: Added directory to sections.
- June 21, 2019: Published.
The current Okta Catalog Connector is deprecated, as the endpoints are now different. Please see Getting started (Custom) in the documentation below.
- About SAML with Okta
- Getting Started
- Basic SAML Configuration
- User and Attribute Claims
- Downloading and Uploading Metadata
- Single Sign-On Setup Using SAML
- User Creation with SAML Enabled
- Disabling SAML
- Optional Attributes (Not Required)
About SAML with Okta
This document is the overview and steps to integrate the Bitsight platform with Okta. At this time, a Bitsight catalog application for Okta is available; it can be found by adding a new application and searching for “Bitsight.” The steps below outline how to integrate the Bitsight platform with Okta using an additional custom connector, should the need for additional attributes arise. The purpose of this documentation is to integrate Okta and the Bitsight platform when roles and groups are required.
Getting Started
Catalog App
To get started, navigate to your Admin instance on the Okta dashboard.
When in the dashboard take the following steps:
- Applications
- Search Application
- Bitsight - Add
- Audience Restriction = https://service.bitsighttech.com/saml/metadata/
- Save
Custom Application
To get started, navigate to your Admin instance on the Okta dashboard.
When in the dashboard take the following steps:
- Applications
- Create New Application
- Platform = Web
- New Application = SAML 2.0
Basic SAML Configuration
- Single Sign on URL = https://service.bitsighttech.com/saml/acs/GUID
- Audience URI (SP Entity ID) = https://service.bitsight.com/saml/GUID
- Name ID format = emailAddress
- Application username = email
Your unique identifier can be found in your account under the SAML settings URLs.
| Detail | Contents |
|---|---|
| Identifier (Entity ID) | https://service.bitsight.com/saml/GUID |
| Reply URL (Assertion Consumer Service URL) | https://service.bitsighttech.com/saml/acs/GUID |
User and Attribute Claims
When entering the user and attribute claims you must select URI as the name format. Under Attribute Statements (optional), the first name will be urn:oid:0.9.2342.19200300.100.1.3 with Name format = URI Reference and Value = user.email.
- Enter the claim name for given name and replace it with urn:oid:2.5.4.3, mapped to user.firstName
- Enter the claim name for last name and replace it with urn:oid:2.5.4.4, mapped to user.lastName
| Claim Name | Value |
|---|---|
| urn:oid:2.5.4.3 | user.firstName |
| urn:oid:2.5.4.4 | user.lastName |
| urn:oid:0.9.2342.19200300.100.1.3 | user.email |
Although not required for this integration, you can specify additional attributes as outlined in Optional Attributes (Not Required).
Downloading and Uploading Metadata
Once you have configured and saved the settings above, you can download the metadata XML from Okta and upload it to the Bitsight SAML self-service portal.
1. Select Download Metadata XML from your Okta portal, under the “SAML Sign on Settings” category.
2. On the Bitsight platform, navigate to the SAML page [Settings ➔ SAML].
3. Find the section labeled “SAML Metadata for your IdP.” Select Load from URL.
4. Open the file downloaded in Step 1.
Optional Attributes (Not Required)
These additional attributes can be specified but are not required for this integration with Okta.
Full Name. This can be specified in place of the last name field if the user's name is not of the form “Firstname Lastname.”
| Name | Name Format | Value |
|---|---|---|
| urn:oid:2.16.840.1.113730.3.1.241 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | Full Name |
User Role. This specifies the user's role in the Bitsight platform. This field is optional (if it is omitted, the user's role will be the standard user role, or left unchanged). Otherwise it must be exactly one of the following strings; the values must match exactly, including the spaces:
- Customer User
- Customer Admin
- Customer Group Admin
- Customer Portfolio Manager
| Name | Name Format | Value |
|---|---|---|
| urn:oid:1.3.6.1.4.1.50993.1.1.2 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Role |
User Group. This specifies the user's group. If the group does not already exist, it will be created (and will be empty initially). If this is not specified, then the customer's default group is used.
| Name | Name Format | Value |
|---|---|---|
| urn:oid:1.3.6.1.4.1.50993.1.1.1 | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | User Group |
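Before enabling SAML for every user, it is worth confirming that the assertion Okta actually issues carries the attribute claims described above (required OIDs present, URI name format, a role string that is an exact match, and an Audience equal to the SP Entity ID). The following Python script is an added example, not Bitsight's or Okta's code; the assertion fragment it parses is constructed for illustration, with a placeholder GUID and made-up user values. It checks only the attribute statement and audience, so it complements, and does not replace, the signature validation a service provider performs on a real assertion.

```python
"""Check a SAML assertion's attribute statement against the mapping this page
describes. Added example; not Bitsight's or Okta's own code."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# OIDs from the page, mapped to a friendly field name.
ATTRIBUTE_MAP = {
    "urn:oid:2.5.4.3": "first_name",
    "urn:oid:2.5.4.4": "last_name",
    "urn:oid:0.9.2342.19200300.100.1.3": "email",
    "urn:oid:2.16.840.1.113730.3.1.241": "full_name",  # optional
    "urn:oid:1.3.6.1.4.1.50993.1.1.2": "user_role",    # optional
    "urn:oid:1.3.6.1.4.1.50993.1.1.1": "user_group",   # optional
}
REQUIRED = {"first_name", "last_name", "email"}

# Role strings must match exactly, including spaces.
ALLOWED_ROLES = {
    "Customer User",
    "Customer Admin",
    "Customer Group Admin",
    "Customer Portfolio Manager",
}

# CONSTRUCTED sample assertion fragment: placeholder GUID and user values.
# The role value deliberately contains a double space to show the exact-match rule.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://service.bitsight.com/saml/GUID</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:2.5.4.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.50993.1.1.2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>Customer  Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(root):
    """Map each known Attribute to its field name; report unknown names and
    any attribute that does not use the URI name format."""
    fields, problems = {}, []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name, fmt = attr.get("Name"), attr.get("NameFormat")
        field = ATTRIBUTE_MAP.get(name)
        if field is None:
            problems.append(f"unexpected attribute {name}")
            continue
        if fmt != URI_FORMAT:
            problems.append(f"{name}: NameFormat is {fmt!r}, expected URI")
        fields[field] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return fields, problems


def check_assertion(assertion_xml, expected_audience):
    """Apply the page's rules and return (fields, problems); an empty problem
    list means the assertion matches the documented configuration."""
    root = ET.fromstring(assertion_xml)
    fields, problems = extract_attributes(root)
    for missing in sorted(REQUIRED - set(fields)):
        problems.append(f"missing required attribute for {missing}")
    role = fields.get("user_role")
    if role is not None and role not in ALLOWED_ROLES:
        problems.append(f"user_role {role!r} is not an exact match for an allowed role")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    return fields, problems


if __name__ == "__main__":
    fields, problems = check_assertion(SAMPLE_ASSERTION, "https://service.bitsight.com/saml/GUID")
    print("fields:", fields)
    for p in problems:
        print("problem:", p)
```

Run against a real assertion by replacing SAMPLE_ASSERTION with the decoded assertion and the placeholder audience with your own SP Entity ID from the SAML settings page; the double space in the sample's role value is reported as a mismatch, which is the kind of silent configuration error that otherwise leaves every user with the default role.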