Provision Users and Groups from Okta

Okta is a cloud-based identity and access management (IAM) platform that centralizes user and customer profiles to enhance security and streamline access. It offers features like multifactor authentication, single sign-on, and lifecycle management to help organizations manage user identities effectively.

openZro's Okta integration enhances user management by allowing you to utilize Okta as your identity provider. This integration automates user authentication in your network, adds SSO and MFA support, and simplifies network access management to your applications and resources.

The integration process consists of two stages: first, you’ll set up OpenID Connect (OIDC) to enable Single Sign-On (SSO) from openZro's login page using Okta credentials. Next, you’ll configure SCIM (System for Cross-domain Identity Management) to synchronize users and groups smoothly.

Get Started with openZro-Okta Integration

To set up SSO, go to Integrations in the openZro admin console's left menu to access the Identity Provider integration page. Click the Connect Okta button to get started with the Okta-openZro integration. This will open a pop-up window with detailed instructions on synchronizing openZro and Okta.

openZro Okta Integration

Prerequisites

Before you begin the integration process, ensure you have the necessary permissions in Okta. You need an Okta user account with one of the following roles:

  • Super Admin
  • Org Admin
  • Group Admin

To check your user permissions in Okta:

  • Log in to your Okta admin dashboard.
  • Expand People in the left menu.
  • Select your user.
  • Navigate to the Admin roles tab.

Confirm that you have one of the required roles before proceeding with the integration.

Okta Check User Permissions

Installing the openZro Integration

Once you have the necessary permissions, you can set up the openZro application. First, in openZro, click Continue → to show a summary of the necessary steps.

openZro Connect openZro with Okta

Let's go through them one by one:

  • In Okta’s admin dashboard, click Applications in the left menu.
  • Select Applications from the submenu.
  • Click the Browse App Catalog button.

Okta Browse App Catalog

In the app catalog, enter "openZro" in the search bar. Then, click the Add Integration button.

Okta openZro App

Accept the default application name and click the Done button. On the next screen, click the Assign dropdown and select Assign to People.

Okta Assign People To openZro App

You will see a list of users. Find your user account, click Assign, and save the changes. Verify your user is assigned to the openZro app and click Done.

Okta Verify User Added To openZro

After that, you will see your user listed in the openZro application.

Okta User Added To openZro App

Configuring SSO in Okta

The next step is to configure Okta-openZro SSO integration.

In openZro, click the Continue → button. A new wizard screen will appear, offering the instructions for retrieving Okta’s OpenID Connect credentials. You can click Close and navigate to Okta.

openZro Connect openZro with Okta Sharing Credentials

  • In Okta, click the Sign On tab. Look for OpenID Connect under Sign on methods in the Settings section.
  • Copy the Client ID value.
  • Copy the Client Secret value.

Store these credentials securely, as you will need them soon.

Okta Copy Credentials

  • Click Edit in the Settings section.
  • In Credential Details, change the Application username format from Okta username to Email.
  • Click the Save button.

Okta OpenID Credential Details

Okta Copy Domain

The final step is to send an email to the openZro team with the authentication information you just retrieved:

  • Okta Client ID
  • Okta Client secret
  • Okta account domain
  • Okta primary email domain (usually your username)

You will receive an email once the openZro team enables authentication for your account.

This completes the first stage, enabling Single Sign-On (SSO) from openZro's login page using Okta credentials. Now, you can navigate to your-management.example.com and log in using Okta Verify.

Enabling Okta SCIM in openZro

In openZro, go to Integrations > Identity Provider and click on the Connect to Okta button.

openZro Connect to Okta

You will see a reminder of the permissions your user will require in Okta. Click the Get Started → button to continue.

openZro User Permissions

If you haven't already, you'll need to set up SSO in Okta. If you've completed the previous section, skip this step and click the Continue → button.

openZro SSO in Okta

The next screen will show you how to enable openZro API credentials in Okta. Copy the value of the Authorization (Bearer) token.

openZro Enable Okta SCIM

Navigate to the openZro app in your Okta admin dashboard. Click the Provisioning tab, then select Configure API Integration.

Okta Provisioning

Follow these steps:

  • Check the box to enable API Integration.
  • Enter your openZro API Token.
  • Click Test API Credentials to verify the SCIM connection.

Okta Entering openZro Bearer Token

If everything works as expected, you'll see the message: "openZro was verified successfully!" as shown below. Click Save to continue.

Okta Token Accepted

Configuring SCIM Provisioning to openZro

In openZro, click Continue →. You'll see instructions for configuring SCIM provisioning to openZro.

openZro Configure SCIM provisioning to openZro

Back in Okta, click Edit as shown below.

Okta Edit openZro App

Enable Okta to create, update, and deactivate openZro users by checking the corresponding boxes:

  • Create Users
  • Update User Attributes
  • Deactivate Users

When done, click Save.

Okta Enable Create Users and More

Assigning openZro Application to Okta Groups

In openZro, click Continue →. You'll see the steps for assigning the openZro integration to Okta groups.

openZro Sync Groups to openZro

  • Navigate to the Assignments tab.
  • As before, when you assigned your user to the openZro app, click the Assign button.
  • This time, select Assign to Groups.
  • Select the Okta groups that you want to assign to the openZro app.

Okta Assign openZro to Groups

Once you assign the desired groups, click Done. You'll see the selected groups listed in Okta.

Okta openZro Groups

Push Okta Groups to openZro

One more time, go to openZro and click Continue →. You'll see the final instructions to push Okta groups to openZro.

openZro Sync Groups to openZro

  • In Okta, navigate to the Push Groups tab.
  • Click the Push Groups button.
  • Select Find groups by name.
  • Search for specific groups to push to openZro.

Once you finish, go back to openZro and click Finish Setup. You can verify the synchronization by navigating to Team > Users.

The users listed in openZro should match those you created in Okta.
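
One way to script this comparison, as an added example (not openZro or Okta code): it matches users on email, since the Application username format was set to Email, and flags accounts where Create Users or Deactivate Users did not take effect. Both inputs are constructed samples; it assumes the Okta list holds only users assigned to the openZro app and that the openZro side is available as a SCIM 2.0 ListResponse (how you export it is not covered on this page).

```python
import json

# Constructed sample: Okta Users API records (fields used: status, profile.email).
OKTA_USERS = json.loads("""[
  {"id": "00u1", "status": "ACTIVE", "profile": {"login": "alice", "email": "Alice@example.com"}},
  {"id": "00u2", "status": "DEPROVISIONED", "profile": {"login": "bob", "email": "bob@example.com"}},
  {"id": "00u3", "status": "ACTIVE", "profile": {"login": "carol", "email": "carol@example.com"}}
]""")

# Constructed sample: SCIM 2.0 ListResponse (RFC 7644) standing in for the openZro user list.
OPENZRO_SCIM = json.loads("""{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
  "totalResults": 3,
  "Resources": [
    {"userName": "alice@example.com", "active": true},
    {"userName": "bob@example.com", "active": true},
    {"userName": "dave@example.com", "active": true}
  ]
}""")


def reconcile(okta_users, scim_list):
    """Compare Okta users with SCIM-provisioned users, keyed by lower-cased email."""
    # Username format is Email, so the SCIM userName should equal the Okta email.
    okta = {u["profile"]["email"].lower(): u["status"] == "ACTIVE" for u in okta_users}
    remote = {r["userName"].lower(): bool(r.get("active", True))
              for r in scim_list.get("Resources", [])}
    return {
        # Active in Okta but absent or inactive downstream: create/update did not land.
        "missing": sorted(e for e, on in okta.items() if on and not remote.get(e, False)),
        # Still active downstream although Okta no longer has them active.
        "stale": sorted(e for e, on in remote.items() if on and e in okta and not okta[e]),
        # Active downstream with no Okta record: account created outside provisioning.
        "unmanaged": sorted(e for e, on in remote.items() if on and e not in okta),
    }


if __name__ == "__main__":
    for finding, emails in reconcile(OKTA_USERS, OPENZRO_SCIM).items():
        print(f"{finding}: {emails}")
```

The "stale" bucket is the one to review first: it lists accounts that remain usable in openZro after Okta stopped treating them as active.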
