Okta
After logging in to your Pipekit account, you can enable SSO for your Organization. This will allow members of your Organization to authenticate with Okta and will prevent them from using alternative authentication methods.
Warning: Enabling Okta SSO will prevent users in your Organization from being able to log in using alternative methods (for example username/password or a social login).
Navigate to your Org and click on "Identity Providers".
Select "Add Okta Provider".
Enter the domain you use to authenticate with. This is typically the domain you use for your Organization's email addresses.
Click "Add Provider".
You will then be provided with some unique URLs that you need to add to an Okta application.
Navigate to your Okta Admin Dashboard and create a new app integration under the Applications menu.
Choose SAML 2.0 and click "Next".
Under "General Settings", enter an appropriate App Name. We recommend "Pipekit".
You can add if you wish.
Click "Next".
Under "SAML Settings", enter the following:
Single sign on URL: The Single sign-on URL (ACS) provided by Pipekit.
Ensure "Use this for Recipient URL and Destination URL" is checked.
Audience URI: The Audience URI (SP Entity ID) provided by Pipekit.
Set the following attribute statements:
firstName -> Name format: Basic -> user.firstName
lastName -> Name format: Basic -> user.lastName
email -> Name format: Basic -> user.email
Click "Next" and click "Finish".
Copy the Metadata URL from the "Sign On" tab.
Go back to Pipekit and paste the Metadata URL into the "Metadata URL" field on the next screen.
Alternatively, you can expand the "More Details" dropdown in the "Sign On" tab to reveal the values required for the "Try another way" option in Pipekit.
Copy the Sign on URL, Issuer and Certificate values into their respective fields in Pipekit.
Click "Submit".
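The following Python check is an added example, not code from Pipekit or Okta. It inspects a decoded SAML Response and reports where it deviates from the "SAML Settings" listed above: Destination and Recipient equal to the ACS URL, Audience equal to the SP Entity ID, and the three attribute statements in Basic name format. The URLs, function names and the sample response are constructed placeholders, and the check does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRS = ("firstName", "lastName", "email")
# Constructed placeholders: substitute the two URLs Pipekit shows for your provider.
ACS_URL = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"

def check_response(xml_text, acs_url=ACS_URL, entity_id=SP_ENTITY_ID):
    """Return a list of settings problems in a decoded SAML Response (no signature check)."""
    root = ET.fromstring(xml_text)  # use a hardened parser for XML you did not build
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match the ACS URL")
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append("Audience does not match the SP Entity ID")
    attrs = {e.get("Name"): e for e in root.iterfind(".//a:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        el = attrs.get(name)
        if el is None:
            problems.append(f"missing attribute statement: {name}")
            continue
        if el.get("NameFormat") != BASIC:
            problems.append(f"{name}: name format is not Basic")
        value = el.find("a:AttributeValue", NS)
        if value is None or not (value.text or "").strip():
            problems.append(f"{name}: empty value")
    return problems

def sample_response(attrs, audience=SP_ENTITY_ID, recipient=ACS_URL):
    """Build a constructed, unsigned Response with the given attribute statements."""
    stmts = "".join(
        f'<a:Attribute Name="{n}" NameFormat="{BASIC}">'
        f"<a:AttributeValue>{v}</a:AttributeValue></a:Attribute>"
        for n, v in attrs.items())
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{recipient}">'
            f'<a:Assertion><a:Subject><a:SubjectConfirmation>'
            f'<a:SubjectConfirmationData Recipient="{recipient}"/>'
            f"</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>"
            f"<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>"
            f"<a:AttributeStatement>{stmts}</a:AttributeStatement></a:Assertion></p:Response>")

if __name__ == "__main__":
    print(check_response(sample_response({"firstName": "Ada", "email": ""})))
```

An empty list means the response matches the settings; each string in a non-empty list names the Okta field to revisit.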
Pipekit supports SCIM for syncing groups from Okta.
Navigate to the Groups tab under your Organization in Pipekit.
Click "Configure SCIM".
Copy the "SCIM Endpoint URL" for later.
In Okta, edit the app settings of your Pipekit Application under the General tab.
Enable SCIM provisioning and save.
Go to the Provisioning tab and paste the SCIM Endpoint URL into the SCIM Connector Base URL field.
On the same screen, set the Unique Identifier Field for Users to email.
On the same screen, check the following under Supported Provisioning Actions:
Push New Users
Push Profile Updates
Push Groups
On the same screen, set the authentication mode to "HTTP Header".
Generate a new SCIM token in Pipekit and copy it.
Go back to Okta and enter the SCIM token you generated into the Authorization header field.
Test the connection and save.
Go to the Provisioning tab in Okta and go to Provisioning to App. Click Edit.
Enable the following and then save:
Create Users
Update User Attributes
Deactivate Users
Warning: All groups are given Admin permission in Pipekit by default. This is to ensure that you still have the required permissions to manage your organization. If you want to change the permission level, you can do so after the group has been created in Pipekit.
Wait for the push group status to change from Pushing to Active.
Navigate back to Pipekit and refresh the Groups tab. You should now see your group from Okta.
You can change the permission level by clicking on the cog on the group and selecting a different permission level.
In the Users tab, you should see the users from your Okta group.
If you wish to disconnect Pipekit from Okta:
Navigate to your Org and click on "Identity Providers".
Click on Delete Okta Provider and confirm.
Disconnecting Okta will prevent any users in your Organization from logging in using Okta. This may include your own user. Contact Pipekit support if you need help with this.
Follow the to assign both push group(s) and assignment group(s) or users to the Pipekit application to push groups and users respectively.