Configuring SSO for Stax Cost & Compliance - Okta
Learn how to integrate your company's Okta implementation for federated login access into Stax's Cost & Compliance module.
Stax's Cost & Compliance module integrates with your corporate identity provider using OpenID Connect (OIDC). This allow you to bring your own identities and identity management controls to the Stax Cost & Compliance module. Okta is a cloud identity platform that works well with Stax.
Before You Begin
- Estimated time to complete: 1 hour
- You need permissions to administer the Okta environment
- You must decide whether you wish for all users at your email domain (firstname.lastname@example.org_) to use SSO, or whether users should be required to access the trigger URL to invoke SSO
Prepare the OIDC URLs
First, you'll need to determine some URLs. These must be generated by the Stax Support team for you. Please raise a support case to have the URLs generated. You'll be provided two URLs:
- A callback URL that looks like this:
- A trigger URL that looks like this:
- Log in to the Okta Admin console. Choose Applications from the top nav bar to open the Applications page
- Click Add Application then Create New App to open the Create a New Application Integration dialog. Select Web in the Platform drop-down list, and OpenID Connect as the Sign on method, then click Create
- On the General Settings page, give the app a name such as Stax Cost & Compliance, then click Next
- When prompted for Login redirect URIs, add the callback URL provided to you by Stax Support
- Edit the Application's General Settings, and change the Initiate login URI to the trigger URL provided to you by Stax Support
- On the Assignments tab, configure who from your organization should be able to access the Cost & Compliance module
- Review the Client Credentials portion of the Application and record the Client ID and Client secret values
- Review the Sign on panel and record the Issuer value
Configure Stax Cost & Compliance Module to Allow Okta Sign-In
Provide Stax Support with the Client ID, Client secret, and Issuer values you recorded earlier. These are required for Stax to enable SSO for the Cost & Compliance module. You should also let us know if you'd like for SSO to be enabled for your entire email domain (e.g. anyone with an email address ending in email@example.com_), or whether users should be required to access the trigger URL to invoke SSO.
How Do You Know This Worked?
Next time you navigate to the trigger URL or provide your email address at the Stax Cost & Compliance module login page (in the case of email domain-wide enablement), you'll be redirected to Okta to prove your identity.
Additional Configuration (Optional)
Enable login from the Okta dashboard
If your users use the Okta dashboard as a landing page to access corporate applications, you can enable Stax Cost & Compliance module logins here as well. Open the application's settings page in Okta. On the General tab, within the General Settings section, click Edit. Configure the Application Visibilty setting to the value Display application icon to users.