Link your Identity Provider - Okta
Learn how to integrate your company's Okta implementation for federated login access into Stax.
Stax integrates with your corporate identity using SAML. This allows you to bring your own identities and identity management controls to the Stax platform. Okta is a cloud identity platform that works well with Stax.
Before You Begin
- Estimated time to complete: 1 hour
- Ensure you are a member of the Admin role in your Stax tenancy
- You need permissions to administer the Okta environment
Prepare the SAML URIs
First, you'll need to determine some URIs. If you're not sure how to get these, simply raise a case in the Stax Console and we'll help you out.
Your <customer-alias> is the value you enter at the Stax Console login page. In the examples below, it is mega-corp.
Your <installation-id> appears in the URL of the login page after you enter your customer alias, between your customer alias and staxapp.cloud. In the examples below, it is au1.
Once you've determined your <customer-alias> and <installation-id>, you can form the URIs required for SAML setup:
| URI | Format | Example |
|---|---|---|
| SAML 2.0 Service URL | <entity-id>/broker/okta/endpoint | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/okta/endpoint |
Prepare the Okta Groups
Stax has four roles: admin, Cost & Compliance admin, user, and readonly. You can use Okta to specify these roles at login time. For this purpose, you'll need to create and populate four groups. You can create these groups in your on-premises directory or natively within Okta.
In the examples below, we'll use the following four group names:
- Stax Admins
- Stax Cost & Compliance Admins
- Stax Users
- Stax Read Only Users
See Stax Roles - Stax Permissions for more information on Stax roles.
Once you've prepared the URIs and AD Groups, you can configure Okta.
Log in to the Okta Admin console. Choose Applications from the top nav bar to open the Applications page
Click Add Application then Create New App to open the Create a New Application Integration dialog. Select Web in the Platform drop-down list, and SAML 2.0 as the Sign on method, then click Create
On the General Settings page, give the app a name such as Stax, then click Next
On the Configure SAML page, complete the SAML configuration for the new application:
| Parameter | Value | Example |
|---|---|---|
| General | | |
| Single sign on URL | The SAML 2.0 Service URL you determined earlier | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master/broker/okta/endpoint |
| Use this for Recipient URL and Destination URL | Checked | |
| Allow this app to request other SSO URLs | Unchecked | |
| Audience URI (SP Entity ID) | The entity ID you determined earlier | https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master |
| Default RelayState | (blank) | |
| Name ID format | Persistent | |
| Application username | | |
| Update application username on | Create and update | |
| Attribute Statements | | |
| (1) Name | emailaddress | |
| (1) Name format | Unspecified | |
| (1) Value | user.email | |
| (2) Name | firstName | |
| (2) Name format | Unspecified | |
| (2) Value | user.firstName | |
| (3) Name | lastName | |
| (3) Name format | Unspecified | |
| (3) Value | user.lastName | |
Click Next to open the Feedback page, which you may complete, then click Finish
Next, you need to configure Okta to send the user's Stax Role across to Stax. From the top nav bar's Directory menu, choose Profile Editor to open the Profile Editor page.
Choose Profile next to Stax User to edit the profile settings for the new application
On the Profile Editor page, under Attributes, choose + Add Attribute to open the Add Attribute dialog
Enter the following values to create the JumaRole attribute:
| Parameter | Value |
|---|---|
| Data type | string |
| Display Name | Stax Role |
| Variable Name | JumaRole |
| Description | Role to send to Stax |
| Enum | checked |
| Attribute members | |
| (1) Display Name | Admin |
| (1) Value | customer_admin |
| (2) Display Name | Cost & Compliance Admin |
| (2) Value | customer_costadmin |
| (3) Display Name | User |
| (3) Value | customer_user |
| (4) Display Name | Read Only |
| (4) Value | customer_readonly |
| Attribute length | Between |
| min | (blank) |
| max | (blank) |
| Attribute required | Yes |
| Scope | unchecked |
Choose Save to complete adding the attribute
Next, you need to assign the role to your four user groups. From the top nav bar, on the Applications menu, open Applications and choose Stax from the list. Choose the Assignments tab. Click Assign and then Assign to Groups to open the Assign Stax to Groups dialog
Find the four Stax groups you created in the list. Next to each, click Assign and choose the appropriate level of permissions for the group
Once you have assigned all the appropriate group/role relationships, choose Done to close the dialog
Finally, download your Okta metadata to provide to us. To get this, from the Applications menu, choose Applications. Open the Stax application configuration and choose the Sign On tab. Click the Identity Provider metadata link to download the metadata file and save it for later
Configure Stax to allow Okta Sign-In
When you're ready to have Stax configured, you simply need to supply us with your Okta metadata, and we'll do the rest for you.
How Do You Know This Worked?
Next time you navigate to your Stax Console login page, on the top, you'll see a new Continue with Corporate ID button. Clicking this button will take you to your Okta sign-in page. Log in on the Okta page and you'll be signed into your Stax tenancy.
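To confirm the Okta side independently of the login button, the following added example (not Stax or Okta code) compares a decoded SAML assertion from a test login against the settings on this page: Name ID format, Recipient, Audience, the three attribute statements and the role value. It assumes the role arrives as an attribute named JumaRole, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ENTITY_ID = "https://id.security.mega-corp.au1.staxapp.cloud/auth/realms/master"  # page's example
ROLES = {"customer_admin", "customer_costadmin", "customer_user", "customer_readonly"}
REQUIRED = ("emailaddress", "firstName", "lastName", "JumaRole")  # JumaRole name is assumed


def check_assertion(xml_text, entity_id=ENTITY_ID):
    """List mismatches between a decoded assertion and the settings on this page.
    Configuration check only: it does not verify the XML signature."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not Persistent")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != entity_id + "/broker/okta/endpoint":
        problems.append("Recipient is not the SAML 2.0 Service URL")
    if entity_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience is not the entity ID")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS) if v.text]
             for a in root.iterfind(".//saml:Attribute", NS)}
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append(f"missing attribute {name}")
    roles = attrs.get("JumaRole", [])
    if roles and (len(roles) != 1 or roles[0] not in ROLES):
        problems.append(f"unexpected JumaRole value(s): {roles}")
    return problems


def sample_assertion(role, entity_id=ENTITY_ID):
    """Constructed test input shaped like an assertion for the app configured above."""
    values = {"emailaddress": "jo@example.com", "firstName": "Jo", "lastName": "Doe", "JumaRole": role}
    attrs = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                    f'</saml:Attribute>' for k, v in values.items() if v)
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
        f'<saml:NameID Format="{PERSISTENT}">constructed-id</saml:NameID><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{entity_id}/broker/okta/endpoint"/>'
        f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions><saml:AudienceRestriction>'
        f'<saml:Audience>{entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')


if __name__ == "__main__":
    print(check_assertion(sample_assertion("customer_admin")))  # correct setup
```

A role problem reported here usually means the enum's display name (for example Admin) was entered where the value (customer_admin) belongs, or a group was assigned without a role.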