Connect an Okta Directory to Tonkean with SCIM

  • 3 December 2021


This guide will show you how to provision users and groups from Okta in Tonkean. Note that this walkthrough assumes you already have an Okta directory up and running.

If you don’t already have an Okta account, create one here.


Create an Application

To connect to Okta from an external service, we need to configure an application. For now, this is a manual process, but we hope to streamline it in the future so that the configuration is handled for you.

To create an application, open the Applications tab on the right side panel.

If you have any applications connected, you’ll have them listed here. We need to create a new one, so click Browse App Catalog.

In the search field, enter “SCIM 2.0 Test App (Header Auth)” and click on this option in the dropdown when it appears.

You’ll see the following screen. Click Add.

In the screen that appears, you can configure a custom name for the application. We recommend using the name of the project you’re going to connect the application to.

You can leave the rest as-is.

Click Next.

The next screen allows you to configure how users can log in to your application. We are only interested in provisioning, not authentication, so we can scroll to the bottom and click Done.

Our application is connected. Now, we need to configure the API integration.

Go to the Provisioning tab in the Applications page, and click Configure API Integration.

Click Enable API integration.

In the Base URL field, enter the URL of the server you wish to use, suffixed with /scim/v2. You can find it in the Identity Provider tab in your board’s settings.

Now, we need to generate an API token. This can also be done in the Identity Provider tab. Click Create New Provider at the bottom. In the modal that pops up, select the provider’s type and its display name, and click Generate Token.

After clicking you will be presented with an authentication token. Copy it with the Copy button.

This will be the last time you can view the decrypted token, so save it somewhere safe if you need to reference it later.

Return to Okta and paste the token in the API Token field, prefixed by “token”.

To make sure you’ve set everything up correctly, click Test API Credentials. You should see a green success message.

When finished, click Save. This part of the process is complete.


Add Tonkean Roles

Add Tonkean Roles to Users

We need to add the tonkeanRoles parameter to the users in our directory. Go to the Profile Editor tab, and under User (default) click Profile.

Click Add Attribute, and enter the following information:

The values in the enumerated list are:

  • Process Contributor - PROCESS_CONTRIBUTOR

  • System User - SYSTEM_USER

Click Save.

Now we can provide permissions for users in our directory (not in Tonkean yet). To do that, go to the People tab, and select a user.

In the user page, go to the Profile tab and click Edit.

Scroll to the bottom, and you’ll have checkboxes with the values we’ve previously entered. Choose which ones you’d like, and click Save. Follow the same process for the rest of the users.

Add Tonkean Roles to the Application

We now need to add the Tonkean Roles to our application. Go to your application under the Applications tab, and click the Provisioning tab.

Scroll down until you get to Attribute Mapping, and click Go to Profile Editor.

In the profile editor click Add Attribute, and fill in the same information you entered for the user profile attribute earlier.

The values in the enumerated list are:

  • Process Contributor - PROCESS_CONTRIBUTOR

  • System User - SYSTEM_USER

The external namespace is urn:scim:tonkean.

Click Save, and then click Mappings. In the popup that displays, click Okta User to {Application Name} and scroll to the bottom. For the application’s tonkeanRoles attribute, select the tonkeanRoles user attribute we added earlier.

When finished, scroll to the bottom and click Save Mapping and Apply updates now.

The process is complete: you can now provision users and groups in your Okta instance.
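To show what the configuration above produces on the wire, here is an added example (not Tonkean’s or Okta’s code) of the checks a SCIM service provider would run on an incoming Okta request: verifying the header-auth token the guide has you paste with the “token” prefix, and validating the tonkeanRoles attribute under the urn:scim:tonkean namespace against the two enumerated values. The header separator (“token” followed by a space), the standard SCIM 2.0 extension shape of the payload, and the token value are assumptions and constructed sample data, not taken from the page.

```python
import hmac
import json

# Constructed values for this example; the real token comes from the board's
# Identity Provider tab and the real payload is whatever Okta sends.
TONKEAN_NAMESPACE = "urn:scim:tonkean"
ALLOWED_ROLES = {"PROCESS_CONTRIBUTOR", "SYSTEM_USER"}
EXPECTED_TOKEN = "example-token-not-real"  # constructed placeholder

# Constructed sample: a SCIM 2.0 user as Okta would push it, with the custom
# attribute mapped under the external namespace (standard SCIM extension shape).
SAMPLE_USER = json.dumps({
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User",
        TONKEAN_NAMESPACE,
    ],
    "userName": "jane.doe@example.com",
    "active": True,
    TONKEAN_NAMESPACE: {"tonkeanRoles": ["PROCESS_CONTRIBUTOR"]},
})


def authorization_ok(header_value, expected_token=EXPECTED_TOKEN):
    """Accept only 'token <secret>' (the prefix the guide tells you to type)
    and compare in constant time so the check does not leak the secret."""
    if header_value is None:
        return False
    prefix, sep, presented = header_value.partition(" ")
    if prefix != "token" or not sep:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def extract_roles(scim_user_json):
    """Return the validated tonkeanRoles from a SCIM user document; raise
    ValueError for a malformed extension or a role outside the enumerated list."""
    user = json.loads(scim_user_json)
    if TONKEAN_NAMESPACE not in user.get("schemas", []):
        return []  # extension not declared: the user carries no Tonkean roles
    ext = user.get(TONKEAN_NAMESPACE, {})
    roles = ext.get("tonkeanRoles", [])
    if not isinstance(roles, list):
        raise ValueError("tonkeanRoles must be a list")
    unknown = set(roles) - ALLOWED_ROLES
    if unknown:
        # Fail loudly on a mis-mapped attribute instead of silently granting access.
        raise ValueError(f"unknown tonkeanRoles: {sorted(unknown)}")
    return sorted(set(roles))
```

A role value that is not in the enumerated list (for instance from a mapping pointed at the wrong attribute) is rejected rather than ignored, which is the behaviour you want when the attribute drives permissions.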
