# Okta

{% hint style="info" %}
This feature is available in the **Premium plan and higher**.
{% endhint %}

{% hint style="danger" %}
**Remember to** [**grant your Okta users access permissions**](#step-4-managing-user-access) **to GoodAccess. Users without them won't be able to log in.**
{% endhint %}

## Step 1 - Adding a new identity provider

[Log in to the GoodAccess **Control Panel**, and go to **Settings** > **SSO & Identity**.](https://app.goodaccess.com/sso-and-identity/)

Click **+ Add provider**, enter the **Provider name**, choose your **Identity Provider**, and click **Continue**.

## Step 2 - Setting up Single Sign-On with SAML

Log in to the Okta Admin console, and go to **Applications** > **Applications**.

Click **Create App Integration**, select **SAML 2.0**, and click **Next**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FlzyeUnGDYlUia3OyaNYz%2FFeatures_SSO_Okta_01.png?alt=media&#x26;token=97fc0eb9-7473-47ca-93e1-9ab44fc6e9ff" alt="Okta Admin console with key steps to creating a new application integration."><figcaption><p>Creating a new application integration</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F4k9L64TbZsxrXKp5AelQ%2FFeatures_SSO_Okta_02.png?alt=media&#x26;token=ec274426-2b57-4e86-8559-91fae98efbe5" alt="Okta Admin console with key steps to selecting SAML 2.0 as a sign-in method for the application integration."><figcaption><p>Selecting SAML 2.0 as a sign-in method</p></figcaption></figure></div>

### 1. General Settings

Give the application a name, and click **Next**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FGKUFN0vaGxFo1N3Ubj3W%2FFeatures_SSO_Okta_03.png?alt=media&#x26;token=5addfac0-13ef-4519-9242-2b37fade7511" alt="Okta Admin console with key steps to setting up the &#x22;General Settings&#x22;."><figcaption><p>Setting up the General Settings</p></figcaption></figure>

### 2. Configure SAML

Copy the details from GoodAccess - **(2) GoodAccess links**.

#### General

* **Single Sign-On URL** - Assertion Consumer Service URL
* **Audience URI (SP Entity ID)** - Entity ID
* **Default RelayState** - Relay State
* **Name ID format** - Unspecified
* **Application username** - Email

#### Attribute Statements

| Name                     | Name format | Value      |
| ------------------------ | ----------- | ---------- |
| "email" (without quotes) | Unspecified | user.email |

Return to GoodAccess, and click **Continue**.

Return to Okta, and click **Next**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F24UUM18KdANzMzEe6ufo%2FFeatures_SSO_Okta_04.png?alt=media&#x26;token=08591f21-e9de-48c2-be80-914804d541a2" alt="Okta Admin console with key steps to configuring SAML."><figcaption><p>Configuring SAML</p></figcaption></figure>

### 3. Feedback

Choose one of the **Feedback** options, and click **Finish**.

### 4. Setting up GoodAccess

In the application, go to **Sign On** > **SAML 2.0**, and click **More details**.

Copy the details to GoodAccess - **(3) Identity Provider links**, and click **Continue**.

* **Sign in URL** - Sign on URL
* **Entity ID** - Issuer
* **X509 signing certificate** - Signing Certificate

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FM6sesTO3YePy9cLVAhOm%2FFeatures_SSO_Okta_05.png?alt=media&#x26;token=f5aa0293-0566-4cf0-8347-174edd57e80d" alt="Okta Admin console with key steps to setting up GoodAccess."><figcaption><p>Setting up GoodAccess</p></figcaption></figure>

{% hint style="info" %}
If you don't want to set up SCIM, skip the next step in GoodAccess, and click **Submit** to finish the configuration.
{% endhint %}

You have now successfully set up your Okta SSO with GoodAccess.
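
To confirm that Okta emits what Step 2 configured, the following added example (not GoodAccess or Okta code) checks a decoded SAML response against the mapped fields: Single Sign-On URL, Audience URI, Issuer, Name ID format, and the `email` attribute. The URLs, issuer, and sample response are constructed placeholders; the script assumes Okta's default of using the Single Sign-On URL as the Destination, and it does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ATTR_UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed placeholders; substitute the values from GoodAccess
# "(2) GoodAccess links" and from Okta "More details".
EXPECTED = {"acs_url": "https://sp.example.invalid/acs",
            "sp_entity_id": "https://sp.example.invalid/metadata",
            "idp_issuer": "http://idp.example.invalid/issuer"}

# Constructed sample response, unsigned and trimmed to the checked elements.
SAMPLE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    Destination="{EXPECTED['acs_url']}"><a:Assertion>
  <a:Issuer>{EXPECTED['idp_issuer']}</a:Issuer>
  <a:Subject><a:NameID Format="{NAMEID_UNSPEC}">alice@example.invalid</a:NameID></a:Subject>
  <a:Conditions><a:AudienceRestriction>
    <a:Audience>{EXPECTED['sp_entity_id']}</a:Audience>
  </a:AudienceRestriction></a:Conditions>
  <a:AttributeStatement><a:Attribute Name="email" NameFormat="{ATTR_UNSPEC}">
    <a:AttributeValue>alice@example.invalid</a:AttributeValue>
  </a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""

def check_response(xml_text, expected):
    """Return the mismatches between a SAML response and the Step 2 settings."""
    root = ET.fromstring(xml_text)
    asr = root.find("a:Assertion", NS)
    if asr is None:
        return ["no Assertion element (encrypted or malformed response)"]
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != Single Sign-On URL")
    if asr.findtext("a:Issuer", "", NS).strip() != expected["idp_issuer"]:
        problems.append("Issuer != Entity ID entered in GoodAccess")
    audiences = [(e.text or "").strip() for e in asr.iterfind(".//a:Audience", NS)]
    if expected["sp_entity_id"] not in audiences:
        problems.append("Audience != Audience URI (SP Entity ID)")
    name_id = asr.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPEC:
        problems.append("NameID format is not Unspecified")
    email = asr.find("a:AttributeStatement/a:Attribute[@Name='email']", NS)
    if email is None or not email.findtext("a:AttributeValue", "", NS).strip():
        problems.append('attribute "email" missing or empty')
    elif email.get("NameFormat") != ATTR_UNSPEC:
        problems.append('attribute "email" NameFormat is not Unspecified')
    return problems
```

An empty list from `check_response(SAMPLE, EXPECTED)` means the response matches the settings above; each string in a non-empty list names the Okta field to recheck.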

## Step 3 (optional) - Setting up SCIM

In the application, go to **General** > **App Settings**, and click **Edit**.

Select **SCIM**, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F6vpfUovTeq2T2FAaNY7s%2FFeatures_SSO_Okta_06.png?alt=media&#x26;token=81a7a96c-ad5d-433c-8621-34c72522490b" alt="Okta Admin console with key steps to enabling SCIM."><figcaption><p>Enabling SCIM</p></figcaption></figure>

### 1. SCIM Connection

Go to **Provisioning** > **Integration**, and click **Edit**.

Copy the **URL** and **Token** from GoodAccess - **(4) User provisioning (SCIM)**.

* **SCIM connector base URL** - URL
* **Unique identifier field for users** - "email" (without quotes)
* **Supported provisioning actions**
  * Push New Users
  * Push Profile Updates
  * Push Groups
* **Authentication Mode** - HTTP Header
* **Authorization** - Token

Return to GoodAccess, and click **Submit**.

Return to Okta, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FtcyUHX7FL06uJoMQZ6NI%2FFeatures_SSO_Okta_07.png?alt=media&#x26;token=3a0f3c41-0ace-43f2-9102-ec0282c7528e" alt="Okta Admin console with key steps to setting up SCIM connection."><figcaption><p>Setting up SCIM connection</p></figcaption></figure>

### 2. Provisioning to App

Go to **Provisioning** > **To App**, and click **Edit**.

**Enable**:

* Create Users
* Update User Attributes
* Deactivate Users

Click **Save** to finish the configuration.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FPYhxbk9HejIQV5QsnxdI%2FFeatures_SSO_Okta_08.png?alt=media&#x26;token=e2e9ab92-b2e7-42be-bea7-e0819f75365d" alt="Okta Admin console with key steps to setting up provisioning to app."><figcaption><p>Setting up provisioning to app</p></figcaption></figure>

### 3. (optional) Adding groups to provisioning

Go to **Push Groups**, and click **+ Push Groups** > **Find groups by name/rule**.

Find the desired group, and click **Save**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FRfVtGSHQZhuaallXSHPC%2FFeatures_SSO_Okta_09.png?alt=media&#x26;token=7cfc8262-4675-441f-9baf-7b07e4c09663" alt="Okta Admin console with key steps to adding groups to provisioning."><figcaption><p>Adding groups to provisioning</p></figcaption></figure>

{% hint style="info" %}
The whole provisioning process will take around **20 minutes** to complete, depending on the number of members and groups being added.
{% endhint %}

You have now successfully set up your Okta SCIM with GoodAccess.

## Step 4 - Managing user access

In the application, go to **Assignments**, and click **Assign** > **Assign to People/Groups**.

Choose who should have access, and click **Done**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FN9eLs42MQSbYGL8C4Jpw%2FFeatures_SSO_Okta_09.png?alt=media&#x26;token=fc46c180-1992-45b2-8d4b-0763d271384e" alt="Okta Admin console with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FO9tRn0bT8WgeCG1yxJ5W%2FFeatures_SSO_Okta_10.png?alt=media&#x26;token=caed7f01-6419-41d6-bcf0-684e008740b4" alt="Okta Admin console with key steps to managing user access."><figcaption><p>Managing user access</p></figcaption></figure></div>
