Configure Okta connector
  • 20 Nov 2023



Steps to configure the connector:

  1. Log in to Cross Identity and go to the admin console.

Download the CID Agent file

  1. Click Advanced > Download.
  2. Click Download from CID Agent.
  3. After downloading the CID Agent, navigate to C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\CIDAgent\WEB-INF\classes and locate the parameters.properties file.
  4. Set LIC_ENDPOINT, WEB_SOCKET_ENDPOINT, and REST_ENDPOINT to the tenant URL you received for CI.
  5. Set CONNECTOR_URL and CONNECTOR_SOT according to the Apache Tomcat port number.
    To use the RabbitMQ feature, set PROCESSING METHOD to RABBITMQ; otherwise set it to REST.
  6. Save the file after making the changes.
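The edit in steps 3 to 6 is easy to get subtly wrong (an endpoint left on http, a copy of another tenant's URL, a typo in the processing method), so the following script checks a parameters.properties file against the tenant host and Tomcat port and rewrites the keys in place. It is an added example for this article, not part of Cross Identity or the CID Agent. Key names follow the article; the article writes the processing-method key as "PROCESSING METHOD", and the spelling PROCESSING_METHOD used here is an assumption, as is the requirement that the tenant endpoints use https or wss. The sample file contents are constructed.

```python
"""Check and update the CID Agent parameters.properties file.

Added example for this article; not Cross Identity's or the CID Agent's code.
Key names follow the article; PROCESSING_METHOD spelling is an assumption.
"""
import re
from urllib.parse import urlparse

TENANT_KEYS = ("LIC_ENDPOINT", "WEB_SOCKET_ENDPOINT", "REST_ENDPOINT")
CONNECTOR_KEYS = ("CONNECTOR_URL", "CONNECTOR_SOT")
PROCESSING_KEY = "PROCESSING_METHOD"   # assumed spelling; take it from the downloaded file
ALLOWED_METHODS = {"RABBITMQ", "REST"}


def parse_properties(text):
    """Parse Java .properties text into a dict.

    Skips blank and comment lines (# or !), accepts key=value and key: value,
    splits at the first separator so ':' inside URLs survives, and joins
    backslash-continued lines.
    """
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation: glue to the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":
            continue
        for i, ch in enumerate(line):
            if ch in "=:":
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def set_properties(text, updates):
    """Rewrite the given keys in place, keeping comments, blank lines and order.

    Keys not already present are appended. Continuation lines are not handled.
    """
    out, seen = [], set()
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and stripped[0] not in "#!":
            key = re.split(r"[=:]", stripped, maxsplit=1)[0].strip()
            if key in updates:
                out.append(f"{key}={updates[key]}")
                seen.add(key)
                continue
        out.append(raw)
    out.extend(f"{k}={v}" for k, v in updates.items() if k not in seen)
    return "\n".join(out) + "\n"


def check_agent_config(props, tenant_host, tomcat_port):
    """Return a list of problems; empty means the file is consistent.

    Tenant endpoints must use TLS (https or wss) and point at the tenant host
    CI gave you; CONNECTOR_URL must carry the local Tomcat port; the
    processing method must be RABBITMQ or REST.
    """
    problems = []
    for key in TENANT_KEYS:
        value = props.get(key)
        if not value:
            problems.append(f"{key} is missing")
            continue
        url = urlparse(value)
        if url.scheme not in ("https", "wss"):
            problems.append(f"{key} must use https/wss, got {url.scheme!r}")
        if url.hostname != tenant_host.lower():
            problems.append(f"{key} points at {url.hostname!r}, expected {tenant_host!r}")
    for key in CONNECTOR_KEYS:
        if not props.get(key):
            problems.append(f"{key} is missing")
    connector = urlparse(props.get("CONNECTOR_URL", ""))
    if props.get("CONNECTOR_URL") and connector.port != tomcat_port:
        problems.append(f"CONNECTOR_URL port {connector.port} != Tomcat port {tomcat_port}")
    method = props.get(PROCESSING_KEY, "").upper()
    if method not in ALLOWED_METHODS:
        problems.append(f"{PROCESSING_KEY} must be RABBITMQ or REST, got {method!r}")
    return problems


# Constructed sample of a freshly downloaded file (not a real CID Agent file).
SAMPLE = """\
# CID Agent parameters (constructed sample)
LIC_ENDPOINT=http://tenant.example.com/license
WEB_SOCKET_ENDPOINT=ws://tenant.example.com/ws
REST_ENDPOINT=https://other-tenant.example.com/rest
CONNECTOR_URL=http://localhost:8080/Okta
CONNECTOR_SOT=8080
PROCESSING_METHOD=RABBIT
"""

FIXES = {
    "LIC_ENDPOINT": "https://tenant.example.com/license",
    "WEB_SOCKET_ENDPOINT": "wss://tenant.example.com/ws",
    "REST_ENDPOINT": "https://tenant.example.com/rest",
    "PROCESSING_METHOD": "RABBITMQ",
}

if __name__ == "__main__":
    before = check_agent_config(parse_properties(SAMPLE), "tenant.example.com", 8080)
    print("before:", *before, sep="\n  ")
    fixed = set_properties(SAMPLE, FIXES)
    print("after:", check_agent_config(parse_properties(fixed), "tenant.example.com", 8080))
```

Run it on the Tomcat host against the path given in step 3 after replacing SAMPLE with the file contents. Because this file tells the agent which endpoints to trust, keep write access to it limited to the account that runs Tomcat.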

Onboard the Okta application in CI

  1. To add an application from the global app store, go to Applications and click the ‘+’ symbol.
  2. In the AppStore pane, search for the Okta application.
  3. When it is displayed, click it to open the application configuration window.
  4. Fill out the required details in the Application Configuration tab.
    • Application Name: Provide a name. Example: Okta.
    • Connector War name: This is an uneditable text field.
    • Application logo: Choose a logo for the application.
  5. Click Save.
  6. Check for the Okta.war file in C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps.
    Note:
    The folder path may vary from client to client.
  7. If the Okta.war file doesn’t exist in the above location, download the war file from CI (go to the Applications menu > Application Configuration tab > click Download WarFile).
  8. Once the war file is downloaded, place it in C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps and restart the agent.

Application Account Attributes

  1. Go to Application Account Attributes and click +Add.
  2. Select the necessary attributes by checking the appropriate boxes and then click ADD.
  3. On the next screen, you can see the added application account attributes and map the attributes as per requirement.
  4. Select the Mapping method from the drop-down.
    • User Profile Attribute: When you choose this option, you need to define a user attribute that matches the corresponding attribute in Active Directory.
    • Assigning Group to the user based on expression calculation from UI: Groups can be assigned according to business logic by defining expressions in CI.

  5. Evaluation Operation: Select Create, Modify, or Both from the drop-down. This controls whether the selected account attributes are evaluated when a user account is created, modified, or in both cases.
  6. Sync with User Profile Attribute: Check the box to sync account attributes from the target application back to Cross Identity.

Add Roles in Cross Identity

  1. Navigate to Roles from the menu.
  2. Click Add Role. The Add Role screen appears.
  3. Click ADD.

Application Authorization

  1. Navigate to Application Authorization. The application authorization screen is displayed.
  2. Click Add Role and search for the role added in CI.
  3. Select the appropriate role and click ADD.
  4. To assign groups as birthright groups when a user is created, follow these steps after completing the Reconciliation operation. Adding birthright groups to all users' roles:
    • Click Entitlements.
    • Click Add Entitlements.
    • Search for the Group (entitlement) to which new users should be assigned as a birthright.
    • Check the entitlement (Group) name and click Add.

Accounts

  1. Navigate to Accounts.
  2. Select a unique attribute to link to identity and configure it as a display attribute.
  3. Click Save.

Entitlements

  1. Navigate to Entitlements.
  2. Click Entitlement Definition > Add Entitlement Definition.
  3. Enter the following details in the dialog:

    Sr. No. | Entitlement Name | Entitlement Key | Entitlement Value
    1       | okta             | return          | return

  4. The connector uses the entitlement key and value to fetch group details. According to the schema defined, the group names and their members are fetched and displayed in the Entitlements tab.
  5. Set schema details: in the connector, the Attribute Name fields name the fields in the respective API responses from which group names and group members are read. Attribute Display Name is a user-defined display name. The Mapped Attribute is mapped to the Display Name (the Display Name is treated as the unique key attribute and represents the group name), and the attribute marked for display is what appears in the CI UI Entitlements section.

    Sr. No. | Attribute name | Attribute Display Name | Mapped Attribute | Marked Display?
    1       | groupname      | groupName              | Username         | Yes
    2       | member         | member                 | Username         | No

Reconciliation

The Recon rule is required to link each CI identity to its respective account in the target application using a unique link attribute (such as email, employee ID, or sAMAccountName). Multiple attributes can be considered by choosing their priority.

  1. Navigate to Reconciliation.
  2. Click Run to initiate the recon.
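The Accounts section asks for a unique attribute to link accounts to identities, and the Recon rule above allows several such attributes ordered by priority. The following matcher shows what that linking has to get right: attributes are tried in priority order, a value present in the account but matching no identity falls through to the next attribute, exactly one match links the account, and a value shared by more than one identity is reported for manual review rather than auto-linked, because linking the wrong identity hands one person another person's access. This is an added example for this article, not Cross Identity's reconciliation engine; the identity and account records, their field names and the priority order are constructed for illustration.

```python
"""Link target-application accounts to CI identities by prioritised link attributes.

Added example for the Accounts and Reconciliation sections; not Cross Identity's
own code. Records, field names and the attribute order are constructed.
"""

LINK_ATTRIBUTES = ("employeeId", "email", "sAMAccountName")  # highest priority first (assumed)


def _norm(value):
    """Normalise a link value for comparison; None or blank means 'not present'."""
    return value.strip().lower() if isinstance(value, str) and value.strip() else None


def build_index(identities, link_attributes=LINK_ATTRIBUTES):
    """attribute -> normalised value -> set of identity ids holding that value."""
    index = {attr: {} for attr in link_attributes}
    for ident in identities:
        for attr in link_attributes:
            value = _norm(ident.get(attr))
            if value is not None:
                index[attr].setdefault(value, set()).add(ident["id"])
    return index


def reconcile(identities, accounts, link_attributes=LINK_ATTRIBUTES):
    """Return (linked, orphans, ambiguous).

    linked:    {account_id: identity_id} for accounts with exactly one match
    orphans:   account ids that matched no identity on any attribute
    ambiguous: {account_id: [identity_ids]} where the first matching attribute
               value is shared by several identities; never auto-linked.
    """
    index = build_index(identities, link_attributes)
    linked, orphans, ambiguous = {}, [], {}
    for acct in accounts:
        for attr in link_attributes:
            value = _norm(acct.get(attr))
            if value is None:
                continue                      # account lacks this attribute; try the next
            matches = index[attr].get(value, set())
            if len(matches) == 1:
                linked[acct["id"]] = next(iter(matches))
                break
            if len(matches) > 1:
                ambiguous[acct["id"]] = sorted(matches)
                break
            # no identity carries this value: fall through to the next attribute
        else:
            orphans.append(acct["id"])
    return linked, orphans, ambiguous


# Constructed sample data (not real identities or Okta accounts).
IDENTITIES = [
    {"id": "I1", "employeeId": "1001", "email": "ann@example.com", "sAMAccountName": "ann"},
    {"id": "I2", "employeeId": "1002", "email": "bob@example.com", "sAMAccountName": "bob"},
    # contractor record sharing Bob's mailbox: a duplicate email in the identity store
    {"id": "I3", "employeeId": "", "email": "bob@example.com", "sAMAccountName": "bob.contractor"},
]

ACCOUNTS = [
    {"id": "A1", "employeeId": "1001", "email": "ANN@example.com"},   # linked via employeeId
    {"id": "A2", "email": "bob@example.com"},                          # email shared by I2 and I3
    {"id": "A3", "email": "svc-okta@example.com"},                     # service account, no identity
    {"id": "A4", "employeeId": "9999", "sAMAccountName": "Bob"},      # falls through to sAMAccountName
]

if __name__ == "__main__":
    linked, orphans, ambiguous = reconcile(IDENTITIES, ACCOUNTS)
    print("linked:", linked)
    print("orphans:", orphans)
    print("ambiguous (review manually):", ambiguous)
```

Orphans and ambiguous matches are the output to review after each recon run: an orphan is an account in the target application that no identity owns, and an ambiguous match means the chosen link attribute is not actually unique in the identity store.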
