Skip to main content

Okta SAML integration

To enable Imply Hybrid (formerly Imply Cloud) Auth for your organization, contact your Imply account representative.

This topic describes how to configure Imply Hybrid to use Okta with Security Assertion Markup Language (SAML) as an external identity provider.

Before you begin, make sure you are logged in as an administrator to both the Imply Hybrid and Okta consoles. Setting up an identity provider in the Imply Hybrid Auth console requires User Manager role permissions.

Authentication

The following steps ensure that users can log in to Imply Hybrid with Okta:

  1. Set up an application in Okta for Imply Hybrid.
  2. Export the identity provider metadata document. This document includes the issuer's name, expiration, and keys to validate responses from the identity provider.
  3. Import the configuration into Imply Hybrid Auth.

Authorization

The following steps ensure that users can access certain assets in Imply Hybrid:

  1. Create groups in Okta, if not already present, to reflect usage in Imply Hybrid.
  2. Create composite roles in Imply Hybrid to map to the groups in Okta.
  3. Create mappers in Imply Hybrid to associate the groups to the composite roles.

Configure an Okta SAML identity provider

The general flow for configuring an Okta SAML identity provider is as follows:

  1. Add an identity provider
  2. Create an application in Okta
  3. Configure the SAML settings
  4. Add user role mappings

Add an identity provider

  1. Log in to the Imply Hybrid user management console.
  2. Click Identity Providers from the left menu.
  3. Expand the Add provider section and click SAML v2.0.
  4. For Alias, enter a unique alias for the identity provider. Notice that the alias appears in the Redirect URI path. Imply Hybrid uses the alias to build the redirect URI and label the identity provider button on the login screen. Save the redirect URI value, since you will need it to create an application for Imply Hybrid in Okta.
  5. Optionally, choose the first login and post login flows. By default, the first login flow uses first broker login. See Common settings for more information.

Create an application in Okta

As an Okta administrator, log in to the Okta administration console and follow these steps to create an application for Imply Hybrid:

  1. In the Okta administration console, go to Applications > Applications.
  2. Click Create App Integration.
  3. For Sign-in method, select SAML 2.0.
  4. Select Web for the type of application to integrate with Okta.
  5. Click Next.
  6. In General:
    • For Single sign on URL, enter the redirect URI from Add an identity provider.
    • For Audience URI (SP Entity ID), enter the same redirect URI as in Single sign on URL.
  7. Complete the steps in the Okta application integration wizard, including assigning the app to users.

The completed configuration should look similar to the following: Okta config

Imply Hybrid Auth only supports service provider-initiated SSO. Because of this, you cannot add Imply Hybrid as an app integration to your Okta Dashboard. Instead, create an Okta Bookmark App integration with the URL set to the login page https://ORGANIZATION_NAME.implycloud.com. Replace ORGANIZATION_NAME with the name of your organization. For instructions on how to create a Bookmark App integration, refer to the official Okta documentation.

Configure the SAML settings

From the Imply Hybrid user management console, navigate to the identity provider settings. In the SAML Config section, configure the following settings:

  1. For Single Sign-On Service URL, enter the single sign-on URL provided by Okta.
  2. Optionally, complete the remaining fields.
  3. Click Save.

You should now be able to access Imply Hybrid with an authenticated session. In most cases, you will want to map user attributes to roles in Imply Hybrid, as described in the next section.

Add user role mappings

Mappers associate user properties from the identity provider to roles in Imply Hybrid. Before configuring mappers, determine which Imply Hybrid roles should be mapped to the SAML attributes. You may need to create those properties for the purpose, if they don't already exist.

To add a mapper, follow these steps:

  1. In the Imply Hybrid user management console, navigate to Identity Providers > Mappers, then click Create.
  2. Configure the mapper as follows:
    • Name: Enter a name for the mapper.
    • For Sync Mode Override, choose from the following options:
      • Import: Import data only from when Imply Hybrid created the user at first login.
      • Force: Update user data at each login.
      • Inherit: Use the sync mode configured in the identity provider. All other options override this sync mode.
    • Attribute Name: Enter the name of the Okta user attribute.
    • Attribute Value: Enter the value of the attribute to map to the Imply Hybrid role.
    • Role: Enter the Imply Hybrid role you want to map this user attribute to.
  3. Click Save. Users can now log in to Imply Hybrid with authenticated Okta sessions.

Optionally, you can map attribute statements from Okta to user session attribute values in Imply Hybrid. This eliminates the need to provide usernames and email addresses or other attributes at first login. The following screenshot shows the attribute statement configuration for an Okta SAML application:

SAML config

To have the attribute value propagated to Imply Hybrid, configure the attribute mapping as you would a role mapping.