Okta SSO Configuration Guide (SCIM 2.0)

Learn how to set up Okta SCIM for Single Sign-On, create users and groups, import users and groups, update certain user attributes, and even deactivate users through the Okta application. This article also covers some troubleshooting tips in case users run into any issues. 

Skip Ahead To...

Requirements

Available Actions

Configuration Instructions

FedRAMP Configuration Instructions

- Set up Okta App

- Okta SCIM Configuration For EgnyteGov Customers

Migration Steps For Users Of Egnyte SCIM 1.0 App In Okta

Troubleshooting

Requirements

  • An Egnyte Admin account is needed to perform all of the provisioning actions from Okta.

 

Available Actions

With the new Okta SCIM provisioning, the user can complete the following actions: 

  • Create Users: Users assigned to the Okta Egnyte application will be automatically created and registered in the associated Egnyte domain. Provisioned users will be able to log into their Egnyte account through the Okta SSO or by clicking their Egnyte application from their Okta home page.

    Okta SCIM 2.0 does not support role modification for power users and always creates new Power Users with the default role.

  • Create Groups: Groups and their members can be assigned and pushed from Okta to Egnyte. Groups can also be linked to an existing Group in Egnyte. For the membership to be assigned, Users who are members of the respective Groups need to be first assigned to the Okta Egnyte app.
  • Update User Attributes: Updates made to the user’s Okta profile will also update the associated attributes in the user’s Egnyte profile according to the attribute mapping set for the application. See the Configuration Instructions section of this article for more details.
  • Deactivate Users: Deactivating the user or disabling the user’s access to the Egnyte application through Okta will result in deactivating the user’s account on the associated Egnyte domain. The user will not be deleted in Egnyte and can be reactivated manually if required.
  • Import Users: Importing users through Okta will list all of the users from the associated Egnyte domain and allow them to be linked to existing Okta users or to create new Okta users. Users associated with the Egnyte application in Okta will be able to log in as previously described. User attributes will be assigned according to the attribute mapping set for the application. Refer to the Configuration Instructions section of this article for more information.
  • Import Groups: Importing users through Okta will also import their associated Groups. Such groups can be assigned to the Egnyte application and will contain the same users (as long as they are assigned to Okta as well).

 

Configuration Instructions

Before continuing with the steps below, ensure that the requirements are complete and the user is logged in as an Admin in Okta.

  1. Navigate to Applications -> Add Applications and search for Egnyte in the search field. Select Egnyte SCIM 2.0 from the search results.
    [Screenshot: Okta SCIM - go to applications] [Screenshot: Okta SCIM - select SCIM 2.0 app]
  2. Ensure that the Subdomain setting under General Settings is configured to the Egnyte domain name and click Next.
    [Screenshot: Okta SCIM - config - general tab]
  3. In Sign-On Methods, select SAML 2.0, click the copy option under the Metadata URL, and open it in a browser. It will display XML, which needs to be saved as an .xml file. This file can be used to import the configuration into Egnyte. Click View SAML setup instructions to view the configuration details; these will be required in step 8 below.
    [Screenshot: Okta SCIM - copy metadata xml]
  4. Under the Credentials Details section, set the Application username format to Email prefix. Click Save.
    [Screenshot: Okta SCIM - e-mail prefix]
  5. To continue the setup in Egnyte, log into the Egnyte account as an Administrator.
  6. Navigate to the following location: Settings -> Configuration -> Security & Authentication.
  7. Scroll down to the Single Sign-On Authentication section, select SAML 2.0 from the Single sign-on authentication drop-down, and choose Okta from the Identity provider drop-down.
    [Screenshot: Okta SCIM - enable SAML 2.0 in Egnyte]

  8. Enter the information provided in the Setup Instructions from Okta in the following fields:
    Identity provider login URL
    Identity provider entity ID
    Identity provider certificate
    API key*: This will be needed if SSO users will access (S)FTP or WebDAV. See the steps below.
    Default user mapping: Select the appropriate option from the drop-down.

    [Screenshot: Okta SCIM - populate information in security authentication]
    Alternatively, the user can also import the metadata using the .xml file saved in step 3 above. Click on the import metadata XML file link and upload the saved .xml file.
    [Screenshot: Okta SCIM - import xml file]

    Users must manually refresh the page after configuring SSO details in Egnyte.


    *To generate an Okta API key, navigate back to Okta, open the Security tab, and select API.
    [Screenshot: Okta SCIM - select API under security]
  9. Open the Tokens tab, click Create Token.
    [Screenshot: Okta SCIM - tokens tab]
  10. Enter a name for the token and select the option for where API calls made with this token must originate from. Click Create Token to generate the key. Copy this token and paste it into the API key field in Egnyte.
    [Screenshot: Okta SCIM - create token]
    [Screenshot: Okta SCIM - copy okta token]
  11. Click Save once all of the information has been entered. 
  12. Navigate back to the Provisioning tab of the Egnyte app in Okta and click Integration.
  13. In another tab, go to https://eg-okta-scim.appspot.com/ to generate an API Key that will be used in the next step. 
    [Screenshot: Okta SCIM - get token for regular domain]
  14. Enable and test API Integration. 
    • Check the box for Enable API Integration and paste the Egnyte API key (API token generated in the previous step) into the API Token field. 
    • Click the Test API Credentials button. The user should see a success message. 
    • Click Save on receiving the message.
    [Screenshot: Okta SCIM - provisioning - enable integration]


  15. Navigate to the Settings menu, select To App from the left menu, and click Edit.
    [Screenshot: Okta SCIM - click edit in provisioning tab]
  16. Check the box next to Create Users, Update User Attributes, and Deactivate Users. Click Save.
    [Screenshot: Okta SCIM - enable and save provisioning tab]
  17. After SCIM Provisioning has been enabled, go to the Import tab of the Egnyte app instance. Click Import Now.
    [Screenshot: Okta SCIM - import now button]
  18. After the users and groups from Egnyte are downloaded, select the ones to be created or linked in Okta, and then click on Confirm Assignments.
    [Screenshot: Okta SCIM - select user for assignments]
  19. A pop-up will appear asking if the user would like to proceed with the assignment confirmation. Click Confirm.
    [Screenshot: Okta SCIM - confirm imported user assignments]
  20. Verify the assignments in the Assignments tab.
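Step 3 above saves the Okta IdP metadata as an .xml file, and step 8 asks for three values that live inside it. The following Python script is an added example, not Egnyte's or Okta's own code: it parses such a metadata file and returns the Identity provider login URL (the HTTP-POST SingleSignOnService endpoint), the Identity provider entity ID and the signing certificate, so they can be compared with the Setup Instructions before being pasted into Egnyte. The embedded SAMPLE_METADATA is constructed, with placeholder entity ID, URLs and certificate body. Whether Egnyte's certificate field expects the bare base64 from the metadata or a PEM block is an assumption, so to_pem is provided for the latter case.

```python
"""Extract the three Egnyte SSO fields from an Okta IdP metadata XML file.

Added example; it is not Egnyte's or Okta's own code. It reads the metadata
saved in step 3 and returns the values that step 8 asks for: the identity
provider login URL (the HTTP-POST SingleSignOnService Location), the identity
provider entity ID, and the signing certificate. SAMPLE_METADATA is constructed
for offline runs: the entity ID, URLs and certificate body are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like Okta IdP metadata; every value is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkPLACEHOLDER0000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDexampleCertPlaceholder0001
            MIIDexampleCertPlaceholder0002
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-org.okta.com/app/exampleapp/exkPLACEHOLDER0000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-org.okta.com/app/exampleapp/exkPLACEHOLDER0000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return the Egnyte Security & Authentication fields found in IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider (no IDPSSODescriptor)")

    # The login URL Egnyte needs is the HTTP-POST SSO endpoint; other bindings are ignored.
    login_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_POST_BINDING:
            login_url = sso.get("Location")
            break
    if not login_url:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint in metadata")

    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if el is not None and el.text and el.text.strip():
            cert = "".join(el.text.split())  # drop line breaks and indentation
            break
    if cert is None:
        raise ValueError("no signing X509Certificate in metadata")

    return {
        "identity_provider_login_url": login_url,
        "identity_provider_entity_id": entity_id,
        "identity_provider_certificate": cert,
    }


def to_pem(cert_b64):
    """Wrap the bare base64 body from the metadata as a PEM certificate block."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Pass the saved .xml path as the first argument; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for field, value in parse_idp_metadata(text).items():
        print(f"{field}: {value}")
```

Run it with the saved .xml path as its first argument; with no argument it parses the constructed sample. A metadata file without an IDPSSODescriptor, without an HTTP-POST SingleSignOnService endpoint or without a signing certificate raises a ValueError instead of returning partial values, which is the failure you want to see before saving a half-filled SSO configuration in Egnyte.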

 

FedRAMP Configuration Instructions

Set up Okta App

  1. Log in to the Okta instance as an admin. Go to the Applications section. Click on Create App Integration.
    [Screenshot: Okta SCIM - applications - create integration button]
  2. In the modal, select SAML 2.0 and click Next.
    [Screenshot: Okta SCIM - select 2.0 for custom application]
  3. In the General settings, enter the app name and app logo (optional), select the app visibility options, and click Next.
    [Screenshot: Okta SCIM - create SAML integration - general settings]
  4. In Configuration SAML Settings, fill in the following fields (replace egnyte_domain with the actual domain name):
    • Single sign-on URL: https://egnyte_domain.egnytegov.com/samlconsumer
    • Audience URI (SP Entity ID): https://egnyte_domain.egnytegov.com
    • For Application username, choose either:
      • the default value Okta username, if the Egnyte domain's Default user mapping is Email address
      • the value Okta username prefix, if the Egnyte domain's Default user mapping is Egnyte username

    [Screenshot: Okta SCIM - configuration SAML integration]
  5. Click Next at the bottom of the screen, then click Finish on the next page without changing any values.
    [Screenshot: Okta SCIM - create SAML integration final step]
  6. Once redirected to the Sign on tab of the newly created application, scroll down and open View SAML setup instructions in a separate tab. These will be needed for the Egnyte domain setup.
    [Screenshot: Okta SCIM - view SAML instructions]
  7. Go to the Assignments tab. Assign users and groups as required. Make sure that the assigned Username is later reflected in Egnyte users as the IdP username.
    [Screenshot: Okta SCIM - Assignments tab]

Okta SCIM Configuration For EgnyteGov Customers

  1. Click on the General Tab of the newly created Okta app, and click on Edit in App Settings.
    [Screenshot: Okta SCIM - click edit on general tab]
  2. Select the SCIM option in Provisioning and click Save.
    [Screenshot: Okta SCIM - select SCIM in provisioning field under general tab]
  3. A Provisioning tab will now appear. Click on the Provisioning tab. Click on Edit to edit the SCIM connection.
    [Screenshot: Okta SCIM - click edit on provisioning tab in custom app]
  4. Enter the following field values:
    • SCIM connector base URL: https://<domain_name>.egnytegov.com/pubapi/scim/v2
      E.g. if the domain name is virtucon, the URL will be https://virtucon.egnytegov.com/pubapi/scim/v2
    • Unique identifier field for users: userName
    • Supported provisioning actions: select all the options
      • Import New Users and Profile Updates
      • Push New Users
      • Push Profile Updates
      • Push Groups
      • Import Groups
    • Authentication Mode: HTTP Header

    [Screenshot: Okta SCIM - provisioning tab - save]
  5. Now navigate to https://scim-20.egnytegov.com/, enter the Egnyte domain name, and click on Generate token.
    [Screenshot: Okta SCIM - get token for fedramp domain]
  6. Copy the token and paste it into the Token textbox in the HTTP Header section.
  7. Then click Test Connector Configuration.
    [Screenshot: Okta SCIM - test connector configuration]
  8. Click Save.
  9. The page will be refreshed and the user should still be on the Provisioning tab. Click Edit and go to To App section.
  10. Enable the following:
    • Create Users
    • Update User Attributes
    • Deactivate Users

    [Screenshot: Okta SCIM - enable and save provisioning tab]
  11. Click Save.
  12. Scroll down to Attribute Mappings and delete all the attributes listed except for userName, givenName, familyName, email, and userType.
  13. Navigate to the Sign-on tab and click Edit in Settings.
    [Screenshot: Okta SCIM - click on edit in sign on tab]
  14. Scroll down to Credentials Details and change the Application username format to Email prefix. Click Save.
    [Screenshot: Okta SCIM - e-mail prefix]

Migration Steps For Users Of Egnyte SCIM 1.0 App In Okta

The Egnyte integration has been updated to provide a better overall experience to Okta customers and to provide the ability to provision both Users and Groups to Egnyte using the SCIM 2.0 protocol. To take advantage of these updates, the user needs to add a new instance of Egnyte (Egnyte SCIM 2.0) in their Okta organization. If they already have an existing instance of Egnyte SCIM 1.0, follow the steps below to migrate from that old instance to the newly updated instance of Egnyte. Note that keeping both instances active at the same time will lead to errors and mismatches, as both will try to manage Egnyte resources simultaneously.

  1. Navigate to Applications -> Applications and search for Egnyte in the search field. Select Egnyte SCIM 2.0 from the search results.
    [Screenshot: Okta SCIM - go to applications] [Screenshot: Okta SCIM - select SCIM 2.0 app]
  2. Configure the application including all provisioning requirements. See the Configuration Instructions section of this guide for more information.

    Performing steps 3-5 will import all Users and Groups from Egnyte to Okta. Since the Okta implementation does not fully support Groups, this may lead to the creation of duplicate or empty Group objects. Contact Okta support before initiating the Import to have them guide you through the process. If the user does not wish to import data from Egnyte and instead chooses to add Users and Groups manually, they can skip to step 6.

  3. After SCIM Provisioning has been enabled, go to the Import tab of the new Egnyte app instance. Click Import Now.
    [Screenshot: Okta SCIM - import now button]
  4. After the users from Egnyte are downloaded, select the users to be created or linked in Okta, and then click on Confirm Assignments.
    [Screenshot: Okta SCIM - select user for assignments]
  5. A pop-up will appear asking for confirmation. Click Confirm.
    [Screenshot: Okta SCIM - confirm imported user assignments]
  6. Go back to the Admin Dashboard.
  7. Open the old Egnyte app instance.

    This is the previous Egnyte app that was added before adding a new one in step 4.

  8. Go to the Provisioning tab.
  9. In the Settings section, click Integration.
  10. Click on Edit and uncheck Enable API Integration. Click Save.
    [Screenshot: Okta SCIM - unselect enable integration SCIM 1.0]
  11. The old Egnyte app instance can now be deactivated or deleted.
    [Screenshot: Okta SCIM - deactivate SCIM 1.0]

If the user was using SAML 2.0 as the sign-on mode for their old Egnyte app instance, they will need to set up SAML 2.0 on their new Egnyte app instance in Okta. To do so, refer to step 3 in the Configuration Instructions section. Remember that the Security & Authentication settings in Egnyte will also have to be updated with the new Identity Provider metadata.

 

Troubleshooting

Egnyte Username

Egnyte doesn't support email-based usernames. To avoid provisioning issues, go to Sign On, open Settings, click Credential Details, and update Application Username Format to either Okta username prefix or Email prefix.

In rare cases, the email or username may contain characters that are not supported by the Egnyte username pattern and need to be changed manually during user assignment in Okta.

Update User Email In Okta

If an email is changed, it may result in the username provisioned in Egnyte being changed as well. This will result in an error, as Egnyte does not currently support username changes with SAML/SSO. The current workaround is to change the username back manually in Okta Assignments.

Create A User - User Type Issues

The user type in Okta is case-sensitive and accepts only the following values.

  • admin
  • power
  • standard

If a user type is not defined in Okta, the user will be created in Egnyte as a Power User. This applies to users with both Individual and Group Assignment types.

Create User - Default Values

If an Okta user profile does not have the following values specified (or has them set to "Undefined"), the following values will automatically be assigned:

User Type: Users created by Okta in Egnyte will, by default, have their User Type set to power if not specified. Other options available in Egnyte are admin and standard.

Authentication Type: Users created by Okta in Egnyte will, by default, have their Authentication set to SSO. They will also have their IdP Username set to email or Egnyte username, depending on the Default user mapping option selected in Egnyte. This can be found in the Security & Authentication section under Configuration Settings.
If a user is created with Egnyte Authentication and then changed to SSO Authentication, IdP Username will not be set by default and needs to be updated manually in Egnyte.

Sending Invite Email: The default value is True, meaning that each newly created user will receive an invitation email.

Is user a Service Account: The default value is False. When a Service Account is set to True, the parameter Sending Invite Email must be set to False.
When creating a Service Account user, Okta will automatically generate a randomized password. To avoid provisioning issues, it's necessary to set the default password length in Okta to 12 characters, by going to Security > Authentication > Password > Password Settings and updating the Minimum length value. Since the Okta-generated password cannot be seen, the admin will need to manually reset the password on the Egnyte side for each Service Account created by SCIM 2.0 Okta integration.

Two-Factor Authentication: Access to this feature on the Egnyte side depends on the selected Billing Plan. It will default to the value specified in the Egnyte domain settings.
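The rules in this Troubleshooting section (no email-based usernames, unsupported username characters, case-sensitive userType values, the power default, and the service account constraints) can be checked on the Okta side before a push rather than discovered as provisioning errors. The following Python script is an added example, not Egnyte's or Okta's own code, that applies them to a list of Okta profile records. Assumptions, labelled in the code as well: the attribute names isServiceAccount and sendInviteEmail, the org's Okta minimum password length (supplied by the caller), and the username character pattern, which this page does not spell out; the SAMPLE_PROFILES are constructed.

```python
"""Pre-push check of Okta user profiles against the Egnyte SCIM 2.0 rules above.

Added example; it is not Egnyte's or Okta's own code. It applies the
Troubleshooting rules on this page (no email-based usernames, case-sensitive
userType values, the defaults Egnyte applies, and the service-account
constraints) to constructed Okta profile records and lists what would fail or
be silently defaulted. Assumptions: the attribute names isServiceAccount and
sendInviteEmail, the Okta minimum password length passed in by the caller,
and the username character pattern, which the page does not spell out.
"""
import re

ALLOWED_USER_TYPES = ("admin", "power", "standard")  # case-sensitive, per the page
DEFAULT_USER_TYPE = "power"                         # assigned by Egnyte when userType is unset
SERVICE_ACCOUNT_MIN_PASSWORD_LENGTH = 12            # Okta minimum needed for service accounts
# Assumed username rule for illustration only; the page just says some characters
# in an email or username are not accepted by Egnyte's username pattern.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed sample profiles (nothing here comes from a real Okta org).
SAMPLE_PROFILES = [
    {"login": "alice@example.com", "email": "alice@example.com", "userType": "standard"},
    {"login": "bob@example.com", "email": "bob.o'neil@example.com", "userType": "Power"},
    {"login": "svc-backup@example.com", "email": "svc-backup@example.com",
     "isServiceAccount": True, "sendInviteEmail": True},
]


def application_username(profile, username_format):
    """The userName value Okta sends for the chosen Application username format."""
    if username_format == "Email prefix":
        return profile["email"].split("@", 1)[0]
    if username_format == "Okta username prefix":
        return profile["login"].split("@", 1)[0]
    if username_format == "Okta username":
        return profile["login"]
    raise ValueError(f"unsupported Application username format: {username_format!r}")


def check_profile(profile, username_format, okta_min_password_length):
    """Return (username, issues): what Egnyte would receive and a list of findings."""
    issues = []
    username = application_username(profile, username_format)

    if "@" in username:
        issues.append("username is email-based; use 'Okta username prefix' or 'Email prefix'")
    elif not USERNAME_RE.match(username):
        issues.append(f"username {username!r} has characters outside the assumed Egnyte "
                      "pattern; edit it manually in the Okta assignment")

    user_type = profile.get("userType")
    if user_type in (None, "", "Undefined"):
        issues.append(f"userType unset; Egnyte will create the user as {DEFAULT_USER_TYPE!r}")
    elif user_type not in ALLOWED_USER_TYPES:
        hint = " (values are case-sensitive)" if user_type.lower() in ALLOWED_USER_TYPES else ""
        issues.append(f"userType {user_type!r} is not one of {list(ALLOWED_USER_TYPES)}{hint}")

    if profile.get("isServiceAccount", False):
        if profile.get("sendInviteEmail", True):
            issues.append("service account must have Sending Invite Email set to False")
        if okta_min_password_length < SERVICE_ACCOUNT_MIN_PASSWORD_LENGTH:
            issues.append(f"Okta minimum password length is {okta_min_password_length}; raise it to "
                          f"{SERVICE_ACCOUNT_MIN_PASSWORD_LENGTH} before creating service accounts")
    return username, issues


def check_profiles(profiles, username_format, okta_min_password_length):
    """Map each derived username to its findings; clean profiles are omitted."""
    report = {}
    for profile in profiles:
        username, issues = check_profile(profile, username_format, okta_min_password_length)
        if issues:
            report[username] = issues
    return report


if __name__ == "__main__":
    # Constructed run: Email prefix format, with an org minimum password length of 8.
    for username, issues in check_profiles(SAMPLE_PROFILES, "Email prefix", 8).items():
        print(username)
        for issue in issues:
            print("  -", issue)
```

On the constructed sample, alice passes, bob.o'neil is flagged twice (an apostrophe in the derived username and the capitalised "Power"), and svc-backup is flagged for the unset userType, the invite e-mail being left on, and an org password minimum below 12. Running the same check with the "Okta username" format shows why the page recommends a prefix format: the derived username is then the full e-mail address, which Egnyte does not accept.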

Import Groups

Currently, Egnyte groups are being imported as objects that are different from the Okta-based Groups and cannot be edited in Okta.

Invalid OAuth Bearer Token

When an invalid OAuth Bearer Token is submitted in Provisioning - Integration, the following error will be displayed: "Error authenticating: Unauthorized. Errors reported by remote server(...)."

Contact Egnyte Support if this error occurs.

 
