Learn how to set up Okta SCIM for Single Sign-On, create users and groups, import users and groups, update certain user attributes, and even deactivate users through the Okta application. This article also covers some troubleshooting tips in case users run into any issues.
Skip Ahead To...
- Requirements
- Available Actions
- Configuration Instructions
- FedRAMP Configuration Instructions
  - Set up Okta App
  - Okta SCIM Configuration For EgnyteGov Customers
- Migration Steps For Users Of Egnyte SCIM 1.0 App In Okta
- Troubleshooting
Requirements
- An Egnyte Admin account is needed to perform all of the provisioning actions from Okta.
Available Actions
With the new Okta SCIM provisioning, the user can complete the following actions:
- Create Users: Users assigned to the Okta Egnyte application will be automatically created and registered in the associated Egnyte domain. Provisioned users will be able to log into their Egnyte account through the Okta SSO or by clicking their Egnyte application from their Okta home page. Note that Okta SCIM 2.0 does not support role modification for Power Users and always creates new Power Users with the default role.
- Create Groups: Groups and their members can be assigned and pushed from Okta to Egnyte. Groups can also be linked to an existing Group in Egnyte. For the membership to be assigned, users who are members of the respective Groups must first be assigned to the Okta Egnyte app.
- Update User Attributes: Updates made to the user's Okta profile will also update the associated attributes in the user's Egnyte profile according to the attribute mapping set for the application. See the Configuration Instructions section of this article for more details.
- Deactivate Users: Deactivating the user or disabling the user's access to the Egnyte application through Okta will deactivate the user's account on the associated Egnyte domain. The user will not be deleted in Egnyte and can be reactivated manually if required.
- Import Users: Importing users through Okta will list all of the users from the associated Egnyte domain and allow them to be linked to existing Okta users or used to create new Okta users. Users associated with the Egnyte application in Okta will be able to log in as previously described. User attributes will be assigned according to the attribute mapping set for the application. Refer to the Configuration Instructions section of this article for more information.
- Import Groups: Importing users through Okta will also import their associated Groups. Such groups can be assigned to the Egnyte application and will contain the same users (as long as they are assigned in Okta as well).
Configuration Instructions
Before continuing with the steps below, ensure that the requirements are complete and the user is logged in as an Admin in Okta.
1. Navigate to Applications -> Add Applications and search for Egnyte in the search field. Select Egnyte SCIM 2.0 from the search results.
2. Ensure that the Subdomain setting under General Settings is configured to the Egnyte domain name and click Next.
3. In Sign-On Methods, select SAML 2.0, click the copy option under the Metadata URL, and open it in a browser. It displays XML, which needs to be saved in an .xml file; this file can be used to import the configuration into Egnyte. Click View SAML setup instructions to view the configuration details. These will be required in step 8 below.
4. Under the Credentials Details section, set the Application username format to Email prefix. Click Save.
5. To continue the setup in Egnyte, log into the Egnyte account as an Administrator.
6. Navigate to Settings -> Configuration -> Security & Authentication.
7. Scroll down to the Single Sign-On Authentication section, select SAML 2.0 from the Single sign-on authentication drop-down, and choose Okta from the Identity provider drop-down.
8. Enter the information provided in the Setup Instructions from Okta in the following fields:
   - Identity provider login URL
   - Identity provider entity ID
   - Identity provider certificate
   - API key*: This will be needed if SSO users will access (S)FTP or WebDAV. See the steps below.
   - Default user mapping: Select the appropriate option from the drop-down.
   Alternatively, the user can import the metadata using the .xml file saved in step 3 above: click the import metadata XML file link and upload the saved .xml file.
   Users must manually refresh the page after configuring SSO details in Egnyte.
   *To generate an Okta API key, navigate back to Okta, open the Security tab, and select API.
   - Open the Tokens tab and click Create Token.
   - Enter a name for the token and select the origin from which API calls made with this token must come. Click Create Token to generate the key. Copy the token and paste it into the API key field in Egnyte.
9. Click Save once all of the information has been entered.
10. Navigate back to the Provisioning tab of the Egnyte app in Okta and click Integration.
11. In another tab, go to https://eg-okta-scim.appspot.com/ to generate an API key that will be used in the next step.
12. Enable and test the API integration:
    - Check the box for Enable API Integration and paste the Egnyte API key (the API token generated in the previous step) into the API Token field.
    - Click the Test API Credentials button. A success message should appear.
13. Click Save on receiving the message.
14. Navigate to the Settings menu, select To App from the left menu, and click Edit.
15. Check the boxes next to Create Users, Update User Attributes, and Deactivate Users. Click Save.
16. After SCIM Provisioning has been enabled, go to the Import tab of the Egnyte app instance. Click Import Now.
17. After the users and groups from Egnyte are downloaded, select the ones to be created or linked in Okta, and then click Confirm Assignments.
18. A pop-up will ask whether to proceed with the assignment confirmation. Click Confirm.
19. Verify the assignments in the Assignments tab.
FedRAMP Configuration Instructions
Set up Okta App
1. Log in to the Okta instance as an admin. Go to the Applications section and click Create App Integration.
2. In the modal, select SAML 2.0 and click Next.
3. In the General settings, enter the app name and (optionally) an app logo, select the app visibility options, and click Next.
4. In the SAML Settings configuration, fill in the following fields (replace egnyte_domain with the actual domain name):
   - Single sign-on URL: https://egnyte_domain.egnytegov.com/samlconsumer
   - Audience URI (SP Entity ID): https://egnyte_domain.egnytegov.com
5. For Application username, choose either:
   - the default value, Okta username, if the Egnyte domain uses Email address as its Default user mapping
   - Okta username prefix if the Egnyte domain uses Egnyte username as its Default user mapping
6. Click Next at the bottom of the screen, then click Finish on the next page without changing any values.
7. Once redirected to the Sign on tab of the newly created application, scroll down and open View SAML setup instructions in a separate tab. These will be needed for the Egnyte domain setup.
8. Go to the Assignments tab and assign users and groups as required. Make sure that each assigned Username matches the IdP username later shown for the corresponding Egnyte user.
Okta SCIM Configuration For EgnyteGov Customers
1. Click the General tab of the newly created Okta app, and click Edit in App Settings.
2. Select the SCIM option under Provisioning and click Save.
3. A Provisioning tab now appears. Open it and click Edit to edit the SCIM connection.
4. Enter the following values:
   - SCIM connector base URL: https://<domain_name>.egnytegov.com/pubapi/scim/v2 (for example, if the domain name is virtucon, the URL is https://virtucon.egnytegov.com/pubapi/scim/v2)
   - Unique identifier field for users: userName
   - Supported provisioning actions: select all the options
     - Import New Users and Profile Updates
     - Push New Users
     - Push Profile Updates
     - Push Groups
     - Import Groups
   - Authentication Mode: HTTP Header
5. Navigate to https://scim-20.egnytegov.com/, enter the Egnyte domain name, and click Generate token.
6. Copy the token and paste it into the Token textbox in the HTTP Header section.
7. Click Test Connector Configuration.
8. Click Save.
9. The page refreshes and the Provisioning tab stays open. Click Edit and go to the To App section.
10. Enable the following:
    - Create Users
    - Update User Attributes
    - Deactivate Users
11. Click Save.
12. Scroll down to Attribute Mappings and delete all the attributes listed except userName, givenName, familyName, email, and userType.
13. Navigate to the Sign-on tab and click Edit in Settings.
14. Scroll down to Credentials Details and change the Application username format to Email prefix. Click Save.
Migration Steps For Users Of Egnyte SCIM 1.0 App In Okta
The Egnyte integration has been updated to provide a better overall experience for Okta customers and to provision both Users and Groups to Egnyte using the SCIM 2.0 protocol. To take advantage of these updates, the user needs to add a new instance of Egnyte (Egnyte SCIM 2.0) to their Okta organization. If they already have an existing instance of Egnyte SCIM 1.0, follow the steps below to migrate from that old instance to the new instance. Note that keeping both instances active at the same time will lead to errors and mismatches, as both will try to manage Egnyte resources simultaneously.
1. Navigate to Applications -> Applications and search for Egnyte in the search field. Select Egnyte SCIM 2.0 from the search results.
2. Configure the application, including all provisioning requirements. See the Configuration Instructions section of this guide for more information.
Performing steps 3-5 will import all Users and Groups from Egnyte to Okta. Since the Okta implementation does not fully support Groups, this may create duplicate or empty Group objects. Contact Okta support before initiating the Import so they can guide you through the process. If the user does not wish to import data from Egnyte and instead chooses to add Users and Groups manually, they can skip to step 6.
3. After SCIM Provisioning has been enabled, go to the Import tab of the new Egnyte app instance. Click Import Now.
4. After the users from Egnyte are downloaded, select the users to be created or linked in Okta, and then click Confirm Assignments.
5. A pop-up will appear asking for confirmation. Click Confirm.
6. Go back to the Admin Dashboard.
7. Open the old Egnyte app instance. This is the previous Egnyte app that was added before adding a new one in step 4.
8. Go to the Provisioning tab.
9. In the Settings section, click Integration.
10. Click Edit and uncheck Enable API Integration. Click Save.
11. The old Egnyte app instance can now be deactivated or deleted.
If the user was using SAML 2.0 as the sign-on mode for their old Egnyte app instance, they will need to set up SAML 2.0 on their new Egnyte app instance in Okta. To do so, refer to step 3 in the Configuration Instructions section. Remember that the Security & Authentication settings in Egnyte will also have to be updated with the new Identity Provider metadata.
Troubleshooting
Egnyte Username
Egnyte doesn't support email-based usernames. To avoid provisioning issues, go to Sign On, open Settings, click Credential Details, and update Application Username Format to either Okta username prefix or Email prefix.
In rare cases, the email or username may contain signs that are not supported by the Egnyte username pattern and need to be changed manually during user assignment in Okta.
Update User Email In Okta
If an email is changed, the username provisioned in Egnyte may be changed as well. This results in an error, as Egnyte does not currently support username changes with SAML/SSO. The current workaround is to change the username back manually in Okta Assignments.
Create A User - User Type Issues
The user type in Okta is case-sensitive and accepts only the following values.
- admin
- power
- standard
If the user type is not defined in Okta, the user will be created in Egnyte as a Power User. This affects users with both Individual and Group assignment types.
Create User - Default Values
If an Okta user profile does not have the following values specified (or has them set to "Undefined"), the following values will automatically be assigned:
User Type: Users created by Okta in Egnyte will, by default, have their User Type set to power if not specified. Other options available in Egnyte are admin and standard.
Authentication Type: Users created by Okta in Egnyte will, by default, have their Authentication set to SSO. They will also have their IdP Username set to email or Egnyte username, depending on the Default user mapping option selected in Egnyte. This can be found in the Security & Authentication section under Configuration Settings.
If a user is created with Egnyte Authentication and then changed to SSO Authentication, IdP Username will not be set by default and needs to be updated manually in Egnyte.
Sending Invite Email: The default value is True, meaning that each newly created user will receive an invitation email.
Is user a Service Account: The default value is False. When a Service Account is set to True, the parameter Sending Invite Email must be set to False.
When creating a Service Account user, Okta will automatically generate a randomized password. To avoid provisioning issues, it's necessary to set the default password length in Okta to 12 characters, by going to Security > Authentication > Password > Password Settings and updating the Minimum length value. Since the Okta-generated password cannot be seen, the admin will need to manually reset the password on the Egnyte side for each Service Account created by SCIM 2.0 Okta integration.
Two-Factor Authentication: Access to this feature on the Egnyte side depends on the selected Billing Plan. It will default to the value specified in the Egnyte domain settings.
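As an added example (not Egnyte's or Okta's own code), the following Python pre-flight check applies the EgnyteGov connector URL format from the FedRAMP section and the username, user type, default value and Service Account rules from the troubleshooting notes above to the attributes Okta would push. The allowed username character set and the keys sendInviteEmail and isServiceAccount are assumptions standing in for the Okta fields named on the page.

```python
import re

# Okta "userType" values the page lists; the match is case-sensitive.
USER_TYPES = {"admin", "power", "standard"}
# Assumed shape of an Egnyte-compatible username (letters, digits, dot,
# underscore, hyphen); the page only says that some characters are rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def connector_base_url(domain):
    """SCIM connector base URL for an EgnyteGov domain, in the form the page gives."""
    if not re.fullmatch(r"[a-z0-9-]+", domain):
        raise ValueError(f"invalid Egnyte domain name: {domain!r}")
    return f"https://{domain}.egnytegov.com/pubapi/scim/v2"


def email_prefix(email):
    """Okta's 'Email prefix' application username format: the part before '@'."""
    local, at, _ = email.partition("@")
    if not at or not local:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local


def check_user(attrs):
    """Apply the defaults from the troubleshooting section to a copy of the
    attributes Okta would push and return (filled_attrs, problems).
    'sendInviteEmail' and 'isServiceAccount' are hypothetical key names for
    the Okta fields 'Sending Invite Email' and 'Is user a Service Account'."""
    user = dict(attrs)
    problems = []
    name = user.get("userName", "")
    if "@" in name:
        problems.append("userName is e-mail based; use Okta username prefix or Email prefix")
    elif not USERNAME_RE.match(name):
        problems.append(f"userName {name!r} has characters outside the Egnyte username pattern")
    utype = user.get("userType")
    if utype in (None, "Undefined"):
        user["userType"] = "power"  # Egnyte default when Okta leaves the type unset
    elif utype not in USER_TYPES:
        problems.append(f"userType {utype!r} is not one of admin/power/standard (case-sensitive)")
    user.setdefault("sendInviteEmail", True)
    user.setdefault("isServiceAccount", False)
    if user["isServiceAccount"] and user["sendInviteEmail"]:
        problems.append("a Service Account must have Sending Invite Email set to False")
    return user, problems


# Constructed sample: an Okta profile with an e-mail username and a mis-cased type.
SAMPLE = {"userName": "jane.doe@example.com", "userType": "Power"}
```

Running check_user on SAMPLE reports both the e-mail-based username and the "Power" casing; applying email_prefix to the username and leaving userType unset yields a clean result defaulting to power.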
Import Groups
Currently, Egnyte groups are being imported as objects that are different from the Okta-based Groups and cannot be edited in Okta.
Invalid OAuth Bearer Token
When an invalid OAuth Bearer Token is submitted in Provisioning - Integration, the following error will be displayed: "Error authenticating: Unauthorized. Errors reported by remote server(...)."
Contact Egnyte Support if this error occurs.