Okta (SAML v2.0)

Prerequisites

Permissions required for registering and configuring an app in Okta

The Okta account must have permission to create and manage app integrations and to assign users to them. The Application Administrator role is sufficient for everything in this guide; Super Administrator also works but grants far more than the procedure needs, so prefer the narrower role.

Implement Single Sign-On (SSO)

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings.

  1. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

  2. (K) Login to the Keycloak Admin Console using your admin credentials.

  3. (K) Click Identity Providers from the left pane.

  4. (K) Expand the Add provider dropdown and choose SAML v2.0.

  5. (K) Fill in values for the Alias and Display Name fields. The Alias must be lowercase with no special characters because it becomes part of the broker endpoint URL (the Redirect URI copied in the next step). The Display Name is the label of the button on the Spark login page.

  6. (K) Copy the Redirect URI value.

  7. (K) Copy the Service provider entity ID value.

  8. (O) In a second browser tab, sign in to Okta.

  9. (O) In the left pane, expand Applications and click Applications.

  10. (O) Click Create App Integration.

  11. (O) Select SAML 2.0 and then click Next.

  12. (O) Enter a name in the App name field and click Next.

  13. (O) In the SAML Settings section, paste the Redirect URI copied from Keycloak into Single sign-on URL, and paste the Service provider entity ID value into Audience URI (SP Entity ID).

  14. (O) Select the following values in the dropdowns:

    Name ID format: EmailAddress
    Application username: Email
    Update application username on: Create and update

  15. (O) Under the Attribute Statements section add the following values:

    Name: firstName, Value: user.firstName
    Name: lastName, Value: user.lastName

  16. (O) In the Group Attribute Statements (optional) section add the following values:

    Name: groups
    Filter: Matches regex
    Value: .*

    The filter .* sends every Okta group the user belongs to (including built-in groups such as Everyone) to Keycloak in each assertion. If you name your Spark groups with a common prefix as recommended below (for example spark-), a narrower filter such as ^spark- discloses only those groups to Keycloak and keeps the assertion small.

  17. (O) Click Next, then click Finish.

  18. (O) Copy the Metadata URL.

  19. (O) Click on the Assignments tab.

  20. (O) Assign your test account.

  21. (K) Return to Keycloak. In SAML entity descriptor paste the Metadata URL and click Add.

  22. (K) Click on the newly created identity provider.

  23. (K) Click on the Mappers tab and then click on Add mapper.

  24. (K) Create 3 mappers with the following properties:

    1. First name mapper

       Name: firstName
       Sync mode override: Force
       Mapper type: Attribute Importer
       Attribute Name: firstName
       Name Format: ATTRIBUTE_FORMAT_BASIC
       User Attribute Name: firstName

    2. Last name mapper

       Name: lastName
       Sync mode override: Force
       Mapper type: Attribute Importer
       Attribute Name: lastName
       Name Format: ATTRIBUTE_FORMAT_BASIC
       User Attribute Name: lastName

    3. Email mapper

       Name: email
       Sync mode override: Force
       Mapper type: Attribute Importer
       Attribute Name: emailAddress
       Name Format: ATTRIBUTE_FORMAT_BASIC
       User Attribute Name: email

    Attribute Name must match the Name of the Okta attribute statement exactly (case-sensitive), and ATTRIBUTE_FORMAT_BASIC matches the NameFormat Okta uses by default. Note that the attribute statements in step 15 do not define an emailAddress attribute, so the email mapper only imports something if you add one in Okta (Name: emailAddress, Value: user.email). With Name ID format set to EmailAddress, Keycloak also takes the user's email from the NameID, which is why sign-in works even without that attribute.

  25. For SAML SSO, Keycloak must verify the signature on the assertions it receives; without this check, anyone who can reach the broker endpoint can submit a forged assertion for any user. For more information see Importance of validating signatures in SAML.

    1. (K) For the identity provider you have set up, scroll down to Signature and Encryption settings.

    2. (K) Enable the option Validate Signature. Keycloak checks signatures against the certificate in Validating X509 Certificates, which the metadata import in step 21 fills from Okta's metadata; if that field is empty, every login will fail once this option is on. When Okta rotates its signing certificate, this field must be updated as well.

  26. Navigate to your Spark tenant and sign in using the newly created provider. There will be a button on the Keycloak login page with the display name defined earlier.

Map Okta groups to Spark user groups

It is recommended to use two separate browser tabs for the Keycloak (K) and Okta (O) portals to make it easier to apply the settings. In this guide, we set up automatic membership of the tenant-admin group based on an Okta group.

  1. (O) In the first tab sign in to Okta.

  2. (O) Expand Directory and click on Groups.

  3. (O) Create a group and prefix it with spark (or any preferred prefix), for example spark-tenant-admin.

  4. (O) Add the test user to the group.

  5. (K) Open a new tab in your browser and login to the target Spark tenant. Access the Keycloak console from the User menu.

  6. (K) Login to the Keycloak Admin Console using your admin credentials.

  7. (K) Select Identity Providers from the left pane and then the identity provider you configured in the previous section.

  8. (K) Select the Mappers tab and then Add mapper.

  9. (K) Provide the following values:

    Name: tenant-admin
    Sync mode override: Force
    Mapper type: Advanced Claim to Group

  10. (K) Click Add Claims.

  11. (K) Provide the following values:

    Key: groups
    Value: spark-tenant-admin

    The Key is the Name of the group attribute statement from step 16, and the Value must be the exact Okta group name created in step 3 (spark-tenant-admin in this example), not the Keycloak group name. With Regex Claim Values off, the comparison is an exact string match, so a value of tenant-admin would never match the spark-tenant-admin value Okta sends.

  12. (K) Leave Regex Claim Values as Off (which is the default).

  13. (K) Click Select Group, choose tenant-admin, then click Select.

  14. (K) Click Save.

  15. Sign in to Coherent Spark with your test account. Click on your initials and hover over the groups icon to confirm your membership in tenant-admin.

  16. We highly recommend creating at least a few additional app groups relevant for Private tenants:

    • Group for supervisor:pf user accounts. In Spark, supervisor:pf members can manage permissions across all folders.

    • Groups for "standard" user accounts, e.g. user:teamA, user:teamB. These groups can be assigned to the users in your organization not responsible for tenant administration. Creating multiple groups for "standard" user accounts can be useful to separate access between teams.
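The two procedures above (attribute import in the SSO section and the Advanced Claim to Group mapper in this section) both act on the contents of the SAML assertion Okta posts to the Keycloak broker endpoint. The following script is an added example, not part of this guide or of Keycloak or Okta; it parses a constructed assertion shaped like the one Okta emits for the settings above, applies the three Attribute Importer mappers, and shows why the claim value for the group mapper must be the Okta group name. The hostname, realm, Okta issuer and user are placeholders, and the regex semantics of Okta's "Matches regex" filter and Keycloak's "Regex Claim Values" option are approximated as noted in the comments.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
NAMEID_FORMAT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ATTRIBUTE_FORMAT_BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample response shaped like what Okta sends for the settings in this guide.
# Host, realm, issuer and user are placeholders, not real values.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    xmlns:ds="{NS['ds']}" Destination="https://spark.example.com/realms/acme/broker/okta/endpoint">
  <saml2:Assertion ID="_constructed">
    <saml2:Issuer>http://www.okta.com/exkEXAMPLE</saml2:Issuer>
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="{NAMEID_FORMAT_EMAIL}">jane.doe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="firstName" NameFormat="{ATTRIBUTE_FORMAT_BASIC}">
        <saml2:AttributeValue>Jane</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="lastName" NameFormat="{ATTRIBUTE_FORMAT_BASIC}">
        <saml2:AttributeValue>Doe</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="groups" NameFormat="{ATTRIBUTE_FORMAT_BASIC}">
        <saml2:AttributeValue>Everyone</saml2:AttributeValue>
        <saml2:AttributeValue>spark-tenant-admin</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Keycloak Attribute Importer mappers from step 24: (Attribute Name, Name Format, User Attribute Name)
ATTRIBUTE_IMPORTERS = [
    ("firstName", ATTRIBUTE_FORMAT_BASIC, "firstName"),
    ("lastName", ATTRIBUTE_FORMAT_BASIC, "lastName"),
    ("emailAddress", ATTRIBUTE_FORMAT_BASIC, "email"),
]


def parse_response(xml_text):
    """Extract the fields the Keycloak mappers act on from a SAML Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    attributes = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        attributes[attr.get("Name")] = {
            "format": attr.get("NameFormat", ATTRIBUTE_FORMAT_BASIC),
            "values": values,
        }
    # Presence check only: the cryptographic verification is what "Validate Signature" does.
    signed = (assertion.find("ds:Signature", NS) is not None
              or root.find("ds:Signature", NS) is not None)
    return {"name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attributes, "signed": signed}


def import_user(parsed):
    """Apply the Attribute Importer mappers the way Keycloak does on first login."""
    user = {"username": parsed["name_id"]}
    # Keycloak's SAML broker sets the email from the NameID when its format is emailAddress,
    # which is why login works although the Okta config above sends no emailAddress attribute.
    if parsed["name_id_format"] == NAMEID_FORMAT_EMAIL:
        user["email"] = parsed["name_id"]
    for attr_name, name_format, user_attr in ATTRIBUTE_IMPORTERS:
        attr = parsed["attributes"].get(attr_name)
        if attr and attr["format"] == name_format and attr["values"]:
            user[user_attr] = attr["values"][0]
    return user


def okta_group_filter(groups, pattern):
    """Okta 'Matches regex' filter on the groups statement (step 16).
    Approximation (assumption): re.search; anchor with ^ to be safe, e.g. ^spark-."""
    return [g for g in groups if re.search(pattern, g)]


def claim_to_group(parsed, claim_key, claim_value, regex=False, group="tenant-admin"):
    """Keycloak Advanced Claim to Group mapper. With Regex Claim Values off the comparison
    is exact, so claim_value must be the Okta group name (spark-tenant-admin), not the
    Keycloak group name. Regex mode is approximated (assumption) as a full match."""
    attr = parsed["attributes"].get(claim_key)
    if not attr:
        return None
    for value in attr["values"]:
        matched = re.fullmatch(claim_value, value) if regex else value == claim_value
        if matched:
            return group
    return None


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("signature element present:", parsed["signed"])
    print("imported user:", import_user(parsed))
    print("exact 'tenant-admin':", claim_to_group(parsed, "groups", "tenant-admin"))
    print("exact 'spark-tenant-admin':", claim_to_group(parsed, "groups", "spark-tenant-admin"))
    print("Okta filter ^spark-:", okta_group_filter(parsed["attributes"]["groups"]["values"], r"^spark-"))
```

To use this against a real login, capture the base64 SAMLResponse the browser posts to the broker endpoint (a SAML tracer extension shows it decoded), decode it, and pass the XML to parse_response; the attribute names and NameID format it reports are exactly what the Keycloak mappers must be configured with.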

Create a bookmark application for Coherent Spark

See Okta My Apps Dashboard.
