OKTA-CBAAP
DISCLAIMER: To effectively configure CBAAP with OKTA, it is highly advisable to adhere to the comprehensive steps outlined in the documentation. While initially crafted for OneLogin integration, these steps provide thorough explanations and proven functionality. Complementing this documentation, below are the essential steps for setting up CBAAP with OKTA:
Prerequisites:
- SSO integration set up between Exivity and OKTA.
- An Exivity instance with dummy data (e.g. Extractors, Reports, Accounts, etc.).
Steps:
- Create a metadata definition. For example, a metadata definition with a field called "AWS Group".
- Go to Data pipelines > Reports > Configuration and add the Metadata definition you created.
- Go to Accounts > Overview, select the Account(s) you want, then populate the Metadata with values. For example: AWS Group = sales.
- Go to OKTA > Directory > People > username > Profile tab > Attributes (click edit): edit the Attributes you want mapped to the corresponding Metadata definition. For example: Department = sales.
- Go to Exivity > Settings > Administration > Single sign-on > Account Provisioning and configure the mapping:
  - SAML attribute -> department (in this example; use whatever attribute you want to map)
  - Value source -> Metadata
  - Metadata definition -> the Metadata definition you created
  - Metadata field -> the field you created (in our example, AWS Group)
- Go to OKTA > Directory > Profile Editor > select the User profile connected to your app > +Add attribute: add the Attribute you want mapped to the Metadata definition defined earlier. For example, you can add an attribute called Department.
- Go to OKTA > Apps > your app > General > SAML Settings (click edit) > Configure SAML (tab) > Advanced > Attribute statements: add the attribute to be mapped to the Metadata, for example department.
- If everything was configured correctly, you should be able to log in and get access only to those Accounts whose Metadata value matches the SAML attribute configured in OKTA.
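To make the final matching step concrete, here is an added Python example (not Exivity's or OKTA's own code) that models what the mapping above does: it reads the `department` attribute from a constructed Okta-style SAML AttributeStatement and returns only the accounts whose "AWS Group" metadata value matches. It assumes the assertion has already been signature-validated by the SSO layer and that the comparison is an exact string match, so a user with no attribute or an account with unpopulated metadata gets nothing.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement of an assertion carrying the
# "department" attribute statement configured in the last OKTA step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample accounts populated with the "AWS Group" metadata field.
SAMPLE_ACCOUNTS = [
    {"name": "acct-sales-eu", "metadata": {"AWS Group": "sales"}},
    {"name": "acct-sales-us", "metadata": {"AWS Group": "Sales"}},  # case differs
    {"name": "acct-finance", "metadata": {"AWS Group": "finance"}},
    {"name": "acct-untagged", "metadata": {}},  # metadata never populated
]

# The Account Provisioning mapping: SAML attribute -> metadata field (assumed shape).
MAPPING = {"saml_attribute": "department", "metadata_field": "AWS Group"}


def saml_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def accessible_accounts(attrs, accounts, mapping):
    """Names of accounts whose mapped metadata value equals one of the user's
    attribute values. Fails closed: no attribute, or no metadata, grants nothing,
    and the match is exact, so "Sales" does not match "sales"."""
    claimed = set(attrs.get(mapping["saml_attribute"], []))
    if not claimed:
        return []
    field = mapping["metadata_field"]
    return [a["name"] for a in accounts if a["metadata"].get(field) in claimed]


if __name__ == "__main__":
    print(accessible_accounts(saml_attributes(SAMPLE_ASSERTION), SAMPLE_ACCOUNTS, MAPPING))
```

Running it prints `['acct-sales-eu']`: the case-mismatched and untagged accounts stay hidden, which is the behaviour to check for when a user reports seeing fewer accounts than expected.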