Configure SSO JIT Provisioning on Okta

Okta Configuration

  1. In Okta, go to the Admin panel.

  2. In the Directory menu, select Groups.

  3. Click Add Group.

  4. Enter a name and description for the group (remember the name, as you will need it later), and then click Add Group.

  5. In the Application menu, select Application.

  6. Click Create New App.

  7. Select the following, and then click Create:

    Platform: Web

    Sign on method: SAML 2.0

  8. Set the App name, then click Next.

  9. Set the following parameters:

    • The "Name-up-select" can be changed to any name.

    • The Name in the "GROUP ATTRIBUTE STATEMENTS" (memberOf) can be set to any name you choose.

  10. Click Next and then Finish.

  11. Click View Setup Instructions.

CloudGuard Configuration

  1. In CloudGuard, navigate to the Authentication page in the Settings.

  2. In the SSO section, click Enabled.

  3. Click Edit to open the SSO Configuration box.

  4. Enter the following details:

    • Account ID - the value that you entered instead of "Name-up-select".

    • Issuer - the Identity Provider Issuer from Okta.

    • Idp endpoint url - the Identity Provider Single Sign-On URL from Okta.

    • X.509 Certificate - the X.509 Certificate from Okta.

    • Select the Just-in-time provisioning for the account checkbox.

    • Attribute name in SAML for just-in-time role - the name that you entered instead of "memberOf".

  5. Click Save.

  6. Assign the group that you created in step 4 of the Okta Configuration to the application.

  7. Navigate to the Roles page in the Settings menu.

  8. Create a role with the same name as the group that you created in Okta.
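
Just-in-time provisioning depends on three values lining up: the group attribute name set in Okta, the Attribute name in SAML for just-in-time role set in CloudGuard, and a CloudGuard role named after the Okta group. The Python check below is an added example, not part of the original procedure or of any Okta or CloudGuard tooling; it inspects the attribute statement of a SAML assertion captured from your own test login and reports mismatches. The sample assertion, the group and role names, and the exact-name comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute statement for a user in two groups.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CloudGuard-Auditors</saml:AttributeValue>
      <saml:AttributeValue>cloudguard-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def check_jit_mapping(assertion_xml, attribute_name, role_names):
    """Compare the group values in one SAML attribute with the role names.

    Diagnostic only: the signature is not verified, so use it on an assertion
    from your own test login and never as an authentication decision.
    """
    result = {"attribute_found": False, "matched": [], "near_miss": [], "unmatched": []}
    root = ET.fromstring(assertion_xml)
    values = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == attribute_name:
            values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
            break
    if values is None:
        return result  # attribute name in the IdP and in the SSO settings differ

    result["attribute_found"] = True
    roles = set(role_names)
    folded = {r.strip().casefold(): r for r in role_names}
    for value in values:
        key = value.strip().casefold()
        if value in roles:
            result["matched"].append(value)
        elif key in folded:
            # Differs only by case or surrounding whitespace: likely a typo.
            result["near_miss"].append((value, folded[key]))
        else:
            result["unmatched"].append(value)
    return result

if __name__ == "__main__":
    roles = ["CloudGuard-Auditors", "CloudGuard-Admins"]  # constructed role names
    print(check_jit_mapping(SAMPLE_ASSERTION, "memberOf", roles))
```

An empty "matched" list, or "attribute_found" set to False, points to a naming mismatch between the Okta group attribute statement and the CloudGuard SSO settings or roles.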