SSO with Okta

📘

Information

Instruction on this page is only valid for the Enterprise Architecture Management (EAM) and Value Stream Management (VSM) products. If you want to implement a single sign-on (SSO) for SaaS Management Product (SMP), please go here.

This page gives best practices on how to configure your Okta when configuring it for SSO with LeanIX. Thanks to a very helpful customer, we were able to provide you with this guide.

📘

Attention

Please make sure to read the general SSO guide first. The general process is defined there, this page gives configuration details for Okta.

Initial setup

Add new application

As a first step, we add a new application.

Then we select platform type 'Web' and sign on method 'SAML 2.0'.

We now choose a name for the application (e.g. ''LeanIX) and a logo, download a suitable logo from https://info.leanix.net/hubfs/Logos/Brand%20logo/leanIX_solo.jpg

Initial configuration

SAML Settings

Under SAML Settings we insert the following:
Sign on URL: https://yourleanixdomain.leanix.net/Shibboleth.sso/SAML2/POST
Audience URI: https://yourleanixdomain.leanix.net/Shibboleth.sso
Name ID Format should be EmailAddress
The Application username depends on our Okta Implementation. If the Okta username matches the LeanIX e-mail we can choose the following configuration.

SAML Token Attribute Configuration

In the bottom part of the SAML settings, we specify the attributes being insert inside the SAML assertion.
All lines are case sensitive. The first objects are values that already exist on the user object. The role object will be specified on assigning the user groups to the application.

Name

Name format

Value

firstname

URI Reference

user.firstName

lastname

URI Reference

user.lastName

uid

URI Reference

user.email

mail

URI Reference

user.email

role

URI Reference

appuser.role

Finalize the setup by specifying the App type as 'internal', then select finish.

Manage role attribute

Create role attribute

Change the profile mappings.

We click '' Cancel' on the following screen.

Add new attribute

On the following screen, we'll be able to add a new attribute.

We name the new attribute “role” like the attribute we already insert inside the SAML assertion.
To help the Okta Admin with the assignment, we create a dropdown list of values instead of letting him write the value as text. These values correspond to the LeanIX default roles, but can of course be altered according to our need.

Display Name

Value

ADMIN

ADMIN

MEMBER

MEMBER

VIEWER

VIEWER

Assign role attribute

As the last step we would now like to assign the people who would like to use the LeanIX application. Under the 'Assignment' category choose 'Assign to Groups'.

Now we are able to choose the role for a specific Okta or Active Directory Group inside the Assignment.

Assign policy

If required MFA or other policies can be set under the “Sign on Policy” section