SSO with Okta

Configure single sign-on (SSO) with Okta as an Identity Provider.

👍

Tip

To request an SSO setup for your workspace, please submit a ticket to LeanIX Support.

This document provides guidance on configuring SSO with Okta as an Identity Provider (IdP). Before you start, learn more about the configuration process in SSO Configuration Process.

Step 1: Create an Application for SSO

Follow these steps:

  1. In the Okta admin dashboard, in the Applications section, click Create App Integration.

  2. In the overlay that appears, select SAML 2.0 as the sign-in method.

    Selecting SAML 2.0 as the Sign-In Method for an SSO Application in Okta

    Selecting SAML 2.0 as the Sign-In Method for an SSO Application in Okta

  3. Enter a name for your application and upload a logo, then click Next. You can download the LeanIX logo from our media kit.

Step 2: Configure SAML Settings

Follow these steps:

  1. In the SAML Settings section of the application, specify the following:

    • Single sign-on URL: Enter https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST.

    • Audience URI (SP Entity ID): Enter https://{SUBDOMAIN}.leanix.net/Shibboleth.sso.

    • Name ID format: Select EmailAddress.

    • Application username: This parameter depends on your Okta implementation. If the Okta username matches the LeanIX email, select Okta username.

      Configuring General SAML Settings for an SSO Application in Okta

      Configuring General SAML Settings for an SSO Application

  2. In the Attribute Statements section, specify attributes to be added to the SAML assertion as shown in the following table. All fields are case-sensitive. The first four objects in the table are values that already exist on the user object. The role object will be added when assigning user groups to the application.

    NameName FormatValue
    firstnameURI Referenceuser.firstName
    lastnameURI Referenceuser.lastName
    uidURI Referenceuser.email
    mailURI Referenceuser.email
    roleURI Referenceappuser.role
    Configuring General SAML Settings for an SSO Application in Okta

    Configuring Attribute Statements for an SSO Application

  3. In the Feedback section, specify that the app is internal, then click Finish.

    Specifying the Type of an SSO Application in Okta

    Specifying the Type of an SSO Application

Step 3: Configure Mapping Attributes

Follow these steps:

  1. On the Sign On tab of your application, select Configure profile mapping.

    Selecting the Configure Profile Mapping Link on the Sign On Tab of an SSO Application in Okta

    Selecting the "Configure Profile Mapping" Link on the "Sign On" Tab of an SSO Application

  2. In the overlay that appears, click Cancel.

  3. In the Attributes section, click Add Attribute.

  4. Specify the attribute details.

    • Display name and Variable name: Enter role to match the attribute that you added to the SAML assertion.

    • Enum: Select Define enumerated list of values and create a list of user roles that the Okta admin can select from. The values in the following table correspond to the LeanIX default roles, but you can adjust the list according to your needs.

      Display NameValue
      ADMINADMIN
      MEMBERMEMBER
      VIEWERVIEWER
      Configuring General SAML Settings for an SSO Application in Okta

      Adding an Attribute to a Profile in Okta

  5. Save the changes.

Step 4: Assign Users to the Application

You can assign specific users or user groups to the SSO application.

Follow these steps:

  1. On the Assignments tab of the application, click Assign > Assign to Groups.

    Selecting the Assign to Groups Option on the Assignments Tab of an SSO Application

    Selecting the "Assign to Groups" Option on the "Assignments" Tab of an SSO Application

  2. In the overlay that appears, select a user group to assign to the application.

  3. In the role list, select a LeanIX role to be assigned to users in this group.

    Selecting a User Role to Be Assigned to Users of the SSO Application

    Selecting a Role to Be Assigned to Users of an SSO Application

  4. Optional: If needed, modify other attributes, then save the configuration.

  5. Optional: If needed, on the Sign On tab of the application, in the Sign On Policy section, specify rules for your sign-on policies, for example, multi-factor authentication.

    Sign On Policy Section on the Sign On Tab of an SSO Application

    "Sign On Policy" Section on the "Sign On" Tab of an SSO Application

To verify your SSO configuration, navigate to the SAML session page in your workspace: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session. The following screenshot shows a session page with a list of required user attributes that appear under Attributes.

SAML Session Page

SAML Session Page