SSO with Okta
Configure single sign-on (SSO) with Okta as an Identity Provider.
Tip
To request an SSO setup for your workspace, please submit a ticket to LeanIX Support.
This document provides guidance on configuring SSO with Okta as an Identity Provider (IdP). Before you start, learn more about the configuration process in SSO Configuration Process.
Step 1: Create an Application for SSO
Follow these steps:
- In the Okta admin dashboard, in the Applications section, click Create App Integration.
- In the overlay that appears, select SAML 2.0 as the sign-in method.
- Enter a name for your application and upload a logo, then click Next. You can download the LeanIX logo from our media kit.
Step 2: Configure SAML Settings
Follow these steps:
- In the SAML Settings section of the application, specify the following:
  - Single sign-on URL: Enter https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/SAML2/POST.
  - Audience URI (SP Entity ID): Enter https://{SUBDOMAIN}.leanix.net/Shibboleth.sso.
  - Name ID format: Select EmailAddress.
  - Application username: This parameter depends on your Okta implementation. If the Okta username matches the LeanIX email, select Okta username.
- In the Attribute Statements section, specify the attributes to be added to the SAML assertion as shown in the following table. All fields are case-sensitive. The first four entries in the table are values that already exist on the user object. The role attribute is added when assigning user groups to the application.

| Name | Name Format | Value |
| --- | --- | --- |
| firstname | URI Reference | user.firstName |
| lastname | URI Reference | user.lastName |
| uid | URI Reference | user.email |
| mail | URI Reference | user.email |
| role | URI Reference | appuser.role |

- In the Feedback section, specify that the app is internal, then click Finish.
Step 3: Configure Mapping Attributes
Follow these steps:
- On the Sign On tab of your application, select Configure profile mapping.
- In the overlay that appears, click Cancel.
- In the Attributes section, click Add Attribute.
- Specify the attribute details:
  - Display name and Variable name: Enter role to match the attribute that you added to the SAML assertion.
  - Enum: Select Define enumerated list of values and create a list of user roles that the Okta admin can select from. The values in the following table correspond to the LeanIX default roles, but you can adjust the list according to your needs.

| Display Name | Value |
| --- | --- |
| ADMIN | ADMIN |
| MEMBER | MEMBER |
| VIEWER | VIEWER |

- Save the changes.
Step 4: Assign Users to the Application
You can assign specific users or user groups to the SSO application.
Follow these steps:
- On the Assignments tab of the application, click Assign > Assign to Groups.
- In the overlay that appears, select a user group to assign to the application.
- In the role list, select a LeanIX role to be assigned to users in this group.
- Optional: If needed, modify other attributes, then save the configuration.
- Optional: If needed, on the Sign On tab of the application, in the Sign On Policy section, specify rules for your sign-on policies, for example, multi-factor authentication.
To verify your SSO configuration, navigate to the SAML session page in your workspace: https://{SUBDOMAIN}.leanix.net/Shibboleth.sso/Session. The following screenshot shows a session page with a list of required user attributes that appear under Attributes.
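As an added verification aid (not LeanIX or Okta code), the following Python script checks a decoded SAML assertion against the settings from Step 2 and Step 3: the EmailAddress Name ID format, the SP Entity ID as audience, the five URI Reference attributes, and a role from the default list. The subdomain acme, the user values and the assertion builder are constructed test data; signature and validity-window checks are left to the service provider.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
REQUIRED_ATTRS = ("firstname", "lastname", "uid", "mail", "role")  # case-sensitive
DEFAULT_ROLES = {"ADMIN", "MEMBER", "VIEWER"}  # LeanIX default roles from the table


def check_assertion(xml_text, subdomain):
    """Return deviations from the page's Okta settings; [] means all match.
    Signature and validity-window checks are the SP's job and are not done here."""
    problems = []
    root = ET.fromstring(xml_text)
    expected_audience = f"https://{subdomain}.leanix.net/Shibboleth.sso"
    # Name ID format must be EmailAddress (Step 2)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not EmailAddress")
    # Audience must equal the SP Entity ID (Step 2)
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    # Attribute statements: all five names present, URI Reference format, known role
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FMT:
            problems.append(f"attribute {attr.get('Name')} is not URI Reference format")
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            problems.append(f"missing attribute {name}")
    if attrs.get("role") and attrs["role"][0] not in DEFAULT_ROLES:
        problems.append(f"role {attrs['role'][0]} is not a LeanIX default role")
    return problems


def sample_assertion(attrs, audience="https://acme.leanix.net/Shibboleth.sso"):
    """Build a constructed, unsigned assertion as test input (not real Okta output)."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}" NameFormat="{URI_FMT}">'
        f"<saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>"
        for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            f'<saml:NameID Format="{EMAIL_FMT}">{attrs.get("mail", "")}</saml:NameID>'
            f"</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>"
            f"{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion>")


OKTA_ATTRS = {"firstname": "Jane", "lastname": "Doe", "uid": "jane@example.com",
              "mail": "jane@example.com", "role": "MEMBER"}  # constructed user values
```

Run `check_assertion(sample_assertion(OKTA_ATTRS), "acme")` to see an empty list for a matching configuration; drop the role attribute or change the subdomain to see the corresponding findings.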