Configuring Okta with Bridge (with Multiple User Attributes)

Document created by Ike Bennion Administrator on Jun 9, 2016
Version 1

 

The purpose of this document is to assist clients in configuring Okta SSO with Instructure Bridge if they would like to pass user data beyond the intended unique identifier. It contains a set of instructions specific to passing custom attributes from Okta to Bridge. If the client is not using user provisioning (account creation upon successful authentication), this guide is not necessary.

 

 

Overview

Okta is a fairly straightforward platform to configure and use, so this documentation focuses mostly on the more complicated process of configuring Okta to pass, and Bridge to consume, multiple attributes for a user.

 

Requirements

    1. Admin access to Okta
    2. Your specific Bridge domain
    3. The attribute to be used as the unique identifier in Bridge
    4. The user attributes you would like to pass

 

Configuration

    1. Sign into Okta as an admin.
    2. Select the Applications tab or select Add Applications from the Shortcuts menu.
    3. On the Add Application page, select Create New App.
    4. On the next popup page, select SAML 2.0 as the application integration, and click Create. This uses the SAML protocol to log users into the app, which is a better option than SWA.
    5. Set the App name as "Instructure Bridge". You can use this logo, if you'd like. Alternatively, you may set the logo to one of your choosing. App visibility settings are specific to your organization. Once finished, select Next.
    6. Under the General SAML settings, set the Single Sign On URL to "https://<your-domain>.bridgeapp.com/auth/saml/callback". Be sure that 'Use this for Recipient URL and Destination URL' is checked. Set the Audience URI (SP Entity ID) to "http://bridgeapp.com". Leave Default RelayState blank, Name ID format as Unspecified, and Application username as 'Okta username'.
    7. The basic attributes Bridge is expecting are 'first_name', 'last_name', 'email', and 'name'. We can omit 'name', since first and last name will fully populate Bridge. In the example below, I've also passed the custom attribute 'Department'. When finished, select Next at the bottom of the screen.
      • Note: In order for Bridge to accept custom attributes, they will need to be uploaded through CSV or created through API first. Your IC can help you with this.
    8. You can select 'I'm an Okta customer adding an internal app' during the Feedback portion, and App type can be set as 'This is an internal app that we have created'.
    9. Select the Directory tab from the administrative dashboard, and then select Profile Editor.
    10. Next, search for the recently made application, and select Profile next to it.
    11. Create a new attribute by selecting + Add Attribute.
    12. On the Add Attribute page, you do not need to worry about setting anything other than Display name and Variable name. When finished, select Add Attribute, or Save and Add Another to add additional attributes.
    13. When finished, you should see your newly defined attributes under the Custom header.
    14. Select ‘Map Attributes’.
    15. On the next screen, select ‘Okta to Instructure Bridge’ at the top of the screen.
    16. Select the user attributes that align with the attributes previously created during step 12.
    17. The drop-down between the Okta set attributes and those previously defined needs to be set to 'Apply mapping on user create and update'.
    18. When finished, select Save Mappings.
      • Note: While the option 'Apply mapping on user create and update' states update, currently Bridge can only support provisioning custom attributes during new user account creation.
    19. Finally, select to Apply updates now.
    20. Don’t forget to assign People or Groups to your newly built application. While the user may not exist in Bridge, they will need to exist within the Okta application page before accessing Bridge.
    21. In order to finalize the integration, your IC will need to obtain a copy of the Identity Provider metadata. You can retrieve the metadata by visiting the application page, selecting the Sign On tab, and selecting the link that says Identity Provider metadata.
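
The values set in steps 6 and 7 can be checked against a decoded assertion from a test login before handing the metadata over. The script below is an added example, not Okta or Instructure code: the domain "acme", the user values and the sample assertion are constructed, and exact-match comparison of attribute names is this script's assumption. It inspects structure only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "http://bridgeapp.com"                  # Audience URI from step 6
REQUIRED = {"first_name", "last_name", "email"}    # step 7 ('name' may be omitted)

# Constructed sample assertion (unsigned, trimmed to the fields being checked).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://acme.bridgeapp.com/auth/saml/callback"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>http://bridgeapp.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, domain, custom=()):
    """Return a list of mismatches between an assertion and the guide's settings."""
    root = ET.fromstring(xml_text)  # only feed this assertions from your own test login
    acs = f"https://{domain}.bridgeapp.com/auth/saml/callback"
    problems = []
    audiences = [(a.text or "").strip() for a in root.iterfind(".//saml:Audience", NS)]
    if audiences != [AUDIENCE]:
        problems.append(f"audience {audiences!r}, expected {AUDIENCE!r}")
    recipients = [s.get("Recipient")
                  for s in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if recipients != [acs]:
        problems.append(f"recipient {recipients!r}, expected {acs!r}")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    values = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        v = attr.find("saml:AttributeValue", NS)
        values[attr.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in sorted(REQUIRED | set(custom)):
        if not values.get(name):
            problems.append(f"attribute {name!r} missing or empty")
    return problems

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "acme", custom=["Department"]) or "assertion matches")
```

An empty list means the Audience, Recipient, NameID and attribute names line up with what was entered in Okta; each string in a non-empty list names the field to revisit.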

 

 

Testing

    1. Open an Incognito or Private Browsing window in your preferred browser.
    2. Navigate to your Bridge instance at https://{client_domain}.bridgeapp.com.
    3. Log in to your Okta service. You should see your Admin Dashboard or My Learning Dashboard in Bridge.
    4. If you are successful in logging in, click the profile in the top left corner and, in the tray that opens, click "Log Out".
    5. If you are returned to your intended sign out location, the sign out was successful.

 

Troubleshooting

 

What I'm Experiencing | What's Happening | How to Resolve

 

Additional Reading

What is Single Sign On?

How do I manage users in my account?

CSV Requirements and Best Practices

 

 

 

 

 

 

 

 

 

 

