Configure Okta to send the groups:
- In Okta, open the Admin Console.
- In the Directory menu, select Groups.
- Click Add Group.
- Enter a name and description for the group (note the name, as the Dome9 role you create later must use it), and then click Add Group.
- In the Applications menu, select Applications.
- Click Add Application.
- Select Sign on method: SAML 2.0, and then click Create.
- Set the App name, then click Next.
- Set the following parameters:
- "Name-up-select" is a placeholder; replace it with any name you choose. You will enter the same value as the Account ID in Dome9.
- The Name in the GROUP ATTRIBUTE STATEMENTS section (shown as memberOf) can be any name you choose. You will enter the same value as the just-in-time attribute name in Dome9.
- Click Next and Finish.
- Click on the View Setup Instructions button.
- Login to Dome9 and select Account Settings.
- Select the Authentication tab and, in the SSO section, click
- Click Enable and fill in the fields as follows:
- Account ID - the value that you entered in place of "Name-up-select"
- Issuer - the Identity Provider Issuer from Okta.
- Idp endpoint url - the Identity Provider Single Sign-On URL from Okta.
- X.509 Certificate - the X.509 Certificate from Okta.
- Select the Just-in-time provisioning for the account checkbox.
- Attribute name in SAML for just-in-time role - the name that you entered in place of "memberOf" in the group attribute statement. It must match exactly, or Dome9 will not find the group in the assertion.
- Click Save.
- In Okta, assign the group that you created in step 4 to the application.
- In the Administration menu, select Roles.
- Create a role with the same name as the group that you created in Okta. When a user signs in for the first time, Dome9 reads the group name from the just-in-time attribute in the SAML assertion and assigns the role of that name.
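The following is an added example, not Dome9's or Okta's own code, that shows the two places where the values above have to line up. The first function pulls the Issuer, the HTTP-POST Single Sign-On URL and the signing certificate out of Okta-style IdP metadata (the same values the View Setup Instructions page displays), so they can be compared against what was pasted into Dome9. The second function walks a SAML assertion the way just-in-time provisioning does: it looks for the attribute whose Name is the one configured in Dome9 and returns the values that match an existing Dome9 role name. The metadata, the assertion, the Okta URLs, the group names and the exact case-sensitive role matching are all constructed assumptions for the example.

```python
"""Added example: check the Okta -> Dome9 SAML values and the JIT group-to-role mapping."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample shaped like Okta IdP metadata; entityID, URL and certificate are placeholders.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIC...placeholder...base64
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion carrying the group attribute statement named "memberOf".
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>Dome9-Admins</saml:AttributeValue>
      <saml:AttributeValue>Dome9-ReadOnly</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def dome9_sso_fields(metadata_xml: str) -> dict:
    """Return the Issuer, Idp endpoint url and X.509 certificate body Dome9 asks for."""
    root = ET.fromstring(metadata_xml)
    sso = root.find(f".//md:SingleSignOnService[@Binding='{POST_BINDING}']", NS)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if sso is None or cert is None:
        raise ValueError("metadata lacks an HTTP-POST SSO endpoint or a signing certificate")
    return {
        "issuer": root.get("entityID"),
        "idp_endpoint_url": sso.get("Location"),
        # collapse the whitespace Okta wraps the base64 body in
        "x509_certificate": "".join(cert.text.split()),
    }


def issuer_matches(assertion_xml: str, expected_issuer: str) -> bool:
    """The Issuer configured in Dome9 must equal the Issuer element of each assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.find("saml:Issuer", NS)
    return issuer is not None and issuer.text.strip() == expected_issuer


def jit_roles(assertion_xml: str, attribute_name: str, dome9_roles: set) -> list:
    """Roles a JIT-provisioned user would receive: values of the configured attribute
    that exactly match an existing Dome9 role name (exact match is an assumption)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") != attribute_name:
            continue  # attribute name in Dome9 must equal the Okta attribute statement name
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        return [v for v in values if v in dome9_roles]
    return []  # no such attribute: JIT has no group to map, so no role is assigned


if __name__ == "__main__":
    fields = dome9_sso_fields(IDP_METADATA)
    print(fields)
    print(issuer_matches(ASSERTION, fields["issuer"]))
    print(jit_roles(ASSERTION, "memberOf", {"Dome9-Admins", "Auditor"}))
```

A mismatch in either name is silent from the user's point of view: if Dome9 is configured to look for "groups" while Okta sends "memberOf", or the Okta group is "Dome9 Admins" while the Dome9 role is "Dome9-Admins", the user authenticates but receives no role, which is what the last two cases below exercise.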