Set SSO JIT Provisioning on Okta

    Configure Okta to send the groups:

    1.  In Okta, open the Admin panel.
    2.  Add a group in Okta.
    3.  Click "Add Group".
    4.  Set a name for the group. Remember this name: the role you create in Dome9 at the end of this procedure must have exactly the same name.
    5.  Add a new application.
    6.  Click "Create New App".
    7.  Select Web as the platform and SAML 2.0 as the sign-on method, then click Next.
    8.  Set the App name, then click Next.
    9.  Set the following SAML parameters:
      • "Name-up-select" is a placeholder value; replace it with any name you choose. You will enter this same value as the Account ID in Dome9.
      • In "GROUP ATTRIBUTE STATEMENTS", the attribute Name (shown as memberOf) can be set to any name you choose. Dome9 reads the user's group from the attribute with this name, so note it. Set the statement's Filter so that the group you created in step 4 is included in the assertion.
    10. Click Next, then Finish.
    11. Click the "View Setup Instructions" button and keep that page open: it shows the Identity Provider Issuer, the Identity Provider Single Sign-On URL and the X.509 Certificate that Dome9 needs in the next section.


    Configure Dome9 and link the group:

    12. Log in to Dome9 and select Account Settings.
    13. Select the SSO tab.
    14. Click Enable to open the SSO settings.
    15. Add the following data in the relevant fields:
      • In "Account ID", enter the value that you entered instead of "Name-up-select" in step 9.
      • In "Issuer", enter the Identity Provider Issuer from Okta.
      • In "Idp endpoint url", enter the Identity Provider Single Sign-On URL from Okta.
      • In "X.509 Certificate", paste the X.509 Certificate from Okta. Dome9 uses it to verify the signature on Okta's SAML responses, so copy it exactly and update it whenever the Okta signing certificate is rotated.
      • Select the "Just-in-time provisioning for the account" checkbox.
      • In "Attribute name in SAML for just-in-time role", enter the name that you entered instead of "memberOf" in step 9. It must match the attribute name in the Okta group attribute statement exactly, or Dome9 will not find the group in the assertion.
      • Click Save.
    16. In Okta, assign the group that you created in step 4 to the application, so that its members can sign in and are sent with the group attribute.
    17. In Dome9, select the Roles menu.
    18. Create a role with the same name as the group that you created in Okta. Dome9 matches the group name sent in the SAML attribute against its role names, so the two must be identical.
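To make concrete what the attribute name and the group/role name matching above mean, here is an added example (not Dome9's or Okta's code) that parses a constructed Okta-style SAML response, checks the Issuer against the configured value, pulls the group values out of the configured JIT attribute, and maps them to roles by exact name. The issuer, NameID and group names are made up for this example, and the code does not verify the XML signature, which a real service provider must do against the X.509 certificate from step 15 before trusting anything in the assertion.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in Okta assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample of the kind of response Okta sends after the setup above.
# The issuer, user and group names are invented, and the assertion is unsigned,
# so this is for illustrating the attribute/role mapping only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="memberOf">
        <saml:AttributeValue>Dome9-Admins</saml:AttributeValue>
        <saml:AttributeValue>Everyone</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_jit_groups(response_xml, expected_issuer, jit_attribute):
    """Return the group values carried in the configured JIT attribute.

    expected_issuer is the value entered in the "Issuer" field (step 15);
    jit_attribute is the "Attribute name in SAML for just-in-time role".
    Raises ValueError when the assertion's Issuer does not match.
    NOTE: the XML signature is NOT verified here; a real SP must verify it
    against the configured X.509 certificate before reading any attribute.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    groups = []
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        # Only the attribute whose Name equals the configured JIT attribute
        # name is read; a mismatch such as "memberof" vs "memberOf" yields nothing.
        if attr.get("Name") == jit_attribute:
            groups.extend(
                v.text.strip()
                for v in attr.findall("saml:AttributeValue", NS)
                if v.text
            )
    return groups


def map_groups_to_roles(groups, defined_roles):
    """Return the roles a user receives: group names that exactly equal a role name."""
    return [g for g in groups if g in defined_roles]


def subject_name_id(response_xml):
    """Return the NameID (the user identity) from the assertion's Subject."""
    root = ET.fromstring(response_xml)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    groups = extract_jit_groups(SAMPLE_RESPONSE, "http://www.okta.com/exkEXAMPLE", "memberOf")
    roles = map_groups_to_roles(groups, {"Dome9-Admins", "Auditors"})
    print(subject_name_id(SAMPLE_RESPONSE), groups, roles)
```

Running it shows that "Everyone" is sent by Okta but maps to no role because no role of that name exists, and that asking for the attribute under a differently cased name returns no groups at all, which is the usual cause of a user logging in through SSO with no role assigned.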