Set SSO JIT Provisioning on OKTA

In this topic:

    Configure Okta to send the groups:

    1.  In OKTA, go to the Admin panel.

    2. In the Directory menu, select Groups.mceclip0.png
    3. Click Add Group.
    4. Enter a name and description for the group (remember the name as you will need it later), and the click Add Group.

    5. In the Application menu, select Application.mceclip2.png
    6. Click Add Application.

    7. Select the following, and then click Create:
      Platform: Web
      Sign on method: SAML 2.0
    8. Set the App name, then click Next.
    9. Set the following parameters :
      • The "Name-up-select" can be changed to any name.
      • The Name in the "GROUP ATTRIBUTE STATEMENTS" (memberOf) can be set to any name you choose

    10. Click Next and Finish.
    11. Click on the View Setup Instructions button.

    12. Login to Dome9 and select Account Settings.mceclip3.png
    13. Select the Authentication tab and, in the SSO section, click 

    14. Click Enable and fill in the fields as follows:
      • Account ID - the value that you entered instead of "Name-up-select"
      • Issuer -  the Identity Provider Issuer from OKTA.
      • Idp endpoint url - the Identity Provider Single Sign-On URL from OKTA.
      • X.509 Certificate - the X.509 Certificate from OKTA.
      • Check Just-in-time provisioning for the account checkbox.
      • Attribute name in SAML for just-in-time role - add the name that you entered instead of the "member Of"
      • Click Save.mceclip5.png
    15. Assign the group that you created in step 4 to the application.
    16. In the Administration menu, select Roles.
    17. Create a role with the same name as the name of the group that you created in OKTA.