Logging in with Single Sign-On (SSO) through Okta
All iyarn users have the ability to configure a default Identity Provider to power Single Sign-On (SSO). This article details how to configure Okta as the primary Identity Provider to facilitate SSO with the iyarn application.
- Service Provider (SP)-Initiated Authentication (SSO) Flow – This authentication flow occurs when the user attempts to log in to the application from iyarn.
- Automatic account creation in iyarn on initial SSO.
In order to proceed with configuring login with SSO through Okta, you must:
- Have access to an Okta tenant
- Be an Okta administrator to that tenant
The following documents the configuration for setting up the OIDC integration between iyarn and Okta. Okta is the Identity Provider (IdP). Depending on the use case, the user is redirected to Okta for authentication if no session has been established.
To configure your provisioning settings for iyarn in Okta, there are three main steps to follow:
Step One – Add the iyarn App to Okta
- Log in to your organization’s Okta tenant and select the Classic UI.
- Navigate to Applications > Applications > Add Application, search for iyarn, and then click Add. Note that Applications appears twice in this path on purpose; it is not a duplication.
- Enter an Application Label in General Settings. This is the name under which the iyarn app will appear in your Okta dashboard.
- Click Done.
- Then under the Sign On tab of the iyarn application, copy the Client ID and Client Secret. Enter these values in the iyarn form.
- Note: These values allow iyarn to communicate with Okta. The Client ID is a public identifier for the client that is required for all OAuth/OIDC flows. The Client Secret is private; do not share it or distribute it broadly.
- Under the General tab, find the Okta Domain (or Issuer URL), which is the URL at which you access your Okta tenant (https://example.okta.com). You will need it for step 3.2 below. This URL also appears in the Embed Link section; be sure to remove everything appearing after okta.com. In Cerby, fill this in under the Okta Sign-in URL field.
- Next, go to Security > API > Tokens in the upper navigation and click the Create Token button. Name this token “iyarn,” copy it, and enter it in iyarn under Okta API Token.
- Note: iyarn leverages the Okta API Token to run user and group searches to facilitate easier sharing across approved iyarn application users and groups.
- Before leaving Okta, ensure you have given yourself and any other target users access to the iyarn application. You can do this by going to Applications > iyarn > Assign and then assigning to either the target people or group.
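
The Okta Domain step above asks you to cut the pasted URL down to the part ending in okta.com. The following is an added example, not iyarn or Okta code, that does this trimming strictly and rejects look-alike hosts before the value is entered as the issuer. The function names, the single-label tenant rule and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: tenants are single-label hosts under okta.com, as in the article's example.
ALLOWED_SUFFIX = ".okta.com"


class IssuerError(ValueError):
    """Raised when a pasted URL cannot be used as the Okta Domain."""


def okta_issuer_from_url(pasted: str) -> str:
    """Reduce a pasted Okta URL (e.g. an embed link) to https://<tenant>.okta.com."""
    parts = urlsplit(pasted.strip())
    if parts.scheme != "https":
        raise IssuerError("issuer must use https")
    if parts.username is not None or parts.password is not None:
        # https://example.okta.com@other.test really points at other.test
        raise IssuerError("credentials in the URL are not allowed")
    if parts.port not in (None, 443):
        raise IssuerError("unexpected port")
    host = (parts.hostname or "").rstrip(".")
    label = host[: -len(ALLOWED_SUFFIX)]
    if not host.endswith(ALLOWED_SUFFIX) or not label or "." in label:
        raise IssuerError(f"{host!r} is not a tenant under okta.com")
    # Path, query and fragment are dropped: everything after okta.com is removed.
    return f"https://{host}"


def discovery_url(issuer: str) -> str:
    """Standard OIDC discovery location for an issuer."""
    return issuer + "/.well-known/openid-configuration"


def issuer_matches(issuer: str, discovery_doc: dict) -> bool:
    """OIDC Discovery requires the document's "issuer" to equal the expected issuer."""
    return discovery_doc.get("issuer") == issuer


if __name__ == "__main__":
    # Constructed sample values, not taken from a real tenant.
    embed_link = "https://example.okta.com/home/iyarn/0oaEXAMPLE/alnEXAMPLE"
    issuer = okta_issuer_from_url(embed_link)
    sample_doc = {"issuer": "https://example.okta.com"}
    print(issuer, discovery_url(issuer), issuer_matches(issuer, sample_doc))
```
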
Step Two – Configure SSO in iyarn
- In the iyarn tab you left open in step 1.3, ensure you have populated the Client ID, Client Secret, Okta Domain (or Issuer URL), and Okta API Token fields.
- Click Finish Configuration.
If the values provided in step 3.2 above are correct, the next screen shows a success message telling you that the Workspace creation process was successful. If you did not give users in your Okta tenant access to the iyarn application, you may see an error prompting you to do so at this point.
If you experience any issues or have any questions, please reach out to email@example.com to engage our support.
Assign People or Groups
As covered above in step 2.9, to give people or groups access to the iyarn application, click the Assignments tab under the configured iyarn app, then click Assign. Using Groups to assign access is recommended. If assigning access to People, ensure the User Name is a valid email.
Users assigned directly or via a group will now be able to log in to iyarn via SSO through the iyarn app on their Okta dashboards. Keep in mind that accounts won’t be created in iyarn until the initial SSO login.
Iyarn’s integration with Okta leverages Okta only for authentication. To assign permissions for iyarn, users must do so directly within iyarn.