Okta is a service which offers secure identity management and single sign-on to any application.
This article describes the procedure for integrating with Okta; the same procedure applies to on-premise TMCM, Apex Central and Apex One as a Service.
Customers can also use this article as a guide to connecting other Identity Providers (IdP).
- Integrate Okta with AD. Do the following:
  - Go to the Directory > Directory integrations page.
  - Click Add Active Directory, then follow the instructions provided.
  - Go to the Directory > Profile Editor page.
  - Configure the AD user profile mappings so that the Okta account attributes can be converted into a NETBIOS domain user account name.
    - Depending on the customer configuration, the domain user account name should be accessible through an Okta custom user property that matches the corporate AD user naming policy.
    - If no such custom property exists, derive it from existing properties (e.g. first_name and last_name).
- Create a new application for every individual Apex Central or TMCM instance.
  - Select SAML 2.0 as the Sign on method.
  - Provide the information under General Settings.
  - Configure SAML Settings (IMPORTANT):
    - Single sign on URL: https://<IP or FQDN>/WebApp/login.aspx
    - Audience URI: https://<IP or FQDN>/WebApp/login.aspx
    - Add one customized attribute:
      - Attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
      - Value: substringBefore( substringAfter(user.email, "@"), ".") + "\" + substringBefore( user.email, "@")
  - Download the Okta certificate and rename the file extension from .cert to .cer for later use (TMCM checks the file extension).
  - Save the changes.
  - Assign the AD users who may log in to TMCM.
- Apex Central / TMCM must be configured to integrate with on-premise AD first.
  For Apex One as a Service, use the Active Directory synchronization tool to integrate the on-premise AD.
- Select and grant the AD Users/Groups who should be able to log in from Okta to TMCM. Do the following:
  - Download the certificate from the Okta application and upload it to TMCM.
    - On-premise TMCM: set it manually in SystemConfiguration.xml under m_ADFS_IdpServerCerificate.
    - Apex One as a Service: set the ADFS configuration on the Apex Central™ web console.
      - Go to the Active Directory and Compliance Settings page, then tick Enable Active Directory authentication.
      - Upload the Server certificate. (The SSO service URL and Server identifier fields cannot be blank.)
      - Click Save.
      - Disable AD authentication after the Server certificate has been set.
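As an added example (not part of this article, nor code from Okta or Trend Micro), the following Python emulates the attribute expression configured in the SAML Settings step, so the windowsaccountname value Okta will send can be checked against the real AD NetBIOS domain before SSO is enabled; this is the check behind the advice to use a custom user property when the e-mail format does not match the corporate AD naming policy. The missing-separator behaviour of the two helpers, the forbidden-character set and the sample addresses are assumptions.

```python
# Added example: local emulation of the Okta Expression Language mapping
#   substringBefore(substringAfter(user.email, "@"), ".") + "\" + substringBefore(user.email, "@")
# Assumption: when the separator is not found, both helpers return "" (this
# makes a malformed address visible instead of silently producing a name).

def substring_before(s: str, sep: str) -> str:
    idx = s.find(sep)
    return s[:idx] if idx >= 0 else ""


def substring_after(s: str, sep: str) -> str:
    idx = s.find(sep)
    return s[idx + len(sep):] if idx >= 0 else ""


def windows_account_name(email: str) -> str:
    """DOMAIN\\user as produced by the article's attribute expression."""
    netbios = substring_before(substring_after(email, "@"), ".")
    sam = substring_before(email, "@")
    return netbios + "\\" + sam


# Assumed subset of characters invalid in a NetBIOS name / sAMAccountName;
# length limits are 15 and 20 characters respectively.
_FORBIDDEN = set('"/\\[]:;|=,+*?<>')


def is_valid_account_name(name: str) -> bool:
    """Shape check: one backslash, non-empty parts, no forbidden characters."""
    if name.count("\\") != 1:
        return False
    netbios, sam = name.split("\\")
    if not (1 <= len(netbios) <= 15 and 1 <= len(sam) <= 20):
        return False
    return not (_FORBIDDEN & set(netbios)) and not (_FORBIDDEN & set(sam))


def mapping_matches_domain(email: str, ad_netbios: str) -> bool:
    """True only if the derived name is well formed and its domain part equals
    the real AD NetBIOS name; otherwise the default expression is unsafe to use
    and a custom Okta user property should carry the account name instead."""
    name = windows_account_name(email)
    return is_valid_account_name(name) and name.split("\\")[0].lower() == ad_netbios.lower()


if __name__ == "__main__":
    # Constructed sample addresses checked against an assumed AD domain "CORP".
    for addr in ("jdoe@corp.example.com", "jdoe@mail.example.com", "jdoe@corp", "jdoe"):
        name = windows_account_name(addr)
        print(f"{addr:24} -> {name!r:16} usable={mapping_matches_domain(addr, 'CORP')}")
```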