Okta is a service that offers secure identity management and single sign-on to any application.
This article describes the procedure for integrating with Okta; the procedure applies to both on-premise TMCM and Apex One™ as a Service.
Based on this article, customers may also be able to work out how to connect other Identity Providers (IdP).
- Integrate Okta with AD. Do the following:
  - Go to the Directory > Directory Integrations page.
  - Click Add Active Directory, then follow the instructions provided.
  - Go to the Directory > Profile Editor page.
  - Configure the AD user profile mappings so that the Okta account attributes can be converted into a NETBIOS domain user account name.
    - Depending on the customer configuration, the domain user account name should be accessible through an Okta custom user property that matches the corporate AD user naming policy.
    - If no such custom property exists, convert it from existing properties (e.g. first_name and last_name).
- Create a new application for every individual TMCM instance.
  - Select SAML 2.0 as the Sign on method.
  - Provide the information under General Settings.
  - Configure SAML Settings (IMPORTANT):
    - Single sign on URL: https:///WebApp/login.aspx
    - Audience URI: https:///WebApp/login.aspx
    - Add one customized attribute:
      - Attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
      - Value: the NETBIOS domain account name that TMCM can recognize, typically in the form "domain\login-name" (e.g. 'WIN2016-AD\' + user.firstName)
  - Download the Okta certificate and rename the file extension from .cert to .cer for later use (TMCM checks the file extension).
  - Save the changes.
- Assign the AD users who can log in to TMCM.
  - TMCM must be configured to integrate with the on-premise AD first. For Apex One™ as a Service, use the Active Directory synchronization tool to integrate the on-premise AD.
  - Select and grant the AD users/groups who should be able to log in to TMCM from Okta.
- Download the certificate from the Okta application and upload it to TMCM. Do the following:
  - On-premise TMCM: set it manually in SystemConfiguration.xml, under m_ADFS_IdpServerCerificate.
  - Apex One™ as a Service: set the ADFS configuration on the Apex Central™ web console.
    - Go to the Active Directory and Compliance Settings page, then tick Enable Active Directory authentication.
    - Upload the Server certificate. (The SSO service URL and Server identifier fields cannot be blank.)
    - Click Save.
    - After the Server certificate has been set, disable Active Directory authentication.
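As an added example (not Trend Micro or Okta code), the following Python builds the attribute value the SAML settings above ask Okta to send and checks that a constructed assertion carries the expected Audience and a well-formed windowsaccountname claim. The host name, the netbiosLogin profile property and the "first.last" naming rule are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
WIN_ACCOUNT_CLAIM = ("http://schemas.microsoft.com/ws/2008/06/identity/"
                     "claims/windowsaccountname")
# "domain\login-name": a NETBIOS domain name (1-15 chars), a backslash, the login.
ACCOUNT_RE = re.compile(r'^[^\\/:*?"<>|\s]{1,15}\\[^\\/:*?"<>|\s]+$')

def windows_account_name(profile, domain, custom_prop="netbiosLogin"):
    """Build the attribute value Okta should send for one user.

    Mirrors the mapping rule above: use the custom Okta profile property when
    the tenant has one, otherwise derive the login from first/last name.
    The property name and the "first.last" rule are assumptions for this example.
    """
    login = profile.get(custom_prop)
    if not login:
        login = f"{profile['firstName']}.{profile['lastName']}".lower()
    return f"{domain}\\{login}"

def check_assertion(assertion_xml, expected_audience):
    """Return the Windows account name carried by a SAML assertion, or raise.

    Checks only the content TMCM depends on: the Audience must equal the
    Audience URI configured in Okta, and the windowsaccountname attribute must
    be present and well-formed. Signature verification against the uploaded
    Okta certificate is the service provider's job and is not done here.
    """
    root = ET.fromstring(assertion_xml)
    audience = root.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=SAML_NS)
    if audience != expected_audience:
        raise ValueError(f"audience mismatch: {audience!r}")
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == WIN_ACCOUNT_CLAIM:
            value = (attr.findtext("saml:AttributeValue", namespaces=SAML_NS) or "").strip()
            if not ACCOUNT_RE.match(value):
                raise ValueError(f"malformed windowsaccountname: {value!r}")
            return value
    raise ValueError("windowsaccountname attribute missing")

# Constructed sample assertion (unsigned, body only) for a TMCM instance at a
# placeholder host; the value is what windows_account_name() yields for Jane Doe.
SAMPLE_AUDIENCE = "https://tmcm.example.invalid/WebApp/login.aspx"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SAMPLE_AUDIENCE}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{WIN_ACCOUNT_CLAIM}">
      <saml:AttributeValue>WIN2016-AD\\jane.doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SAMPLE_AUDIENCE))  # WIN2016-AD\jane.doe
```

A mismatched Audience or a missing/malformed claim raises ValueError, which is the symptom to look for when an Okta login reaches TMCM but is rejected.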