Okta SSO

Manage users with Okta OIDC SSO + SCIM provisioning.

---

Suger supports Okta as an identity provider, allowing you to manage users and their access to Suger through Okta.

You can either integrate Suger via Okta Integration Network(OIN), or create custom app integrations.

(Option 1: Recommended) Suger App in Okta Integration Network(OIN)

Suger is available on the Okta Integration Network. It supports both OIDC Single Sign-On (SSO) and user provisioning with SCIM (System for Cross-domain Identity Management).

1. Add Suger to your Okta account using either of these methods:

   • Visit the Suger OIN App page directly.

   • Navigate through your Okta Admin Console by going to Applications → Applications → Browse App Catalog, then search for "Suger".

   

2. Set the following parameters as placeholders that will be updated later. Click Done when finished.

   • Suger Organization ID: SugerOrg. (This will be updated later)

   • SCIM endpoint URL: https://www.suger.io/. (This will be updated later)

   • Application Visibility: Keep the default settings (both unchecked)

   

3. Configure OIDC and SCIM following the instructions below.

OIDC configuration

Supported Features

• Service Provider (SP)-Initiated Authentication: Triggered when a user logs in from Suger and uses Okta as the identity provider..
• Identity Provider (IdP)-Initiated Authentication: Triggered when a user logs in from Okta and is automatically signed into Suger.

Steps

1. In the Okta app, navigate to Sign On - Settings, copy the Client ID and Client Secret and send them to Suger Support.

   

2. Copy your Okta Domain and send to Suger Support. It looks like dev-12345678.okta.com.

3. Wait for Suger Support to configure the OIDC connection using the provided details. The following configurations will be set up:

   1. Suger OIDC Configuration (Operation by Suger Support)
   2. Suger SCIM Configuration (Operation by Suger Support)

4. After completing the setup, Suger Support will provide you with the following details:

   • Suger Organization ID
   • SCIM endpoint URL
   • SCIM API Token

5. In the Okta app, navigate to General - App Settings, and update the following parameters with the first two details from the previous step:

   

The overall data exchange between Okta administrator and Suger Support looks like:

SP-initiated SSO

1. Open your browser and navigate to: https://console.suger.io/login?orgId={your_suger_org_id}. After your first successful login, a shortcut will appear on the main login page (https://console.suger.io/login) where you can simply click "SSO to (your organization name)" to access your account.

2. Click "Continue with Okta" to authenticate with your Okta credentials. (Note: If your organization has configured Okta as the default SSO connection, this step will be automatically skipped.)

3. Complete the authentication process:
   • If you're not currently logged into Okta, you'll be prompted to enter your Okta username and password.
   • If you're already logged into Okta, you'll be automatically redirected to the Suger Console dashboard.

Note

important

• Once the integration is set up, Okta becomes the sole source of user management, replacing manual management in the Suger console.

• To ensure seamless user provisioning and management, make sure you have also configured SCIM.

SCIM configuration

Supported Features

• Create users
• Update user attributes
• Deactivate users

Steps

1. Open the app and navigate to Provisioning, click "Configure API Integration".

2. Check the Enable API Integration box.

3. Enter the API Token provided by Suger Support, then click Test API Credentials to verify the connection. If the verification is successful, click Save:

   

4. In Provisioning to App section, check the options below:

   

5. Set up Suger Role mapping following Manage Suger Role with SCIM.

Troubleshooting

1. "Conflict" or "Matching user not found" error

   • If you encounter this error when assigning users to the SCIM app, navigate to Dashboard > Tasks to check the error details and retry the task.

2. User provisioning

   • After a user is provisioned, they will gain access to the Suger console immediately.
   • The user will not be visible in the Suger console until they complete their first login via OIDC authentication.

3. SCIM provisioning for sugerRole updates

   • To apply sugerRole updates, log out and then log back into the Suger console.
   • Updates to sugerRole may take a few minutes to reflect due to caching. Please wait a while and try again.

4. Synced user attributes

   • Only email and sugerRole are synchronized.
   • Changes to the family name and given name will NOT be reflected in the Suger console.

5. User deprovisioning

   • After a user is un-provisioned, they will lose access to the Suger console upon their next login attempt. However, they can continue accessing the Suger console until their current session expires.
   • The user will still be visible in the Suger console, and removal may take up to 24 hours.

If you have any further questions or difficulties with your integration, please contact Suger support at support@suger.io.

(Option 2) Create custom app integrations

You can also create custom app integrations for Suger in Okta, which provides more flexibility and control over the configuration.

This section describes how to create two separate Okta apps for OpenID Connect(OIDC) and SCIM provisioning.

Create an OpenID Connect(OIDC) App Integration

Setting up Okta as a Single Sign-On (SSO) provider for Suger requires configuration on both Okta and Suger sides.

Okta OIDC Configuration

Follow these steps to create an OpenID Connect (OIDC) app integration in Okta:

1. Open the Okta Admin Console, go to Applications -> Applications. Click Create App Integration.

2. Select OIDC as the Sign-in method, and Web application as the Application type:

   

3. Configure the following parameters, then click Save.:

   • App integration name: Suger

   • Sign-in redirect URIs: https://dev-uwmvi0yu.us.auth0.com/login/callback.

   • Sign-out redirect URIs: https://console.suger.io/login.

   • Trusted Origins: https://console.suger.io

   

4. Open the app settings and navigate to General - General Settings - Edit, then configure the following:

   • Login initiated by: Either Okta or App

   • Application visibility: Display application icon to users

   • Login flow: Redirect to app to initiate login (OIDC Compliant)

   • Initiate login URI: https://console.suger.io/login?orgId={your_suger_org_id}. Ask Suger Support to get the your_suger_org_id.

   • Controlled access: Skip group assignment for now

   

5. Retrieve the Client ID and Client Secret from Okta and send them to Suger Support.

6. (Optional) Set an app logo by saving this image:

   

Suger OIDC Configuration

Create an OIDC Connection

1. Follow the Okta Workforce Connection setup guide to create an Okta connection with the following parameters:

   • Connection Name: A unique name for the connection. It can't be changed after creation.

   • Okta Domain: e.g., dev-12345678.okta.com.

   • Client ID: From Okta app.

   • Client Secret: From Okta app.

   

2. Navigate to Login Experience tab, check "Display connection as a button" and set the Button display name as Okta:

   

3. Navigate to Applications tab and enable the connection for the user's application.

   

Update the SSO configuration for the user's organization

In the Suger console, go to "Settings", click "Edit" under the "Organization" section, enter the following details, and click "Save".

Create an SCIM App Integration

SCIM (System for Cross-domain Identity Management) enables secure user data synchronization between Okta and Suger.

Setting up SCIM integration requires configuration on both Suger and Okta sides.

Suger SCIM Configuration

1. Open the Auth0 Dashboard and navigate to: Authentication > Enterprise > Okta Workforce > [your-connection] > Provisioning.

2. Configure the following settings:

   • Disable: "Sync user profile attributes at each login".
   • Enable: "Sync user profiles using SCIM.

3. In the Mapping tab, add this mapping:

    {
        "scim": "roles[type eq \"SUGER_ROLE\"].value",
        "auth0": "app_metadata.suger_role"
    },

   

4. In the Setup tab, Generate a Bearer Token using the default settings:

   

5. Send the SCIM endpoint URL and Bearer token to the Okta administrator.

Okta SCIM Configuration

1. Obtain the SCIM endpoint URL and Bearer token from Suger Support.

2. Follow this Okta SCIM setup guide to create a SCIM app:

   

Manage Suger Role with SCIM

1. Create a custom attribute for SCIM app user:

   • Data type: string
   • Display name: Suger Role
   • Variable name: sugerRole
   • External name: roles.^[type=='SUGER_ROLE'].value
   • External namespace: urn:ietf:params:scim:schemas:core:2.0:User
   • Enum: Define enumerated list of values
   • Attribute members:
     • ADMIN: ADMIN
     • EDITOR: EDITOR
     • VIEWER: VIEWER
   • Attribute required: Yes
   • Attribute type: Group

   After creation, it looks like:

   

2. Create Okta Groups for each Suger Role and assign them to the SCIM app.

   Example: Create Suger Role Admin group:

   

   Assign the group to the SCIM app with Suger Role configured:

   

   Repeat for Editor and Viewer roles:

   

3. Open the SCIM app, map the Suger Role attribute in the Provisioning tab::

   Click "edit" icon, and set the mapping as follows:

   

   After mapping:

   

Manage Users Access

Assign the users or Suger role groups to Suger App. If you're using separated custom apps, assign the Suger role groups to both the Okta SSO app and the SCIM app.

• To grant a user access to Suger, assign the user to a Suger role group.
• To revoke access, remove the user assignments from a Suger role group.

Note:

warning

• If you encounter a "Conflict" or "Matching user not found" error when assigning users to the SCIM app, please contact Suger Support to remove the existing Okta connection users in Auth0.