Give it a try: Set up Okta Provisioning for an existing SSO-enabled app

To ensure your understanding of Okta Provisioning, exercises are provided to guide you through the Okta Provisioning workflow for Salesforce – SSO, based on common, best-practice procedures. The workflow starts with creating a duplicate instance of Salesforce (Salesforce – PROV). Next, you configure Salesforce – PROV for provisioning and then give users access to it using the groups from Salesforce – SSO. The workflow also includes specifying the auto-update of attributes and auto-deactivation of users in Salesforce – PROV.

Before you begin

Ensure Salesforce supports provisioning

Salesforce, being a popular CRM app, is already one of about 200 apps in the Okta Integration Network (OIN) with provisioning capabilities. But as an exercise, let's go through the quick process to see if Salesforce is OIN supported.

Complete the Ensure Salesforce is OIN supported procedure.

Ensure the SSO-app users are in Okta

About

Having at least one user in Okta is necessary to perform the exercises in this guide. If you do not have a user in Okta, this procedure provides a way to add users.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – PROV and then click it.
  3. Click the Provisioning tab.
  4. Click To Okta.

    This is the option to import users into Okta.

  5. Click Edit.

    For the Schedule Imports field, you can specify when imports are done. But for this exercise, accept the never value for a one-time import.

  6. If the email address is not what you want as the Okta username, select Custom in the Okta username format drop-down to specify something different.

  7. From the Imported user is an exact match to Okta user if radio buttons and Allow partial matches check box, specify any desired matching rules.

    These match rules determine how Okta performs a match between an imported user and one that already exists in Okta.

  8. From the Confirm match users and Confirm new users areas, specify any desired auto-confirm rules.

  9. Click the Import tab.

1. Create and set up a duplicate instance of Salesforce

About

An SSO-enabled app can be enabled for Okta Provisioning without breaking the SSO functionality. However, if you would rather not make any changes to your SSO-enabled app, you can create another instance of the app where Okta Provisioning is enabled. The SSO-enabled app and the provision-enabled app are "linked" through the use of common user folders. This affords provisioning functions to the SSO-enabled app.

In this procedure, Salesforce – SSO represents the SSO-enabled app and Salesforce – PROV represents the duplicated instance of Salesforce.

Salesforce – PROV needs to adopt the settings from Salesforce – SSO. Specifically, it's important that Salesforce – PROV is connected to the same Salesforce.com tenant as Salesforce – SSO, and that the username mappings are identical.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – SSO.

Create the Salesforce – PROV instance

  1. It helps to split the screen so you see Salesforce – SSO on the left side of the screen and the new instance of Salesforce on the right side.
  2. On the right side of the screen, go to Applications > Applications.
  3. Click Add Applications.
  4. Locate Salesforce.com (Okta Verified, with SAML and Provisioning) and then click Add.
  5. To view the configuration settings from Salesforce – SSO, click the General tab on the left.
  6. In the Application label field, type "Salesforce – PROV".

Hide the Salesforce – PROV app

  1. Click the following to hide the Salesforce – PROV app in the user's org:

    • Do not display app icon to user
    • Do not display app icon in Okta Mobile App
  2. Deselect Automatically log in when user lands on login page and then click Next.

Specify sign-on options in Salesforce – PROV

  1. Click the Sign On tab for the Salesforce – SSO app in order to view the options needed for the Salesforce – PROV app.
  2. For Salesforce – PROV, ensure that “Okta username” is specified in the Application username format field, as it is for Salesforce – SSO.
  3. Click Done.

2. Configure provisioning for Salesforce – PROV

Provisioning Salesforce – PROV enables you to manage the user lifecycle between Okta and Salesforce. This process involves specifying the app integration, provisioning options, and mapping user attributes in Okta to those of the integrated, third-party app.

Complete the Configure provisioning for Salesforce procedure for Salesforce – PROV.

3. Assign groups in Salesforce – SSO to Salesforce – PROV

About

When Salesforce – PROV shares the same user group used by Salesforce – SSO, the two apps are then "linked". This affords provisioning functions to the SSO-enabled app.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – PROV and then click it.
  3. From the Assignments tab, click Assign > Assign to Groups.

  4. From the Assign Salesforce – PROV to Groups dialog, locate the working group or groups associated with Salesforce – SSO.
  5. For the group, click Assign.

  6. From the Assign Salesforce – PROV to Groups dialog, make the appropriate selection from the Profile drop-down for each working group.

    For other apps, you may not have to specify a profile.

  7. Click Save and go back.

    Okta returns you to the first Assign Salesforce.com to Groups dialog where the group is listed with a disabled Assigned button. This indicates that Salesforce – PROV is now assigned to the group.

  8. For any remaining working groups, repeat steps 5 and 6.
  9. Click Done.

4. Assign a user to Salesforce – PROV using a group

About

In the case where a single user is added to Okta, it may be best to convert this individual user assignment to a group assignment. This is done by assigning the user to Salesforce – PROV using a group from Salesforce – SSO.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – PROV and then click it.
  3. From the Assignments tab, click People under Filters.

  4. Click Convert Assignments.
  5. Select the individual user and then click Convert Selected.
  6. From the Convert Selected Users dialog, click Convert Assignments.

    In the Assignments tab, the individual user is now part of a group.

5. Configure Okta to automatically update attributes in Salesforce – PROV

About

Okta updates a user’s attributes in Salesforce.com when the app is assigned. Future attribute changes made to the Okta user profile will automatically overwrite the corresponding attribute value in Salesforce.com.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – PROV and click it.
  3. Click the Provisioning tab.
  4. Ensure To App is selected in order to push user information down to Salesforce.
  5. To specify provisioning options, click Edit.
  6. For the Update User Attributes option, click Enable and then Save.

6. Configure Okta to automatically deactivate users in Salesforce – PROV

About

Automatic user deactivation deactivates a user’s Salesforce.com account when it is unassigned in Okta or the Okta account is deactivated. Accounts can be reactivated if the app is reassigned to a user in Okta.

Procedure

  1. Go to Applications > Applications.
  2. Locate Salesforce – PROV and click it.
  3. Click the Provisioning tab.
  4. Ensure To App is selected in order to push user information down to Salesforce.
  5. To specify provisioning options, click Edit.
  6. For the Deactivate User option, click Enable and then Save.
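As an added example (not Okta's code), the invariants that the linked-instance setup in step 1 and the provisioning options in steps 5 and 6 rely on, encoded as a check over two app objects shaped like the Okta Apps API (GET /api/v1/apps/{id}). The `credentials.userNameTemplate.template`, `visibility.hide` and `features` fields are real Apps API fields; the `settings.app.tenantUrl` key and the group IDs are assumptions, and no HTTP call is made so it runs offline.

```python
def _tenant(app):
    # ASSUMED key: the page only says both instances must point at the same Salesforce tenant
    return app.get("settings", {}).get("app", {}).get("tenantUrl")


def _username_template(app):
    # Real Apps API field that backs the "Application username format" setting
    return app.get("credentials", {}).get("userNameTemplate", {}).get("template")


def check_linked_instances(sso: dict, prov: dict, sso_groups: set, prov_groups: set) -> list:
    """Return findings describing how PROV deviates from a correct provisioning twin of SSO.

    An empty list means every invariant from the procedure holds.
    """
    findings = []
    if _tenant(sso) != _tenant(prov):
        findings.append("PROV is not connected to the same Salesforce tenant as SSO")
    if _username_template(sso) != _username_template(prov):
        findings.append(f"username mapping differs: SSO={_username_template(sso)!r} "
                        f"PROV={_username_template(prov)!r}")
    if not sso_groups & prov_groups:
        findings.append("no shared group: the instances are not linked")
    missing = sorted(sso_groups - prov_groups)
    if missing:
        findings.append(f"SSO groups not yet assigned to PROV: {missing}")
    hide = prov.get("visibility", {}).get("hide", {})
    if not (hide.get("web") and hide.get("iOS")):
        findings.append("PROV app icon is still visible to users; hide it for web and mobile")
    for feature, label in (("PUSH_PROFILE_UPDATES", "Update User Attributes"),
                           ("PUSH_USER_DEACTIVATION", "Deactivate User")):
        if feature not in prov.get("features", []):
            findings.append(f"{label} is not enabled on PROV ({feature})")
    return findings


# Constructed sample data in the Apps API shape; the tenant URL and group IDs are made up.
SSO = {"label": "Salesforce - SSO",
       "settings": {"app": {"tenantUrl": "https://example.my.salesforce.com"}},
       "credentials": {"userNameTemplate": {"template": "${source.login}"}}}
PROV = {"label": "Salesforce - PROV",
        "settings": {"app": {"tenantUrl": "https://example.my.salesforce.com"}},
        "credentials": {"userNameTemplate": {"template": "${source.login}"}},
        "visibility": {"hide": {"web": True, "iOS": True}},
        "features": ["PUSH_NEW_USERS", "PUSH_PROFILE_UPDATES", "PUSH_USER_DEACTIVATION"]}
SSO_GROUPS = {"00gconstructedA", "00gconstructedB"}
PROV_GROUPS = {"00gconstructedA"}  # second working group not assigned yet (step 8 of section 3)
```

Running `check_linked_instances(SSO, PROV, SSO_GROUPS, PROV_GROUPS)` on the constructed data reports only the group that still has to be assigned to Salesforce – PROV.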