Objective
To set up first name, last name and group mappings when provisioning users with Okta.
If you have not yet set up your Okta SSO integration, please refer to our video tutorial.
Process
Create Contrast groups for mappings to Okta
Okta can send group affiliations in SAML assertions based on search strings.
1) Within the Contrast UI, as an Admin, select your profile in the top right and click Organizational settings.
2) Proceed to Groups and add the following group names:
- contrast_admin (with admin access to all applications)
- contrast_edit (with edit access to all applications)
- contrast_view (with view access to all applications)
- Additionally, you can create a project-specific group like contrast_acme_proj
For more help on Contrast groups see our doc site.
Create Okta groups for Contrast users
1) Within Okta, go to Users -> Groups and select Add Group.
2) Create groups with the following names.
Name | Description |
contrast_admin | Has admin access to applications within Contrast UI |
contrast_edit | Has edit access to applications within Contrast UI |
contrast_view | Has view access to applications within Contrast UI |
contrast_acme_proj | Has edit access to the Acme project applications developers are working on |
3) Add users into these groups and assign them to the Contrast application you have created for SSO authentication.
Add the Mappings for users and groups
Within the Okta application configuration screen:
1) Select the General tab and then select Edit under SAML settings.
2) Click next and scroll to the Attribute Statements section.
3) To map the user's first and last name values, create the following Name/Value pairs.
Name | Name Format | Value |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Unspecified | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Unspecified | user.firstName |
4) To map Okta groups, add the following group attribute statement:
Name | Name Format | Filter |
contrast_groups | Unspecified | Starts with: contrast |
5) Select "Preview the SAML assertion" and the result should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id14731715486219171333669124" IssueInstant="2020-07-15T13:46:46.871Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2020-07-15T13:51:47.173Z" Recipient="https://app.contrastsecurity.com/Contrast//saml/SSO"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2020-07-15T13:41:47.173Z" NotOnOrAfter="2020-07-15T13:51:47.173Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://app.contrastsecurity.com/Contrast//saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2020-07-15T13:46:46.871Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.lastName</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.firstName</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GroupName Match Starts with "contrast" (ignores case)</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
6) Click next and finish the configuration to save it.
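As an added example that is not part of the original article, here is a small Python check that parses an assertion shaped like the preview above, confirms the surname, givenname and contrast_groups attributes are present and non-empty, and applies the same "starts with contrast, ignoring case" rule that the Okta group filter uses. The assertion text is constructed for the example and the function names are my own, not a Contrast or Okta API.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
GROUPS_ATTR = "contrast_groups"
GROUP_PREFIX = "contrast"  # mirrors the Okta filter "Starts with: contrast" (ignores case)
# Constructed sample (not a real Okta preview): the AttributeStatement with real values
# filled in. "Everyone" is included on purpose so the prefix filter has something to drop.
SAMPLE_ASSERTION = """
<saml2:Assertion ID="id-constructed" Version="2.0" IssueInstant="2020-07-15T13:46:46.871Z"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="contrast_groups">
      <saml2:AttributeValue>contrast_edit</saml2:AttributeValue>
      <saml2:AttributeValue>Contrast_acme_proj</saml2:AttributeValue>
      <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

def attribute_values(assertion_xml):
    """Map each SAML Attribute Name to the list of its AttributeValue strings."""
    root = ET.fromstring(assertion_xml.strip())
    values = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        vals = [(v.text or "").strip() for v in attr.findall(f"{{{SAML2}}}AttributeValue")]
        values[attr.get("Name")] = vals
    return values

def check_mappings(assertion_xml):
    """Return the name and group data Contrast provisions from, plus any problems found."""
    attrs = attribute_values(assertion_xml)
    problems = []
    for name in (SURNAME, GIVENNAME, GROUPS_ATTR):
        if not any(attrs.get(name, [])):
            problems.append(f"missing or empty attribute: {name}")
    # Apply the same rule as the Okta group filter: prefix match, ignoring case.
    groups = [g for g in attrs.get(GROUPS_ATTR, []) if g.lower().startswith(GROUP_PREFIX)]
    return {"last_name": (attrs.get(SURNAME) or [""])[0],
            "first_name": (attrs.get(GIVENNAME) or [""])[0],
            "groups": groups, "problems": problems}
```

Run check_mappings on a downloaded assertion before enabling provisioning: an empty problems list and the expected group names mean the attribute statements are wired the way Contrast expects.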
Turn on group mappings in Contrast SSO settings
To finalize the setup and enable the mappings for newly on-boarded users, proceed to the Contrast UI.
1) Go to Organizational Settings --> Single Sign-On.
2) Select Edit and check "Enable user provisioning" and "Add users to their Contrast groups upon SSO login". Additionally, you can create a no-access group for users on-boarded to Contrast who have no group affiliations in Okta.
3) Save the settings.
The mappings are complete at this point, and newly on-boarded users should automatically be provisioned into the Contrast groups that match their group associations within Okta.