Objective
To set up first name, last name and group mappings when provisioning users with Okta. If you have not yet set up your Okta SSO integration, please refer to our video tutorial.
Process
Create Contrast groups for mappings to Okta
Okta can include a user's group memberships in the SAML assertion, selecting which groups to send with a search string (filter).
Note: For this example we will create three groups specifically for Contrast so that the search string stays simple. Other names, or more advanced regex filters, can be used instead.
1) As an Admin: select your profile in the top right and click Organizational settings.
2) Proceed to Groups and add the following group names:
- contrast_admin (with admin access to all applications)
- contrast_edit (with edit access to all applications)
- contrast_view (with view access to all applications)
- Additionally, you can create a project-specific group such as contrast_acme_proj
For more help on Contrast groups see our doc site.
Create Okta groups for Contrast users
1) Within Okta, go to Users --> Groups and select Add Group.
2) Create three groups with the following names (plus the optional project group).
Name | Description |
contrast_admin | Has admin access to applications within Contrast UI |
contrast_edit | Has edit access to applications within Contrast UI |
contrast_view | Has view access into applications within Contrast UI |
contrast_acme_proj | Has edit access into the Acme project applications developers are working on |
3) Add users to these groups and assign the groups to the Contrast application you created for SSO authentication.
Add the Mappings for users and groups
Within the Okta application configuration screen:
1) Select the General tab, then select Edit under SAML Settings.
2) Click Next and scroll to the Attribute Statements section.
3) To map the user's name values, create the following Name/Value pairs:
Name | Name Format | Value |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Unspecified | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Unspecified | user.firstName |
4) To map Okta groups, add the following group attribute statement:
Name | Name Format | Filter |
contrast_groups | Unspecified | Starts with: contrast |
5) Select "Preview the SAML assertion"; the result should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id14731715486219171333669124" IssueInstant="2020-07-15T13:46:46.871Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2020-07-15T13:51:47.173Z" Recipient="https://app.contrastsecurity.com/Contrast//saml/SSO"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2020-07-15T13:41:47.173Z" NotOnOrAfter="2020-07-15T13:51:47.173Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://app.contrastsecurity.com/Contrast//saml/metadata</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2020-07-15T13:46:46.871Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.lastName</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.firstName</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GroupName Match Starts with "contrast" (ignores case)</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
6) Click Next and finish the configuration to save it.
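The preview in step 5 shows the three attributes Contrast reads from the assertion. As an added example (not code from this article, Okta or Contrast), the Python below parses an assertion of that shape, applies the validity-window and audience checks a service provider must make before trusting any attribute, and returns the first name, last name and the contrast_* group names (re-applying Okta's "Starts with: contrast" filter on the receiving side). The assertion text is constructed sample data, and the XML signature is assumed to have been verified already by the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
AUDIENCE = "https://app.contrastsecurity.com/Contrast//saml/metadata"
# Constructed sample: the preview above with a real user filled in. Okta emits
# one AttributeValue per group that matched the "Starts with: contrast" filter.
SAMPLE_ASSERTION = f"""<saml2:Assertion ID="_c1" Version="2.0" xmlns:saml2="{NS['saml2']}">
  <saml2:Conditions NotBefore="2020-07-15T13:41:47.173Z" NotOnOrAfter="2020-07-15T13:51:47.173Z">
    <saml2:AudienceRestriction><saml2:Audience>{AUDIENCE}</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{SURNAME}"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="{GIVENNAME}"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="contrast_groups">
      <saml2:AttributeValue>contrast_edit</saml2:AttributeValue>
      <saml2:AttributeValue>contrast_acme_proj</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

def _utc(ts):  # SAML timestamps look like 2020-07-15T13:41:47.173Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def attribute_values(root, name):
    # Every AttributeValue of the attribute called `name`; groups have several.
    return [(v.text or "").strip()
            for a in root.findall("saml2:AttributeStatement/saml2:Attribute", NS)
            if a.get("Name") == name
            for v in a.findall("saml2:AttributeValue", NS)]

def provisioning_attributes(assertion_xml, now_iso, audience=AUDIENCE):
    # The checks an SP makes before trusting attributes. Signature verification
    # is assumed to have passed already (the SAML library does it; not shown).
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml2:Conditions", NS)
    now = _utc(now_iso)
    if not _utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text.strip() for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    return {
        "first_name": attribute_values(root, GIVENNAME)[0],
        "last_name": attribute_values(root, SURNAME)[0],
        # Re-apply Okta's filter so a stray non-Contrast group never maps a role.
        "groups": [g for g in attribute_values(root, "contrast_groups")
                   if g.lower().startswith("contrast")],
    }
```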
Turn on group mappings in Contrast SSO settings
To finalize the setup and enable the mappings for newly on-boarded users, proceed to the Contrast UI.
1) Go to Organizational Settings --> Single Sign-On.
2) Select Edit and check "Enable user provisioning" and "Add users to their Contrast groups upon SSO login". Additionally, you can create a no-access group for users who are on-boarded to Contrast but have no group affiliations in Okta.
3) Save the settings.
The mappings are now complete, and newly on-boarded users should automatically be provisioned into the Contrast groups that match their group memberships in Okta.