Configuring user and group provisioning with Okta


Objective

To set up first name, last name and group mappings when provisioning users with Okta.

If you have not yet set up your Okta SSO integration, please refer to our video tutorial.  

Process

Create Contrast groups for mappings to Okta

Okta can send group affiliations in SAML assertions based on search strings.

For this example, we use groups with names that keep the search string simple. Other names or more advanced regular-expression searches can be used instead.

1) Within the Contrast UI, as an Admin, select your profile in the top right and click Organizational settings.

2) Proceed to Groups and add the following group names:

  • contrast_admin (with admin access to all applications)
  • contrast_edit (with edit access to all applications)
  • contrast_view (with view access to all applications)
  • Additionally, you can create a project-specific group like contrast_acme_proj


For more help on Contrast groups, see our doc site.

Create Okta groups for Contrast users

1) Within Okta, go to Users -> Groups and select Add Group.

2) Create groups with the following names:

Name                 Description
contrast_admin       Has admin access to applications within the Contrast UI
contrast_edit        Has edit access to applications within the Contrast UI
contrast_view        Has view access to applications within the Contrast UI
contrast_acme_proj   Has edit access to the Acme project applications developers are working on

3) Add users into these groups and assign them to the Contrast application you have created for SSO authentication.


Add the Mappings for users and groups

Within the Okta application configuration screen:

1) Select the General tab and then select Edit under SAML Settings.

2) Click next and scroll to the Attribute Statements section.

3) To map user name values, create the following Name/Value pairs:

Name                                                             Name format    Value
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname    Unspecified    user.lastName
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname  Unspecified    user.firstName

4) To map Okta groups, add the following:

Name             Name format    Filter
contrast_groups  Unspecified    Starts with: contrast

5) Select "Preview the SAML assertion"; the result should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id14731715486219171333669124" IssueInstant="2020-07-15T13:46:46.871Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">userName</saml2:NameID>
        <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData NotOnOrAfter="2020-07-15T13:51:47.173Z" Recipient="https://app.contrastsecurity.com/Contrast//saml/SSO"/>
        </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2020-07-15T13:41:47.173Z" NotOnOrAfter="2020-07-15T13:51:47.173Z">
        <saml2:AudienceRestriction>
            <saml2:Audience>https://app.contrastsecurity.com/Contrast//saml/metadata</saml2:Audience>
        </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2020-07-15T13:46:46.871Z">
        <saml2:AuthnContext>
            <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
        </saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
        <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.lastName
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.firstName
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="contrast_groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">GroupName Match Starts with "contrast" (ignores case)
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
</saml2:Assertion>

6) Click next and finish the configuration to save it.
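As an added example (not from this article or Contrast's own code), the following Python mirrors what the configuration above produces: it applies the step 4 "Starts with: contrast (ignores case)" filter to a user's Okta group names, parses an assertion shaped like the preview, and flags any asserted group that has no matching Contrast group, which is the situation the no-access group in the Contrast SSO settings covers. The sample assertion, the user values and the exact-name matching on the Contrast side are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
GIVENNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
GROUP_ATTR = "contrast_groups"

# Constructed sample in the shape of the Okta preview, with values for a hypothetical user.
SAMPLE = """<saml2:Assertion Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>jane.doe@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="%s"><saml2:AttributeValue>Doe</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="%s"><saml2:AttributeValue>Jane</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="contrast_groups">
      <saml2:AttributeValue>contrast_edit</saml2:AttributeValue>
      <saml2:AttributeValue>contrast_acme_proj</saml2:AttributeValue>
      <saml2:AttributeValue>contrast_legacy</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>""" % (SURNAME, GIVENNAME)

# The Contrast groups created in the first section of this article.
CONTRAST_GROUPS = ["contrast_admin", "contrast_edit", "contrast_view", "contrast_acme_proj"]

def okta_group_filter(okta_groups, prefix="contrast"):
    """Mirror the step 4 filter: keep groups whose name starts with the prefix, ignoring case."""
    return [g for g in okta_groups if g.lower().startswith(prefix.lower())]

def parse_assertion(xml_text):
    """Pull the surname, givenname and contrast_groups attributes out of an assertion."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return {
        "email": root.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS),
        "first_name": attrs.get(GIVENNAME, [""])[0],
        "last_name": attrs.get(SURNAME, [""])[0],
        "groups": attrs.get(GROUP_ATTR, []),
    }

def provision(xml_text, contrast_groups):
    """Keep asserted groups that exist in Contrast (exact-name match assumed); report the rest."""
    user = parse_assertion(xml_text)
    known = set(contrast_groups)
    user["unmatched_groups"] = [g for g in user["groups"] if g not in known]
    user["groups"] = [g for g in user["groups"] if g in known]
    return user
```

A non-empty unmatched_groups list means Okta forwarded a group name that was never created in Contrast, so that membership grants the user nothing at login.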


Turn on group mappings in Contrast SSO settings

To finalize the setup and enable the mappings for newly on-boarded users, proceed to the Contrast UI.

1) Go to Organizational Settings -> Single Sign-On.

2) Select Edit and check "Enable user provisioning" and "Add users to their Contrast groups upon SSO login". Additionally, you can create a no-access group for users who are on-boarded to Contrast but have no group affiliations in Okta.


3) Save the settings.

The mappings are complete at this point, and newly on-boarded users are automatically provisioned into the Contrast groups that match their group associations in Okta.
