Okta integration in Woody allows:
• Woody to import Okta groups and assign Woody permissions and profiles to them
• Users to log on to Woody using their Okta accounts
• Woody to get the groups to which a user belongs

1. Generate Woody URLs and ID for SAML2 provider


  1. Open Woody administration pages


  2. Go to the “Users” tab, then to “Saml2” in the “External providers” section



  3. Enter a provider name, then click on

  4. Keep the new window open; we’ll need this information to configure the Okta application.


    You can copy a value by clicking on it (Google Chrome only)



2. Create an application in Okta


  1. In your Okta dashboard, select "Applications" and click the "Add application" button to create a new application


  2. In the “Add Application” page, click on "Create New App"



  3. In “Create a New Application Integration” window, select:
    • Platform: Web
    • Sign on method: SAML 2.0

    Then click on "Create"

  4. In “Create SAML Integration”
    Step 1. General Settings

    • Enter your App name
    • Select a logo for it (optional)
    • Click on "Next"




  5. In “Create SAML Integration”
    Step 2. Configure SAML

    • Copy the “assertionConsumerService” URL from the Woody configuration page into the Okta “Single sign on URL” field
    • Copy the “entityID” URL from the Woody configuration page into the Okta “Audience URI (SP Entity ID)” field
    • Select the value “EmailAddress” under “Name ID format”



    In the “Attribute Statements” section:
    • Enter Name “email” and select value “user.email” for it

    • Click "Add Another"
    • Enter Name “username” and select a value for it.
    You can combine values with Okta expression functions, for example:
        user.firstName = John
        user.lastName = Doe
        value = String.join(" ", user.firstName, user.lastName)
        result = John Doe
    More information about it:
    https://developer.okta.com/docs/reference/okta-expression-language/#country-code-conversion-functions
    You can also create your own attributes in the Okta Profile editor


    In the “Group Attribute Statements” section:
    • Enter name “groups”, select the filter “Matches regex” and enter the value “.*”

    This “.*” filter allows Woody to get all the Okta groups of which the user is a member.
    You can narrow the regex if needed, so that only the groups Woody actually binds (see section 6) are sent in the SAML assertion.
    • Click on "Next"
     


  6. In “Create SAML Integration”
    Step 3. Feedback

    • Select “I'm a software vendor. I'd like to integrate my app with Okta”

    • Then click on "Finish"

  7. On your Okta app page:
     • Click on “Identity Provider metadata” and copy the URL

    The URL should look like: https://user_12345.okta.com/app/ewk8q368c1OvFPv357/sso/saml/metadata

     


3. Configure Okta application in IN2IT

In the Woody config page:

  • Enter the URL you just copied in the “Url auto configuration” field
  • Click on “SAVE”


The “Test” button tests the group binding.

 


4. Configure API to bind users (optional)


You can configure the Okta API to bind user groups (from Okta) in Woody.
By doing this, you can assign different permissions and filter Woody profiles depending on Okta groups.

If you don’t, users are bound to the “Any” group by default.
That means all users (assigned to the Okta app) will connect with the same permissions and profiles in Woody (these can be restricted permissions and profiles).

To configure the API:


  1. In the Woody config page, change the “Group listing config” from “Default” to “OKTA”
    • Enter the Endpoint.
    It’s the browser URL you use to configure the Okta app.
    The URL should look like this: https://dev-123456-admin.okta.com


  2. In the Okta console, go to the API page: under the “Security” menu, go to “API”

  3. In the “API” page, under the “Tokens” tab, click on


    Enter a name for this token and click

  4. Copy the provided token.


    Be careful, it’s not possible to retrieve this token after this step. Treat it as a secret: it gives access to the Okta API.

  5. In the Woody configuration, paste this token in the “API Key” field, then click save.



5. User management (Okta)

Before binding users in Woody, you need to allow these users to use the Okta app you created.

  1. In the Okta console, under “Applications”, click on “Applications”


  2. Select your application, click on the settings gear and select   or



  3. Find the users or groups you want to give permissions to and click on the button.
    • You can repeat this operation to assign different users and groups from Okta.
    • You can allow individual users to access the application, but from Woody you can only set permissions by group.

  4. You can retrieve assigned users and groups by clicking on your app and going to the “Assignments” tab


6. Bind users (IN2IT)

Now you can bind groups from Okta and filter profiles and roles.


  1. In the “SAML2 providers” page, click on “ADD BINDING”




  2. Then you can select an Okta group and choose a “role” and a “profile group” for it.

     Click “save”; you can then add another group and give it different permissions.

    • If you chose “Default” for “Group listing config”, only “Any” will be available.
    It means all Okta users will have the same role and profiles.


    • Even with the “Any” binding, only users allowed to use the Okta app can log in to Woody. You can configure these users in step 5 of this document.
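As an added illustration (not Woody's or Okta's code) of what the attribute statements of section 2 step 5 and the bindings above produce: the Python below parses the attribute statement Okta puts in its SAML assertion, applies the “groups” regex filter, and looks up a binding. The sample assertion, the group names and the binding lookup are constructed assumptions, and Okta evaluates the regex with Java semantics, so Python's re is only an approximation.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement part of an Okta SAML response,
# carrying the three attribute names configured above (email, username, groups).
SAMPLE_ATTRIBUTE_STATEMENT = """
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email">
    <saml2:AttributeValue>john.doe@example.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="username">
    <saml2:AttributeValue>John Doe</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="groups">
    <saml2:AttributeValue>Everyone</saml2:AttributeValue>
    <saml2:AttributeValue>woody-editors</saml2:AttributeValue>
    <saml2:AttributeValue>woody-admins</saml2:AttributeValue>
    <saml2:AttributeValue>finance</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

def parse_attributes(xml_text):
    """Return {attribute name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(xml_text.strip())
    attrs = {}
    for attr in root.findall("saml2:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs

def groups_matching(groups, pattern):
    """Emulate Okta's "Matches regex" group filter (assumed to be a whole-name match).
    ".*" sends every group; a narrower pattern sends only the groups Woody needs."""
    compiled = re.compile(pattern)
    return [g for g in groups if compiled.fullmatch(g)]

def resolve_binding(groups, bindings):
    """Hypothetical lookup, not Woody's real logic: return the (role, profile group)
    bound to the first matching Okta group, falling back to the "Any" binding."""
    for g in groups:
        if g in bindings:
            return bindings[g]
    return bindings.get("Any")
```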

7. Enable Okta authentication


To make the Okta login page the default for the Woody app:


Go to: Users > General user settings > Settings

and change the default provider to the Okta provider you created.


If for any reason you want to use an “internal Woody user”, you can still unlock the authentication provider with the link in the lower right corner of the authentication page.

Then you can choose your provider.