This article will run you through how to set up Single Sign-On with Okta and Gnatta, including how to pass over the permission grouping of users from Okta to Gnatta.
Create an Application In Okta
- First, go to Applications > Applications and select Add Application.
- You’ll then be taken to the App directory. Select the option to Create New App.
- Select Web as your platform and OpenID Connect as the Sign on method as shown below.
- Next, you can add a name, logo, and login redirect URIs. As you haven’t yet created the Gnatta SSO provider, enter a placeholder URI for now; you will replace it with the real Redirect URI in a later section, once Gnatta has generated it.
- You will also need to ensure that the following Grant types are selected.
Create an SSO Provider in Gnatta
- When logged into your Gnatta domain, open the Configuration menu and click Authentication.
- On the SSO Providers section, select the Add button in the header.
- To create your provider in Gnatta you will need details from the Application you’ve just created in Okta. In Okta navigate to your application and the General tab.
- In Gnatta, give the provider a Display Name.
- To find the Authority URL required, go to General Settings on the General tab in Okta and navigate to the Okta domain field, as below.
- Next, you need your Client ID and Client Secret; these are found under the Client Credentials heading on the same tab.
- Once these are all added to your SSO provider in Gnatta, select the Save button in the header.
- The SSO provider should appear in your provider list. Please select your newly created provider.
- Once loaded you will now be able to copy the Redirect URI to update Okta.
- In Okta (on the same tab as before), under General Settings select the Edit Button and replace the Login Redirect URI added on creation.
Create Groups in Okta
- In Okta, go to Directory and then Groups.
- You will want to create groups for each Gnatta permission as in the image below. You can find more information about permissions here.
- When creating the groups go into each group and ensure they are assigned to your application.
- Permissions that contain spaces, e.g. Workflow Admin, must be added as WORKFLOW_ADMIN (note that permission names are also case sensitive).
Create Users in Okta
- In Okta, go to Directory and then People.
- Select Add Person and start adding the users you wish.
- On initial creation, you can set the user's groups here; remember that these groups determine their access in Gnatta.
Set up the passing of the Group Claim in Okta
- Navigate back to your Application in Okta.
- Select the tab Sign On.
- Then Edit the OpenID Connect ID Token so that the Groups claim type and filter match the image below.
- The regex in the image below is .* (it matches every group the user is a member of).
- Finally, Save the changes.
Advanced setting on SSO provider in Gnatta
- Go to Gnatta and reopen the SSO provider you set up earlier.
- Select the three-dot menu in the header of your provider and select Show Advanced.
- A new field, Roles Claim, will appear. Complete it as shown below and then Save the changes.
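As an added check (not part of the article or of Gnatta's or Okta's own tooling), the following script decodes the claims of an ID token and reports which entries in the roles claim will map to Gnatta permission names under the naming rule above; KNOWN_PERMISSIONS is a hypothetical set, since the article only names Workflow Admin, and the sample token is constructed and unsigned.

```python
import base64
import json
import re

# Hypothetical permission set: Gnatta's real list is in its own docs;
# only "Workflow Admin" is named in the article.
KNOWN_PERMISSIONS = {"WORKFLOW_ADMIN", "AGENT", "SUPERVISOR"}


def to_gnatta_permission(name: str) -> str:
    """Apply the article's naming rule: spaces to underscores, upper case."""
    return re.sub(r"\s+", "_", name.strip()).upper()


def decode_jwt_claims(id_token: str) -> dict:
    """Return the payload claims of a JWT. No signature check here: this only
    inspects what Okta emits; Gnatta verifies the token against Okta's keys."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_roles_claim(claims: dict, roles_claim: str = "groups") -> dict:
    """Report which groups in the roles claim will map to Gnatta permissions."""
    groups = claims.get(roles_claim)
    if not isinstance(groups, list):
        return {"error": f"claim '{roles_claim}' missing or not a list"}
    mapped = [g for g in groups if g in KNOWN_PERMISSIONS]
    unmapped = [g for g in groups if g not in KNOWN_PERMISSIONS]
    # Case or spacing mistakes: suggest the name Gnatta would accept.
    hints = {g: to_gnatta_permission(g) for g in unmapped
             if to_gnatta_permission(g) in KNOWN_PERMISSIONS}
    return {"mapped": mapped, "unmapped": unmapped, "rename_hints": hints}


def build_sample_token(groups: list) -> str:
    """Constructed, unsigned ID token for offline testing (not a real Okta token)."""
    def b64(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    payload = {"iss": "https://example.okta.com", "sub": "user1", "groups": groups}
    return f"{b64(header)}.{b64(payload)}."


if __name__ == "__main__":
    token = build_sample_token(["WORKFLOW_ADMIN", "Workflow Admin", "Everyone"])
    print(check_roles_claim(decode_jwt_claims(token)))
```

With the .* filter every group the user belongs to is sent, so non-permission groups such as Everyone show up as unmapped; that is expected and harmless.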
Users will now be able to log in from the Gnatta login page via your new Okta provider, and their permissions in Gnatta will be mapped to the Okta groups they belong to.