Automating user management (IdP)
Last updated 2023-06-09
An identity provider (IdP) is a system that stores and manages users' digital identities. We support automated user management through Okta.
Provisioning users via Okta enables you to automatically synchronize user access to your sites and their specific permission levels (also know as roles) for those sites. Specifically, you can:
- Push new users. New users created through Okta can be created in the Next-Gen WAF.
- Push profile updates. Updates made to the user's profile through Okta can be pushed to the Next-Gen WAF.
- Push user deactivation and reactivation. Deactivating the user or disabling the user's access to the application through Okta will delete the user in the third party application. Reactivating the user in Okta will recreate the user.
When using Okta as your IdP, keep the following things in mind:
- A user that is provisioned by Okta can only be modified or deleted inside of Okta.
- The Next-Gen WAF only accepts email addresses with letters that are lowercase. Email addresses with uppercase letters will result in erroneous behavior.
- If an existing user has the same email address as a user being provisioned within Okta, the accounts will be consolidated. Users won’t have to be re-provisioned upon setup, but the new group assignments will override existing role and permissions.
Before configuring the IdP, complete the following prerequisites:
- In your Next-Gen WAF account, enable single sign-on to use Okta as your SSO provider.
- In Okta, create an integration with Next-Gen WAF if you do not already have one. Follow the instructions listed in the Okta application, which provides specific configuration information.
- Using our API, create an API Access Token in the Next-Gen WAF and store it in a secure location for use later in this guide.
To configure automated user management through Okta, follow these steps.
On the Provisioning tab of the Signal Sciences Okta application, enable provisioning by entering the following information:
SCIM connector base URL: Enter
<corpname>is the “name” of your Corp.
<corpname>is present in the address of your Next-Gen WAF console, such as
<corpname>can also be retrieved from the List Corps API endpoint.
Unique identifier field for users: Select Email.
Supported provisioning actions: Select Push New Users and Push Profile Updates.
Authentication Mode: Select HTTP Header.
Authorization: Generate a Bearer Token from the API Access Token you generated earlier. The Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated.
An example command for creating a Bearer Token in bash:$ echo -n "firstname.lastname@example.org:c9e4bbc5-a5c4-19d3-b31f-691d8b2139fe" | base64
Confirm your connection was configured correctly by clicking Test Connector Configuration. If everything is configured correctly, you will see "Signal Sciences was verified successfully!":
Click Save to save this configuration and proceed.
After the settings are saved, select Enable for the following under Provisioning to App:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save to save these settings and proceed.
After enabling provisioning, you may see a message that unmapped attributes exist on the application. This will not prevent provisioning; however, if you wish to map Next-Gen WAF attributes to your base Okta user profile, you may do so by mapping the following attributes:
userTypeshould be mapped onto a string attribute that will represent the user's
role. The value of this must be a valid
entitlementsshould be mapped onto a string array attribute that will represent the user's
sites. This should be set to a string array representing the shortnames of sites the user should have access to, such as
The following instructions apply to assigning groups, though users will follow a nearly identical process.
- In the Signal Sciences Okta application, click Assignments.
- From the Assign menu, select Assign to Groups.
- Select a group of users to provision. A window appears requesting additional attributes.
- Select the Role for the assigned group. This can be one of owner, admin, user, or observer.
- Click Add Another to add a site. This is the “short name” of the site that appears in your Site settings.
- Click Save and Go Back.
User management includes both updates to attributes and user deletion.
Updates to the group and user attributes will be synchronized, including:
- The user’s real name
- The user’s assigned role
- The user’s assigned sites
Next-Gen WAF does not support updating the user’s email address, as it is the primary identifier for the user.
Next-Gen WAF users are removed via provisioning in a few ways:
- Remove the user from a group assigned to the Next-Gen WAF application
- Directly remove the user from the Next-Gen WAF application if they are directly assigned
- Deactivating the user in Okta
The user will be re-created if the user is reactivated or re-assigned to the Signal Sciences Okta application.
SCIM Provisioning was added to the Okta application in December 2020. If you have a Signal Sciences application in Okta that was created before December 2020, you may need to create a new Signal Sciences application in Okta in order to use SCIM provisioning.
If you have questions or difficulties with the Okta integration, reach out to our Support team for assistance.