Automating user management (IdP)

Last updated 2023-06-09

An identity provider (IdP) is a system that stores and manages users' digital identities. We support automated user management through Okta.

Provisioning users via Okta enables you to automatically synchronize user access to your sites and their specific permission levels (also know as roles) for those sites. Specifically, you can:

Push new users. New users created through Okta can be created in Signal Sciences.
Push profile updates. Updates made to the user's profile through Okta can be pushed to Signal Sciences.
Push user deactivation and reactivation. Deactivating the user or disabling the user's access to the application through Okta will delete the user in the third party application. Reactivating the user in Okta will recreate the user.

Limitations and considerations

When using Okta as your IdP, keep the following things in mind:

A user that is provisioned by Okta cannot be modified or deleted in Signal Sciences. All changes must happen inside of Okta.
Signal Sciences only accepts email addresses with letters that are lowercase. Email addresses with uppercase letters will result in erroneous behavior.
If an existing user has the same email address as a user being provisioned within Okta, the accounts will be consolidated. Users won’t have to be re-provisioned upon setup, but the new group assignments will override existing role and permissions.

Prerequisites

Before configuring the IdP, complete the following prerequisites:

In your Signal Sciences account, enable Single Sign-On to use Okta as your SSO provider.
In Okta, create a Signal Sciences application if you do not already have one. Follow the instructions listed in the Okta Signal Sciences application, which provide specific configuration information.
Using our API, create an API Access Token in Signal Sciences and store it in a secure location for use later in this guide.

Configuring the IdP

To configure automated user management through Okta, follow these steps.

Enter configuration information

In the Provisioning tab of the Signal Sciences Okta application, enable provisioning. Enter the following information:

SCIM connector base URL: Enter https://dashboard.signalsciences.net/api/v0/corps/<corpname>/scim/v2 where <corpname> is the “name” of your Corp.
- Your <corpname> is present in the address of your Signal Sciences console, such as https://dashboard.signalsciences.net/corps/<corpname>/overview.
- Your <corpname> can also be retrieved from the List Corps API endpoint.
Unique identifier field for users: Select Email.
Supported provisioning actions: Select Push New Users and Push Profile Updates.
Authentication Mode: Select HTTP Header.
Authorization: Generate a Bearer Token from the API Access Token you generated earlier. The Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated.
- An example command for creating a Bearer Token in bash:
```
$ echo -n "user@example.com:c9e4bbc5-a5c4-19d3-b31f-691d8b2139fe" | base64
```
- An example command for creating a Bearer Token in JavaScript:
```
btoa("<signal_sciences_email>:<signal_sciences_access_token>") = "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
```

Test configuration

Confirm your connection was configured correctly by clicking Test Connector Configuration. If everything is configured correctly, you will see "Signal Sciences was verified successfully!":

Click Save to save this configuration and proceed.

Enable provisioning features

After the settings are saved, select Enable for the following under Provisioning to App:

Create Users
Update User Attributes
Deactivate Users

Click Save to save these settings and proceed.

After enabling provisioning, you may see a message that unmapped attributes exist on the application. This will not prevent provisioning; however, if you wish to map Signal Sciences attributes to your base Okta user profile, you may do so by mapping the following attributes:

userType should be mapped onto a string attribute that will represent the user's role. The value of this must be a valid role: owner, admin, user, or observer.
entitlements should be mapped onto a string array attribute that will represent the user's sites. This should be set to a string array representing the shortnames of sites the user should have access to, such as www.example.com.

Assigning a group or user to the application

The following instructions apply to assigning groups, though users will follow a nearly identical process.

In the Signal Sciences Okta application, click on Assignments. The assignments menu page appears.
From the Assign menu, select Assign to Groups. The group assignment menu page appears.
Select a group of users to provision to Signal Sciences. A window appears requesting additional attributes.
Select the Role for the assigned group. This can be one of owner, admin, user, or observer.
Click Add Another to add a site. This is the “short name” of the site that appears in your Site settings.
Click Save and Go Back.

Managing users with the IdP

User management includes both updates to attributes and user deletion.

Updating users

Updates to the group/user attributes will be synchronized to Signal Sciences including:

The user’s real name
The user’s assigned Signal Sciences role
The user’s assigned Signal Sciences sites

Signal Sciences does not support updating the user’s email address, as it is the primary identifier for the user.

Deleting users

Signal Sciences users are removed via provisioning in a few ways:

Remove the user from a group assigned to the Signal Sciences application
Directly remove the user from the Signal Sciences application if they are directly assigned
Deactivating the user in Okta

The user will be re-created if the user is reactivated or re-assigned to the Signal Sciences Okta application.

Troubleshooting

SCIM Provisioning was added to the Okta application in December 2020. If you have a Signal Sciences application in Okta that was created before December 2020, you may need to create a new Signal Sciences application in Okta in order to use SCIM provisioning.

If you have questions or difficulties with the Okta integration, reach out to our Support team for assistance.

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.