
IDP Provisioning

Updated Jun 20, 2021

In addition to SAML SSO support for authentication, Signal Sciences also supports automated user management through Okta.

Features

The following features are supported:

  • Push New Users
    • New users created through Okta can be created in Signal Sciences.
  • Push Profile Updates
    • Updates made to the user’s profile through Okta can be pushed to Signal Sciences.
  • Push User Deactivation and Reactivation
    • Deactivating the user or disabling the user’s access to the application through Okta will delete the user in the third-party application (Signal Sciences). Reactivating the user in Okta will recreate the user.

Provisioning enables you to automatically synchronize user access to Signal Sciences sites as well as their role (such as an Owner or Admin).

Note: A user that is provisioned by Okta cannot be modified or deleted in Signal Sciences. All changes must happen inside of Okta.

Requirements and Preparation

  1. In your Signal Sciences account, enable Single Sign On to use Okta as your SSO provider.

  2. If you do not have one already, create a Signal Sciences application in Okta. Follow the instructions listed in the Okta Signal Sciences application, which provide specific configuration information.

  3. Create an API Access Token in Signal Sciences and store it in a secure location for use later in this guide.

Step-by-Step Configuration Instructions

Enter configuration information

In the Provisioning tab of the Signal Sciences Okta application, enable provisioning. Enter the following information:

  • SCIM connector base URL:
    • This will be https://dashboard.signalsciences.net/api/v0/corps/<corpname>/scim/v2 where <corpname> is the “name” of your Corp
    • Your <corpname> is present in the address of your Signal Sciences console, such as https://dashboard.signalsciences.net/corps/<corpname>/overview
    • Your <corpname> can also be retrieved from the List Corps API endpoint
  • Unique identifier field for users: Select “Email”
  • Supported provisioning actions: Check the boxes for “Push New Users” and “Push Profile Updates”
  • Authentication Mode: Select “HTTP Header”
  • Authorization:
    • You will need to generate a Bearer Token from the API Access Token you generated earlier
    • The Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated
      • An example command for creating a Bearer Token in bash:

        echo -n "test@user.com:c9e4bbc5-a5c4-19d3-b31f-691d8b2139fe" | base64
      • An example command for creating a Bearer Token in JavaScript:

        btoa("<signal_sciences_email>:<signal_sciences_access_token>");
        // for example, btoa("andy@examplecorp.com:exampletoken") returns "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
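
The SCIM connector base URL and the Authorization value described in the list above can be produced by one script; this is an added example, not part of the Signal Sciences documentation. The function names and the SIGSCI_CORP, SIGSCI_EMAIL and SIGSCI_TOKEN environment variables are assumptions of the example.

```bash
#!/usr/bin/env bash
# Added example: function names and SIGSCI_* variables are assumptions of this sketch.

# SCIM connector base URL for a corp name, in the format given in the list above.
scim_base_url() {
  case $1 in
    ''|*/*|*\?*|*\#*|*' '*)
      echo "corp name is empty or contains /, ?, # or a space" >&2
      return 1 ;;
  esac
  printf 'https://dashboard.signalsciences.net/api/v0/corps/%s/scim/v2\n' "$1"
}

# base64("<email>:<token>") on a single line.
bearer_token() {
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "usage: bearer_token <email> <api-access-token>" >&2
    return 1
  fi
  # printf writes no trailing newline (echo -n is not portable); GNU base64
  # wraps output at 76 columns, so the newlines are stripped afterwards.
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# The token is read from the environment rather than typed as an argument,
# which keeps it out of shell history.
if [ -n "${SIGSCI_CORP:-}" ] && [ -n "${SIGSCI_EMAIL:-}" ] && [ -n "${SIGSCI_TOKEN:-}" ]; then
  echo "SCIM connector base URL: $(scim_base_url "$SIGSCI_CORP")"
  echo "Authorization: $(bearer_token "$SIGSCI_EMAIL" "$SIGSCI_TOKEN")"
else
  echo "set SIGSCI_CORP, SIGSCI_EMAIL and SIGSCI_TOKEN first" >&2
fi
```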
        

Test configuration

Confirm your connection was configured correctly by clicking Test Connector Configuration. If everything is configured correctly, you will see the message “Signal Sciences was verified successfully!”

Click the green Save button to save this configuration and proceed.

Enable provisioning features

After the settings are saved, check the following Enable checkboxes under Provisioning to App:

  • Create Users
  • Update User Attributes
  • Deactivate Users

Click the green Save button to save these settings and proceed.

After enabling provisioning, you may see a message that unmapped attributes exist on the application. This will not prevent provisioning; however, if you wish to map Signal Sciences attributes to your base Okta user profile, you may do so by mapping the following attributes:

  • userType should be mapped onto a string attribute that will represent the user’s role. The value of this must be a valid role: owner, admin, user, or observer.
  • entitlements should be mapped onto a string array attribute that will represent the user’s sites. This should be set to a string array representing the shortnames of sites the user should have access to, such as www.mysite.com.

Assign a Group or User to the Application

The following instructions apply to assigning groups, though users will follow a nearly identical process.

  1. In the Signal Sciences Okta application, click on Assignments. Then click Assign > Assign to Groups
  2. Select a group of users to provision to Signal Sciences
  3. A window will appear requesting additional attributes
  4. Add the Role for the assigned group. This can be one of owner, admin, user, or observer
  5. Click Add Another to add a site. This is the “short name” of the site that appears in your Site settings.
  6. Click Save and Go Back

Note: Signal Sciences only accepts email addresses whose letters are all lowercase. Email addresses with uppercase letters will result in erroneous behavior.
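
A planned assignment list can be checked against the role values and the lowercase-email rule above before it is applied in Okta. This is an added example, not part of the Signal Sciences documentation; the `email,role` line format, the function names and the sample addresses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: the "email,role" input format and function names are assumptions.

# Reads "email,role" lines on stdin and prints one finding per problem.
# Returns non-zero when any line breaks a rule stated in this guide.
check_assignments() {
  awk -F, '
    BEGIN {
      bad = 0
      n = split("owner admin user observer", roles, " ")
      for (i = 1; i <= n; i++) valid[roles[i]] = 1
    }
    {
      email = $1; role = $2; key = tolower(email)
      if (email != key) {
        printf "line %d: %s contains uppercase letters\n", NR, email; bad = 1
      }
      if (!(role in valid)) {
        printf "line %d: role \"%s\" is not owner, admin, user or observer\n", NR, role; bad = 1
      }
      # Email is the unique identifier, so two entries for one address conflict.
      if (key in seen) {
        printf "line %d: %s repeats the address on line %d\n", NR, email, seen[key]; bad = 1
      } else {
        seen[key] = NR
      }
    }
    END { exit bad }
  '
}

# Constructed sample input.
sample_assignments() {
  cat <<'EOF'
alice@example.com,admin
Bob@example.com,user
carol@example.com,superuser
Alice@example.com,observer
EOF
}

sample_assignments | check_assignments || echo "fix the findings above before assigning"
```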

What happens to existing (SAML) users when Okta user provisioning is set up for the first time?

If an existing user has the same email address as a user being provisioned within Okta, the accounts will be consolidated. Users won’t have to be re-provisioned upon setup, but the new group assignments will override the existing role and permissions.

User Management

User Updates

Updates to the group/user attributes will be synchronized to Signal Sciences, including:

  • The user’s real name
  • The user’s assigned Signal Sciences role
  • The user’s assigned Signal Sciences sites

Signal Sciences does not support updating the user’s email address, as it is the primary identifier for the user.

User Deletion

Signal Sciences users are removed via provisioning in a few ways:

  • Remove the user from a group assigned to the Signal Sciences application
  • Directly remove the user from the Signal Sciences application if they are directly assigned
  • Deactivate the user in Okta

The user will be re-created if the user is reactivated or re-assigned to the Signal Sciences Okta application.

Troubleshooting

If you have questions or difficulties with the Okta integration, reach out to our Support team for assistance.