In addition to SAML SSO support for authentication, Signal Sciences also supports automated user management through Okta.
Features
The following features are supported:
- Push New Users. New users created through Okta can be created in Signal Sciences.
- Push Profile Updates. Updates made to the user’s profile through Okta can be pushed to Signal Sciences.
- Push User Deactivation and Reactivation. Deactivating the user or disabling the user’s access to the application through Okta will delete the user in the third party application. Reactivating the user in Okta will recreate the user.
Provisioning enables you to automatically synchronize user access to Signal Sciences sites as well as their role (such as an Owner or Admin).
Note: A user that is provisioned by Okta cannot be modified or deleted in Signal Sciences. All changes must happen inside of Okta.
Requirements and Preparation
- In your Signal Sciences account, enable Single Sign On to use Okta as your SSO provider.
- If you do not have one already, create a Signal Sciences application in Okta. Follow the instructions listed in the Okta Signal Sciences application, which provide specific configuration information.
- Create an API Access Token in Signal Sciences and store it in a secure location for use later in this guide.
Step-by-Step Configuration Instructions
Enter configuration information
In the Provisioning tab of the Signal Sciences Okta application, enable provisioning. Enter the following information:
- SCIM connector base URL:
Enter
https://dashboard.signalsciences.net/api/v0/corps/<corpname>/scim/v2where<corpname>is the “name” of your Corp.- Your
<corpname>is present in the address of your Signal Sciences console, such ashttps://dashboard.signalsciences.net/corps/<corpname>/overview. - Your
<corpname>can also be retrieved from the List Corps API endpoint.
- Your
- Unique identifier field for users: Select Email.
- Supported provisioning actions: Select Push New Users and Push Profile Updates.
- Authentication Mode: Select HTTP Header.
- Authorization: Generate a Bearer Token from the API Access Token you generated earlier. The Bearer Token is created by base64 encoding a string composed of the email address associated with your user, a colon, and the API Access Token you generated.
-
An example command for creating a Bearer Token in bash:
echo -n "user@example.com:c9e4bbc5-a5c4-19d3-b31f-691d8b2139fe" | base64 -
An example command for creating a Bearer Token in JavaScript:
btoa("<signal_sciences_email>:<signal_sciences_access_token>") = "YW5keUBleGFtcGxlY29ycC5jb206ZXhhbXBsZXRva2Vu"
-
Test configuration
Confirm your connection was configured correctly by clicking Test Connector Configuration. If everything is configured correctly, you will see “Signal Sciences was verified successfully!”:
Click Save to save this configuration and proceed.
Enable provisioning features
After the settings are saved, select Enable for the following under Provisioning to App:
- Create Users
- Update User Attributes
- Deactivate Users
Click Save to save these settings and proceed.
After enabling provisioning, you may see a message that unmapped attributes exist on the application. This will not prevent provisioning; however, if you wish to map Signal Sciences attributes to your base Okta user profile, you may do so by mapping the following attributes:
userTypeshould be mapped onto a string attribute that will represent the user’srole. The value of this must be a validrole:owner,admin,user, orobserver.entitlementsshould be mapped onto a string array attribute that will represent the user’ssites. This should be set to a string array representing the shortnames of sites the user should have access to, such aswww.example.com.
Assign a Group or User to the Application
The following instructions apply to assigning groups, though users will follow a nearly identical process.
- In the Signal Sciences Okta application, click on Assignments. The assignments menu page appears.
- From the Assign menu, select Assign to Groups. The group assignment menu page appears.
- Select a group of users to provision to Signal Sciences. A window appears requesting additional attributes.
- Select the Role for the assigned group. This can be one of owner, admin, user, or observer.
- Click Add Another to add a site. This is the “short name” of the site that appears in your Site settings.
- Click Save and Go Back
Note: Signal Sciences only accepts email addresses with letters that are lowercase. Email addresses with uppercase letters will result in erroneous behavior.
What happens to existing (SAML) users when Okta user provisioning is set up for the first time?
If an existing user has the same email address as a user being provisioned within Okta, the accounts will be consolidated. Users won’t have to be re-provisioned upon setup, but the new group assignments will override existing role and permissions.
User Management
User Updates
Updates to the group/user attributes will be synchronized to Signal Sciences including:
- The user’s real name
- The user’s assigned Signal Sciences role
- The user’s assigned Signal Sciences sites
Signal Sciences does not support updating the user’s email address, as it is the primary identifier for the user.
User Deletion
Signal Sciences users are removed via provisioning in a few ways:
- Remove the user from a group assigned to the Signal Sciences application
- Directly remove the user from the Signal Sciences application if they are directly assigned
- Deactivating the user in Okta
The user will be re-created if the user is reactivated or re-assigned to the Signal Sciences Okta application.
Troubleshooting
SCIM Provisioning was added to the Okta application in December 2020. If you have a Signal Sciences application in Okta that was created before December 2020, you may need to create a new Signal Sciences application in Okta in order to use SCIM provisioning.
If you have questions or difficulties with the Okta integration, reach out to our Support team for assistance.