SSO Okta

Locktera SSO Integration with Okta

This guide provides step-by-step instructions for integrating Locktera with Okta to enable Single Sign-On (SSO) and automated user provisioning using the SCIM (System for Cross-domain Identity Management) protocol. This integration allows organizations to synchronize and manage user accounts in Locktera directly through Okta, simplifying access management.

Table of Contents

  1. Prerequisites

  2. Integration Overview

  3. Step-by-Step Integration Process

    1. Step 1: Add Locktera as an Application in Okta

    2. Step 2: Configure SSO for Locktera

    3. Step 3: Enable SCIM Provisioning in Locktera

    4. Step 4: Configure SCIM Provisioning in Okta

  4. Testing the Integration

  5. Troubleshooting

  6. FAQs

Prerequisites

Before starting the integration, ensure the following prerequisites are met:

  • You have an Okta administrator account with access to manage applications and provisioning.

  • You have a Locktera account with administrative access to configure integrations.

  • SCIM provisioning is available in your Locktera subscription.

  • Your Okta environment has Universal Directory and SCIM provisioning enabled.

Integration Overview

This integration enables two key functionalities:

  1. Single Sign-On (SSO): Users can securely authenticate to Locktera using their Okta credentials.

  2. User Provisioning (SCIM): Okta can automatically provision, update, and deactivate users in Locktera using the SCIM protocol, ensuring that user data is kept in sync across systems.

Step-by-Step Integration Process

Step 1: Add Locktera as an Application in Okta
  1. Log in to the Okta Admin Console.

  2. In the Applications section, click Applications from the sidebar and then click Browse App Catalog.

  3. Search for Locktera in the Okta application catalog.

  4. If Locktera is available in the catalog, select it. Otherwise, click Create App Integration to set it up manually.

  5. For a manual setup, choose SAML 2.0 as the Sign-On method.

  6. Click Next to begin configuring SSO for Locktera.

Step 2: Configure SSO for Locktera
  1. In the General Settings for the application, provide the following information:

    • App name: Name the app (e.g., "Locktera").

    • App logo: (Optional) Upload a Locktera logo for easier identification.

  2. In the SAML Settings, configure the following fields based on Locktera’s SSO requirements:

    • Single Sign-On URL: Enter the URL provided by Locktera for SAML login (e.g., https://locktera.com/saml/acs).

    • Audience URI (SP Entity ID): Use the Entity ID provided by Locktera (e.g., https://locktera.com/saml/metadata).

    • Name ID Format: Set to EmailAddress or Unspecified, depending on Locktera’s SAML configuration.

    • Application username: Set to Email, Okta username, or Custom, based on how Locktera identifies users.

  3. In the Attribute Statements, map user attributes from Okta to Locktera. For example:

    • NameID → user.email

    • firstName → user.firstName

    • lastName → user.lastName

  4. Download the Okta Identity Provider Metadata XML. You will need to upload this in Locktera’s admin portal later.

  5. Complete the configuration and click Finish.

Step 3: Enable SCIM Provisioning in Locktera
  1. Log in to the Locktera Admin Portal.

  2. Navigate to Settings > Integrations and locate the SCIM provisioning section.

  3. Enable SCIM provisioning and obtain the following details:

    • SCIM Base URL: The endpoint where Locktera accepts SCIM requests (e.g., https://locktera.com/scim/v2).

    • SCIM Bearer Token: The authentication token used to allow Okta to communicate with Locktera.

  4. Save these details for configuring Okta provisioning.

Step 4: Configure SCIM Provisioning in Okta
  1. In the Okta Admin Console, go to the Locktera application that you just created.

  2. Navigate to the Provisioning tab and click Configure API Integration.

  3. Enable SCIM provisioning by selecting Enable API Integration.

  4. Enter the SCIM Base URL and Bearer Token obtained from Locktera.

  5. Click Test API Credentials to ensure Okta can successfully connect to Locktera.

  6. Once the connection is verified, enable the following features (based on your organization's needs):

    • Create Users: Automatically create users in Locktera when they are assigned to the app in Okta.

    • Update User Attributes: Synchronize any updates to user attributes from Okta to Locktera.

    • Deactivate Users: Automatically disable or remove users from Locktera when they are unassigned in Okta.

  7. Under Mappings, review and customize the default mappings for user attributes. You can map Okta attributes like email, firstName, lastName, etc., to the corresponding SCIM attributes in Locktera.

  8. Save the configuration and activate Provisioning.
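The requests behind Steps 3 and 4, as an added example (not Locktera's or Okta's own code): it builds, without sending, the standard SCIM 2.0 (RFC 7643/7644) calls for a credential probe, user creation and deactivation. The base URL is the example value from Step 3; the LOCKTERA_SCIM_TOKEN variable name, the sample profile and the SCIM id are assumptions, and Locktera's actual attribute support is not confirmed by this guide.

```python
import json
import os
import urllib.request

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_request(base_url, token, method, path, body=None):
    """Build (not send) a SCIM 2.0 request authenticated with the bearer token."""
    if not base_url.startswith("https://"):
        # The bearer token travels on every request, so refuse cleartext HTTP.
        raise ValueError("SCIM base URL must use HTTPS")
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/scim+json", "Accept": "application/scim+json"}
    return urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                  method=method, headers=headers)


def probe(base_url, token):
    """Read-only request that exercises both the base URL and the token."""
    return scim_request(base_url, token, "GET", "/Users?startIndex=1&count=1")


def create_user(base_url, token, profile):
    """Map Okta profile attributes (email, firstName, lastName) to a SCIM core User."""
    body = {
        "schemas": [USER_SCHEMA],
        "userName": profile["email"],
        "name": {"givenName": profile["firstName"], "familyName": profile["lastName"]},
        "emails": [{"value": profile["email"], "type": "work", "primary": True}],
        "active": True,
    }
    return scim_request(base_url, token, "POST", "/Users", body)


def deactivate_user(base_url, token, scim_id):
    """Deactivate without deleting: PATCH active=false on the user resource."""
    body = {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "value": {"active": False}}]}
    return scim_request(base_url, token, "PATCH", f"/Users/{scim_id}", body)


if __name__ == "__main__":
    # Read the token from the environment (hypothetical variable name); never print it.
    token = os.environ.get("LOCKTERA_SCIM_TOKEN", "constructed-token")
    base = "https://locktera.com/scim/v2"  # example value from Step 3
    profile = {"email": "alice@example.com", "firstName": "Alice", "lastName": "Ng"}
    for req in (probe(base, token), create_user(base, token, profile)):
        print(req.get_method(), req.full_url)
```

To send one of these against a real tenant, pass the returned object to urllib.request.urlopen; a 401 response points at the token and a 404 at the base URL.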

Testing the Integration

Testing SSO
  1. Assign a user or group to the Locktera app in Okta.

  2. In the Okta dashboard, sign in as the assigned user.

  3. Click the Locktera app icon in the Okta My Apps dashboard.

  4. Verify that the user is seamlessly signed in to Locktera without needing to re-enter credentials.

Testing SCIM Provisioning
  1. In the Okta Admin Console, assign additional users or groups to the Locktera app.

  2. Verify that the users are automatically created in the Locktera admin portal.

  3. Update a user’s attributes in Okta (e.g., name or email) and confirm that the changes are reflected in Locktera.

  4. Unassign a user from the Locktera app in Okta, and verify that the user is deactivated or removed from Locktera.

Troubleshooting

  • SSO Errors: If users are unable to log in, double-check the SAML configuration in both Okta and Locktera. Ensure that the SSO URL, Audience URI, and NameID format match between the two platforms.

  • SCIM Provisioning Issues: If user provisioning fails, verify that the SCIM Base URL and Bearer Token are correct. Check the logs in both Okta and Locktera for any errors.

  • User Attribute Mismatch: Ensure that the attribute mappings in the Provisioning section align with Locktera’s user model. Missing or incorrect mappings can cause synchronization issues.
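For the SSO Errors item above, an added diagnostic example (not part of Locktera's or Okta's tooling): it parses a captured SAML response and reports which of the SSO URL, Audience URI and NameID format differ from what the service provider expects. The expected values are the example URLs from Step 2, and the sample response is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# What the SP expects: the example values from Step 2 (assumed to be Locktera's).
EXPECTED = {
    "acs_url": "https://locktera.com/saml/acs",
    "audience": "https://locktera.com/saml/metadata",
    "nameid_format": EMAIL_FMT,
}

# Constructed, unsigned, trimmed response; the Audience has a stray trailing slash.
SAMPLE_RESPONSE = f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://locktera.com/saml/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FMT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://locktera.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://locktera.com/saml/metadata/</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def find_mismatches(response_xml, expected=EXPECTED):
    """Return (field, expected, actual) for every value that differs.

    Diagnostic only: the signature is not verified, so this says nothing
    about whether a login is valid.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    audiences = [a.text.strip() for a in root.findall(".//saml:Audience", NS) if a.text]
    checks = [
        ("destination", expected["acs_url"], root.get("Destination")),
        ("recipient", expected["acs_url"], conf.get("Recipient") if conf is not None else None),
        ("nameid_format", expected["nameid_format"], name_id.get("Format") if name_id is not None else None),
    ]
    problems = [c for c in checks if c[1] != c[2]]
    # This check compares the Audience as an exact string: case and trailing slash count.
    if expected["audience"] not in audiences:
        problems.append(("audience", expected["audience"], audiences))
    return problems
```

A captured response is usually Base64-encoded in the SAMLResponse form field; decode it before passing it in, and treat it as sensitive because it carries user identifiers.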

FAQs

Q: Does Locktera support group-based provisioning via Okta?
A: Yes, Locktera supports group-based provisioning. You can assign Okta groups to Locktera roles or groups, and these will be synced automatically.

Q: How frequently does Okta synchronize user data with Locktera?
A: Okta’s provisioning feature runs automatically every 40 minutes. You can also initiate a manual sync if needed.

Q: Can I customize the SCIM attributes synchronized to Locktera?
A: Yes, you can customize attribute mappings in Okta's Provisioning settings. You can map Okta attributes like username, firstName, lastName, etc., to Locktera's SCIM attributes.

Conclusion

By integrating Locktera with Okta, you can streamline user authentication and provisioning, reducing administrative overhead and improving security. SSO provides a seamless login experience for users, while SCIM provisioning ensures that user data is always up-to-date across platforms.