Okta SSO

Overview

Oort’s platform can leverage your Okta instance for authentication into the Oort console. This allows you to fully manage administrator and role-based access (RBAC) to the Oort Dashboard. Okta integration with Oort is set up using OpenID Connect (OIDC.)

Okta Integration Network

In order to enable SSO using the Okta Integration Network (OIN), please see these instructions.

Role-based Access Controls (RBAC)

For more information on RBAC functionality within the Oort platform, please see this article.

RBAC configuration is not required for Okta SSO. It is optional, but this article includes instructions on the Okta configuration to support it.

Okta Integration

Okta SSO integration will be set up with an OpenID Connect style application. The application will be configured in Okta and then assigned to users in the Okta directory.

Permission requirements for setting up Oort Dashboard SSO integration with Okta

To add the necessary configuration in Okta, you need to be one of the following:

• Super Administrator

• Organization Administrator

• Application Administrator

High Level Setup Steps

These are the steps you need to go through to set up your SSO auth between Okta and CII.

1. Add OIDC web application in Okta. The callback URL will be specific to the deployment of your CII tenant: US production tenants: https://login.oort.io/login/callback EU production tenants: ​https://login.eu.oort.io/login/callback AU production tenants: ​ https://login.au.oort.io/login/callback JP production tenants: ​ https://login.jp.oort.io/login/callback UK production tenants: ​ https://login.uk.oort.io/login/callback Canada production tenants: ​ https://login.ca.oort.io/login/callback Singapore production tenants: ​ https://login.sg.oort.io/login/callback

2. Add the Groups claim configuration to the OIDC Token in the app you created, in order to support RBAC functionality (optional)

3. Enter the ClientID, Client Secret, and Okta tenant OIDC discovery URL to the Duo admin panel configuration (step 3) for your CII tenant under the Duo Monitoring section

4. Assign application to users

5. Create an Okta bookmark app for your users

Add Application to Okta

1. Go to Applications -> Applications, and click on Create App Integration.

2. Please fill in the new app integration wizard as follows:

   1. Sign-in Method - OIDC - OpenID Connect

   2. Application Type - Web Application

   3. Click Next

3. On the New Web App Integration page, complete the following:

   1. App integration name = CII Dashboard (or desired app name)

   2. Optionally, you can upload a logo. Feel free to use this one:

1. Grant type = Authorization Code

   1. Sign-in redirect URIs are dependent on the CII environment in which your tenant resides. Ask your Duo representative if you're unsure which one to use. US production tenants: https://login.oort.io/login/callback EU production tenants: ​https://login.eu.oort.io/login/callback AU production tenants: ​ https://login.au.oort.io/login/callback JP production tenants: ​ https://login.jp.oort.io/login/callback UK production tenants: ​ https://login.uk.oort.io/login/callback Canada production tenants: ​ https://login.ca.oort.io/login/callback Singapore production tenants: ​ https://login.sg.oort.io/login/callback

2. Sign-out redirect URIs = can be any URL desired, such as the Okta portal or your company portal

3. Assignments - add users or groups that will have access to the application here. Alternatively, if intending to use RBAC, then create groups for each role (admin, help desk, read-only) as outlined in the RBAC article.

4. Click Save

Remediation Actions and RBAC Configuration

To support RBAC and associated Triaging Alerts and Remediation Actions, the OIDC app created in Okta must be configured to pass the Groups claim in the OIDC token, with a specific filter.

First, make sure that you have created the groups in Okta (or on-prem AD, if sync'ing from on-prem AD) that will map to the roles available in Oort:

• Oort full admin

• Oort Help desk / Support

• Oort Read only

NOTE: If using the Groups claim filter as shown below (contains "Oort"), then make sure the group names contain the required string. The token returned by Okta must contain less than 40 groups or it will be rejected.

1. From the Sign On tab in the application, click Edit in the OpenID Connect ID Token section

2. Add a Groups claim filter as shown below, such at the group name contains Oort

3. Click Save

Provide ClientID and Client Secret to Oort

Next, you will provide the Client ID and Client secret to Oort.

You will now be on the configured application screen. On this screen, you will provide the Client ID and Client secret to Oort for setup in Oort’s backend.

• Client ID

• Client secret

• Okta Issuer URL - this will be in the format of https://{yourOktaOrg}/.well-known/openid-configuration. Oort does not require a custom Authorization server, unless one is required on the customer Okta tenant for some reason. See this Okta article for more information.

Assign application to users

If you did not assign the Oort Dashboard app to users during the app setup process, please assign the Oort Dashboard app to the appropriate users.

Assign app to user:

1. Go to Directory...People

2. Click on Username that you would like to assign the app to

3. Click on Assign Applications

4. Select the Oort Dashboard and click Done

Add an Okta Bookmark App for Your Users

Oort strongly recommends creating a corresponding bookmark app in Okta for your Oort users to have quick access to the Oort console from their Okta dashboard. Please see instructions here.

The Oort Customer Success or Support team will provide you with a specific URL for your tenant and SSO connection string. This will have the form of -

• Production: https://dashboard.oort.io/go?org=\[tenantUID]&connection=\[connectionString]