The process requires admin access to both Venn and Okta.
In order to change the identity provider, a Venn engineer will need to assist with preparing your Venn instance for the change.
Currently, Venn only supports uni-directional syncing (Okta -> Venn), which means that users and groups should be created, modified, and deleted in Okta in order for the changes to appear in Venn.
Bi-directional syncing (creating, modifying, or deleting users in Venn to trigger changes in Okta) is NOT currently supported.
To set up Okta AD as your IDP:
- Log in to Okta with an account that has administrator permissions.
- Navigate to Menu > Applications > Applications.
- Click Create app integration to configure manually.
- Select SAML 2.0 as sign-in method and click Next.
- On the next page, enter “Venn” in the App name field, upload the file found here in the App logo (optional) field and click Next.
- On the following page, enter the following information (please replace {shortname} in the URLs below with the short company name for your Venn environment):
  - Single sign on URL: https://{shortname}.venn.com/sso/okta
  - Audience URI (SP Entity ID): https://{shortname}.venn.com/sso/okta
- Select I’m a software vendor. I’d like to integrate my app with Okta and click Finish. (You can safely disregard the button to Submit your app for review.)
- Select the General tab for the application.
- Click Edit for App Settings and select Enable SCIM provisioning and then click Save. (This will add a Provisioning tab to the Okta application to be used later.)
Venn will perform Steps 10-12 and provide the resulting token to enter in Step 13. The instructions are provided for clarity and future configuration, as needed.
Please skip to Step 13.
- Go to Venn > Company admin > Website and add the Okta webapp as IdP, then rename the website to “Okta as IdP”.
- Click Okta as IdP and click Edit Identity Provider… for Okta.
- Click Generate token and copy it.
- Navigate to the Provisioning tab for the Venn application.
- Click Edit for SCIM Connection. Configure with the information below.
  - SCIM connector base URL: https://login.venn.com/scim
  - Unique identifier field for users: userName
  - Check the box to enable Push new users
  - Check the box to enable Push Profile Updates
  - Authentication Mode: HTTP Header
  - Paste the token given by Venn personnel (from Step 12) in the Authorization field
- Click Test Connector Configuration
- Click Save.
- Keep the following attributes mapped under the Provisioning tab.
  - Username
  - Given name
  - Family name
  - Middle name
  - Primary email type
  - Primary phone
  - Primary phone type
  - All other Attributes can be removed from the mapping.

  | Attribute | Value |
  |---|---|
  | userName | Configured in Sign On settings |
  | givenName | user.firstName |
  | familyName | user.lastName |
  | middleName | user.middleName |
  | email | user.email |
  | emailType | (user.email != null && user.email != '') ? 'work' : '' |
  | primaryPhone | user.primaryPhone |
  | primaryPhoneType | (user.primaryPhone != null && user.primaryPhone != '') ? 'work' : '' |
- Navigate to the Provisioning tab and click Edit.
- In the Provisioning to App section, enable the following settings:
  - Create users
  - Update Users Attributes
  - Deactivate users
- Click Save.
- Go to Sign On tab for the Venn app.
- Click View Setup Instructions.
- Copy all IdP metadata and share with Venn personnel.
Venn personnel will import your metadata and configure the app on the Venn side appropriately. The instructions in Steps 24-25 are provided for clarity and future configuration, as needed.
- Go to Venn > Company admin > All Websites, select Okta and click Edit Identity Provider…
- Paste the IdP metadata from Step 23 into the IdP metadata field and click Save.