Version: v2.7

Okta SSO

Introduction

This document provides detailed steps for integrating the Amorphic Data (Amorphic) Platform with Okta. Amorphic simplifies analytics for all users and teams by orchestrating and automating analytic pipelines and workflows across AWS services, infrastructure, and analytic tools and platforms.

Okta is an enterprise-grade identity management service. With Okta, IT can manage access across any application, person or device. Okta seamlessly integrates applications into its service, whether these applications are used by employees, partners, or customers, and regardless of whether they run in the cloud, on-premises, or on a mobile device. These pre-integrated applications can be deployed to users as needed. Users can be authenticated against an existing user store (e.g. AWS Cognito User Pools, Active Directory or LDAP), or Okta itself can serve as the user store. In Amorphic Data Cloud, users and API calls are authenticated using Cognito. Amazon Cognito User Pools allow sign-in through a third party (federation), including through a SAML IdP such as Okta. Here we use Okta as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool.

Amorphic username convention

Because Amorphic integrates with a variety of systems, it enforces strict rules for its usernames. Failure to follow these rules may prevent Amorphic users from logging in as intended. The rules are the conventional ones other systems require for AD integration, and they follow best practices.

The requirements for usernames are as follows:

  • The usernames must be unique for different users
  • Usernames are integrated with access to datasets and resources, and as such cannot change
  • Should not start with a number
  • Should be only alphanumeric, no special characters are permitted
  • Username can contain both lowercase and uppercase alphabets
  • Should have a minimum of 3 characters and should not exceed 20 characters
Info:

It should be noted that any and all transformations used to convert the username in the SSO provider to the Amorphic username should produce a username compliant with the Amorphic username convention specified above. For example, if you have a username like John_Doe@email.com and the transformation results in JohnDoe or JohnDoe123, this is compliant with the rules. However, if the transformation results in John_Doe or 123John, it would violate the rules (since special characters or starting with a number are not allowed). If you have such IDs, it is recommended to create a new field with an Amorphic compliant username format and use that as the Amorphic username.
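To check candidate transformations against the convention above, here is an added example (not part of the Amorphic documentation or product). The derive_username transformation is an assumption for illustration, not Amorphic's own mapping; the sample logins are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional, Set


def compliance_errors(username: str) -> List[str]:
    """Return every Amorphic convention rule the candidate violates (empty = compliant).
    Rules from this page: 3-20 characters, letters and digits only, no leading digit."""
    errors = []
    if not 3 <= len(username) <= 20:
        errors.append("length must be 3-20 characters")
    if not (username.isascii() and username.isalnum()):
        errors.append("only letters and digits are permitted")
    if username[:1].isdigit():
        errors.append("must not start with a number")
    return errors


def derive_username(sso_login: str) -> str:
    """Illustrative transformation (an assumption, not Amorphic's own mapping): keep the
    part before '@' of an email-style login and drop anything that is not a letter or digit."""
    local_part = sso_login.split("@", 1)[0]
    return re.sub(r"[^A-Za-z0-9]", "", local_part)


def check_batch(sso_logins: Iterable[str],
                existing: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Derive a username per SSO login and report violations, including collisions
    with usernames already registered (the uniqueness rule)."""
    taken = set(existing or ())
    report = {}
    for login in sso_logins:
        candidate = derive_username(login)
        errors = compliance_errors(candidate)
        if candidate in taken:
            errors.append(f"not unique: {candidate!r} already taken")
        taken.add(candidate)
        report[login] = errors
    return report


if __name__ == "__main__":
    # Constructed sample logins, including the page's John_Doe@email.com case
    for login, errors in check_batch(["John_Doe@email.com", "John.Doe@corp.example",
                                      "123John@email.com"]).items():
        print(login, "->", derive_username(login), errors or "OK")
```

Run the check over the full SSO directory before enabling the mapping, since a collision or a leading digit only surfaces at login time otherwise.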

Pre-requisites for Okta integration

Before we proceed with the process of Okta integration, we need the following pre-requisites:

  1. OKTA developer account — https://developer.okta.com/signup/
  2. Amorphic Application Deployed with Identity Provider option enabled

Steps to register Amorphic app with Okta

  • Create Okta Application with SSO enabled
  • Get App Federation Metadata Url & Login URL
  • Update Amorphic with App Federation Metadata Url & Login URL in CMP

Create Okta Application with SSO enabled

  • Log in to a newly created Okta developer account or an existing account.

  • After logging in, choose Applications from the left side of the console and click Create App Integration.


  • Select SAML 2.0 in Create a new app integration and click next:


  • In the General Settings section, enter the "App name" and click "Next":


  • In the Configure SAML section:
  1. Enter the "Single sign on URL".

    Format of Single Sign on URL: https://<cognito-domain>/saml2/idpresponse

  2. Enter the "Audience URI (SP Entity ID)":

    Format of Identifier Entity Id: urn:amazon:cognito:sp:<cognito-userpool-id>

The Cloudwick Support Team will provide both the cognito-userpool-id and cognito-domain values.


  3. In the Attribute Statements section, three attributes are important:
  • email: The email attribute is mapped to user.email, ensuring that users have a valid email address associated with their account for authentication and communication, streamlining the login process.
  • name: The name attribute is mapped to user.login, providing a clear and recognizable identifier for users within the Amorphic platform, enhancing user experience and support.
  • username: The username is mapped to user.firstName from Okta, transformed to ensure compliance with Amorphic's username conventions, which require uniqueness and restrict special characters and leading numbers.

Map the Names to the corresponding values as follows:

  • email to user.email
  • username to user.firstName
  • name to user.login

Info:

It is very important that the mappings, once created and once users have logged in, are not modified later, as that may introduce issues downstream.


  4. Click "Next", configure "Feedback", and click the "Finish" button.


  5. From the app's front page, click the "Assignment" tab and assign Okta users to the application you just created.


  6. Copy the Metadata URL and SignOn URL from the app's Sign On section.


Update Amorphic with credentials

  1. In the Amorphic CMP (customer management portal), select the IDP provider as SAML and update the values:
  • IDP Server URL in the CMP corresponds to the SignOn URL retrieved from Okta
  • IDP Metadata URL corresponds to the Metadata URL from Okta

Once the values are added, click Update IDP Details. It takes around 45-60 minutes for the change to be reflected on the login page.


Frequently asked questions (FAQ)

1. Why is attribute mapping required?

a. When integrating with Okta and Cognito, Amorphic requires the username, name and email attributes from Okta to successfully register a user.

2. What happens if the configuration changes at the Identity Provider end?

a. When Identity Provider configuration such as the signing certificate changes, the Cloudwick support team must re-import the SAML metadata file in the AWS Cognito console.