Okta SSO
Introduction
This document provides detailed steps on Amorphic Data (Amorphic) Platform - OKTA integration. Amorphic simplifies analytics for all users and teams by orchestrating and automating analytic pipelines & workflows across AWS services, infrastructure and analytic tools and platforms.
Okta is an enterprise-grade identity management service. With Okta, IT can manage access across any application, person or device, whether the people are employees, partners or customers, and whether the applications are in the cloud, on premises or on a mobile device. Okta "integrates" applications into its service for us, and we simply deploy these pre-integrated applications to our users as necessary. We can authenticate these users against our own user store (e.g. AWS Cognito User Pools, Active Directory or LDAP) or we can use Okta as the user store. In Amorphic Data Cloud, users and API calls are authenticated using Cognito. Amazon Cognito User Pools allow sign-in through a third party (federation), including through a SAML IdP such as Okta. Here we use Okta as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool.
Pre-requisites for Okta integration
Before we proceed with the process of Okta integration, we need the following pre-requisites:
- OKTA developer account — https://developer.okta.com/signup/
- Amorphic Application Deployed with Identity Provider option enabled
Steps to register Amorphic app with Okta
- Create Okta Application with SSO enabled
- Get App Federation Metadata Url & Login URL
- Update Amorphic with App Federation Metadata Url & Login URL in CMP
Create Okta Application with SSO enabled
Log in to a newly created OKTA developer account or an existing one.
After login, choose Applications from the left-hand side of the console and click on Create App Integration.
- Select SAML 2.0 in Create a new app integration and click Next.
- In the General Settings section, enter the "App name" and click "Next" as shown below.
- In the Configure SAML section:
  - Enter the "Single Sign on URL". Format of the Single Sign on URL:
    https://<cognito-domain>/saml2/idpresponse
  - Enter the "Audience URI (SP Entity ID)". Format of the Identifier (Entity ID):
    urn:amazon:cognito:sp:<cognito-userpool-id>
  - Cloudwick Support Team will provide both the cognito-userpool-id and cognito-domain values.
- In the Attribute Statements section, three attributes are required:
  - email
  - username
  - name
  Map each Name to the corresponding Value as shown below:
  - email to user.email
  - username to user.firstName
  - name to user.login
- Click "Next" and configure "Feedback". Click the "Finish" button.
- From the App front page, click on the "Assignment" tab and assign Okta users to the application just created.
- Copy the Metadata URL and SignOn URL from the App Sign On section.
Update Amorphic with credentials
- In the Amorphic CMP (Customer Management Portal), select the IDP provider as SAML and update the values:
  - IDP Server URL in CMP corresponds to the SignOn URL retrieved from Okta.
  - IDP Metadata URL corresponds to the Metadata URL from Okta.
- Once the values are added, click on Update IDP Details.
- This will take around 45-60 mins to get reflected in the login page.
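The steps above hand three kinds of values back and forth: the two SP values typed into Okta (Single Sign on URL and Audience URI), the attribute statements, and the Sign-On/Metadata URLs copied back into CMP. The following pre-flight script is an added example and is not code from the Amorphic or Cloudwick documentation; it derives the SP values from a Cognito domain and user pool id, flags attribute statements that are missing or mapped to the wrong field, and reads the Sign-On URL and signing certificate out of an Okta-style SAML federation metadata document. The domain, user pool id and metadata XML it uses are constructed placeholders, not a real tenant's values.

```python
"""Pre-flight check for the Okta -> Cognito SAML settings in the steps above.

Added example, not code from the Amorphic/Cloudwick documentation. Every
concrete value here (domain, user pool id, metadata XML) is a constructed
placeholder standing in for what Cloudwick Support and the Okta tenant provide.
"""
import re
import xml.etree.ElementTree as ET

# Hypothetical values standing in for those Cloudwick Support would provide.
COGNITO_DOMAIN = "example-amorphic.auth.us-east-1.amazoncognito.com"
COGNITO_USERPOOL_ID = "us-east-1_EXAMPLE01"

# Format sanity check only: "<region>_<alphanumeric suffix>".
_POOL_ID_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d+_[A-Za-z0-9]+$")

# Attribute Statements the page asks for (Okta Name -> Okta Value expression).
REQUIRED_ATTRIBUTES = {
    "email": "user.email",
    "username": "user.firstName",
    "name": "user.login",
}

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of what an Okta Metadata URL returns; not real metadata.
SAMPLE_IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/exkEXAMPLE/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def cognito_sp_settings(domain: str, pool_id: str) -> dict:
    """Values typed into Okta's 'Configure SAML' section for a Cognito user pool."""
    if not _POOL_ID_RE.match(pool_id):
        raise ValueError(f"unexpected Cognito user pool id: {pool_id!r}")
    host = domain.strip()
    if host.startswith("https://"):      # accept the domain with or without scheme
        host = host[len("https://"):]
    host = host.rstrip("/")
    return {
        "single_sign_on_url": f"https://{host}/saml2/idpresponse",
        "audience_uri": f"urn:amazon:cognito:sp:{pool_id}",
    }


def missing_attribute_statements(configured: dict) -> list:
    """Attribute names Amorphic needs that are absent or mapped to another field."""
    return sorted(name for name, value in REQUIRED_ATTRIBUTES.items()
                  if configured.get(name) != value)


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what Cognito reads from the Okta Metadata URL.

    The HTTP-POST SingleSignOnService Location is the Sign-On URL entered as
    'IDP Server URL' in CMP; the signing certificate is what Cognito uses to
    verify the signature on Okta's SAML responses.
    """
    ns = {"md": SAML_MD_NS, "ds": XMLDSIG_NS}
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", ns)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    post_endpoints = [e.get("Location") for e in idp.findall("md:SingleSignOnService", ns)
                      if e.get("Binding") == HTTP_POST_BINDING]
    if len(post_endpoints) != 1:
        raise ValueError("expected exactly one HTTP-POST SingleSignOnService")
    # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
    signing_certs = [kd for kd in idp.findall("md:KeyDescriptor", ns)
                     if kd.get("use", "signing") == "signing"
                     and kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns) is not None]
    if not signing_certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"),
            "sign_on_url": post_endpoints[0],
            "signing_certs": len(signing_certs)}


def check_okta_setup(domain, pool_id, attribute_statements, metadata_xml) -> dict:
    """One report a practitioner can compare against the Okta and CMP screens."""
    report = cognito_sp_settings(domain, pool_id)
    report["missing_attributes"] = missing_attribute_statements(attribute_statements)
    report.update(parse_idp_metadata(metadata_xml))
    return report


if __name__ == "__main__":
    for key, value in check_okta_setup(COGNITO_DOMAIN, COGNITO_USERPOOL_ID,
                                       REQUIRED_ATTRIBUTES, SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

Run it once before opening a support ticket: an empty `missing_attributes` list and a single HTTP-POST Sign-On URL are the two things that most often go wrong when a user can authenticate at Okta but is not registered in Amorphic afterwards.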
Frequently asked questions (FAQ)
1. Why is attribute mapping required?
a. When integrating with Okta and Cognito, Amorphic requires attributes such as username, name and email from Okta to successfully register the user.