Okta SSO
Introduction
This document provides detailed steps on Amorphic Data (Amorphic) Platform - OKTA integration. Amorphic simplifies analytics for all users and teams by orchestrating and automating analytic pipelines & workflows across AWS services, infrastructure and analytic tools and platforms.
Okta is an enterprise grade identity management service. With Okta IT can manage access across any application, person or device. Okta seamlessly integrates applications into its service for us, whether these applications are used by employees, partners, or customers, and regardless of whether they are in the cloud, on-premises, or on a mobile device. We can easily deploy these pre-integrated applications to our users as needed. We can authenticate these users against our own user store (e.g. AWS Cognito User Pools, Active Directory or LDAP) or we can use Okta as the user store. In Amorphic Data Cloud, Users/API calls get authenticated using Cognito. Amazon Cognito User Pools allow sign-in through a third party (federation), including through a SAML IdP such as Okta. Here we use Okta as a Security Assertion Markup Language 2.0 (SAML 2.0) identity provider (IdP) with an Amazon Cognito user pool.
Amorphic username convention
Due to the variety of systems Amorphic integrates with, Amorphic requires strict rules to be enforced for its usernames. Failure to follow the required rules may lead to Amorphic users not being able to login as intended. These rules required for Amorphic are conventional rules required for AD integration from other systems, and follow best practices.
The requirement for the usernames are as follows:
- The usernames must be unique for different users
- Usernames are integrated with access to datasets and resources, and as such cannot change
- Should only start with a letter in lowercase, cannot be started with a number
- Should be only alphanumeric, no special characters are permitted
- Should use only lowercase alphabets
- Should have a minimum of 3 characters and should not exceed 20 characters
It should be noted that any and all transformations used to convert the username in the SSO provider to the Amorphic username should produce a username compliant with the Amorphic username convention specified above. For eg; if you have John_Doe@email.com and the transformation gives it as John or John_Doe, it is not compliant as it violates the first and last rules, and it would be best to be something like johndoe. If you have such IDs, it is recommended to create new field with an Amorphic compliant username format, and to use that as an Amoprhic username.
Pre-requisites for Okta integration
Before we proceed with the process of Okta integration, we need the following pre-requisites:
- OKTA developer account — https://developer.okta.com/signup/
- Amorphic Application Deployed with Identity Provider option enabled
Steps to register Amorphic app with Okta
- Create Okta Application with SSO enabled
- Get App Federation Metadata Url & Login URL
- Update Amorphic with App Federation Metadata Url & Login URL in CMP
Create Okta Application with SSO enabled
Login into a newly created OKTA developer account or an existing account.
After login, from console choose Applications from left side and click on Create App Integration
- Select SAML 2.0 in Create a new app integration and click next:
- In general settings section enter the "App name" and click "Next" as shown below:
- In Configure SAML section:
Enter the "Single Sign on URL".
Format of Single Sign on URL:
https://<cognito-domain>/saml2/idpresponseEnter "Audience URI (SP Entity ID)" :
Format of Identifier Entity Id:
urn:amazon:cognito:sp:<cognito-userpool-id>
Cloudwick Support Team will provide both cognito-userpool-id and cognito-domain values.
- In Attribute Statements section, 3 attributes are important
- name
- username
Map the Names to corresponding values as shown below:
email to user.email
username to user.firstName and
name to user.login
It is very important to note that the mappings, once created and users are logged in, should not be modified later on as that may introduce issues downstream.
- Click "Next" and configure "Feedback". Click the "Finish" button.
- From the App front page, click on "Assignment" tab and assign okta users to the application just created.
- Copy the Metadata URL and SignOn URL from the App Sign On section
Update Amorphic with credentials
- In Amorphic CMP (customer management portal), select IDP provider as SAML and update the values.
IDP Server URLin cmp corresponds toSignOn URLretrieved from OktaIDP Metadata URLcorresponds toMetadata URLfrom Okta
Once the values are added, click on Update IDP Details.
This will take around 45-60 mins to get reflected in the login page.
Frequently asked questions (FAQ)
1. Why is attribute mapping required?
a. When integrating with okta and cognito, Amorphic requires attributes such as username, name and email from okta to successfully register user.
2. What happens if any configuration changes at Identity Provider end?
a. When Identity Provider configuration like Certificate, etc changes, Cloudwick support team must re-import the saml metadata file in AWS Cognito Console.