Configuring Okta as an Authentication Provider

This article describes integrating Okta with ShareDo for user authentication and provisioning. To integrate ShareDo with Okta, you must complete several tasks:

  • Create a new app integration in Okta so that ShareDo can use Okta for authentication
  • Configure ShareDo to use Okta as an OpenID Connect (OIDC) authentication provider
  • Enable automatic user provisioning using SCIM in both Okta and ShareDo

Configuring Okta OIDC App for Login

  1. In Okta, go to Applications > Create App Integration.
  2. Select OIDC - OpenID Connect as the sign-in method and Web Application as the application type.
  3. Enter the App integration name, the Sign-in redirect URIs and the Sign-out redirect URIs for your ShareDo instance (see the note on URI format below).
  4. Click Save.
  5. In the General tab, copy the Client ID; you will enter it in ShareDo later.
  6. Click Edit in the General Settings box.
  7. Change Login initiated by to Either Okta or App.
  8. Tick Display application icon to users.
  9. Set Initiate login URI to the relevant URI.

A note on URI format

In Okta configuration, URIs should follow standard URL format, start with https://, and be absolute. Redirect URIs (also known as reply URLs or callback URLs) in particular must be absolute and must match what the application sends exactly: Okta compares the redirect_uri in the authorization request character for character (scheme, host, port and path) against the list you registered, and rejects the request if there is no exact match.

  • Absolute URLs:
    Redirect URIs must include the protocol (https://), the host name and the path.
  • Valid URL Format:
    The URI must be a valid URL that a browser can navigate to.
  • Sign-in Redirect URI:
    Where Okta sends the user, together with the authorization response, after successful authentication.
  • Sign-out Redirect URI:
    Where Okta sends the user after logging out.
  • Initiate Login URI:
    Used when the login flow is started from Okta (for example from the user's Okta dashboard) rather than from the application.
  • Example:
    For a web application using OIDC, a typical sign-in redirect URI looks like: https://your-app.sharedo.co.uk/
    If Okta reports a redirect URI mismatch, compare the redirect_uri parameter in the browser's address bar with the registered value; the two must be identical.
 

Configuring ShareDo for Authentication with Okta

Add an OpenID Provider to ShareDo for authentication.

  1. Navigate to Admin > Integrations > Manage Identity Server.
  2. Click Add Provider > Add OpenID Provider, and complete the required fields in the System and Display Settings sections.

    Note: The Display order sets where on the list of login methods to put this one. 0 indicates the top of the list.
  3. Then in the OpenId Settings section:
  • OpenID Authority: Enter the issuer URL of your Okta org, which is your Okta domain with no path, for example https://your-okta-domain.okta.com. If you start from Okta's authorization endpoint (https://your-okta-domain.okta.com/oauth2/v1/authorize), remove everything after the domain. The authority is where the OIDC discovery document is read from, so you can confirm the value by opening https://your-okta-domain.okta.com/.well-known/openid-configuration in a browser and checking that its issuer field equals what you entered.
  • OpenID Client ID: Enter the Client ID from the General tab of the Okta app integration.
  • OpenID Post Logout URL: Set this to your ShareDo instance URL (e.g. https://customer.sharedo.co.uk).
    If you're using seamless authentication with Okta:
    • Set the post logout URL to https://[your-tenant]/security/signedOut
    • This avoids auto re-login behaviour when users try to sign out: with the instance root as the post-logout URL and Okta as the only login method, the user would be sent straight back into the login flow.
  4. In the Advanced Settings section, specify the identity claim matching logic.
  • Use a comma-separated list to define the claim ShareDo uses to match the authenticated user to a ShareDo user record, with fallbacks (e.g. upn, email). The claims are tried in order of precedence: with "upn, email", ShareDo matches on upn first and, if that claim is absent from the token, on email. Check which claims Okta actually includes in the ID token for your app (Okta issues email and preferred_username by default, but upn only if you add it as a custom claim), and match on a claim the user cannot edit themselves, since whoever controls its value controls which ShareDo user record they sign in as.
  5. Finally, click Save. ShareDo will prompt to restart the identity server. Click Yes.
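The values entered in the OpenID provider form (and the URI rules from the note above) can be sanity-checked before restarting the identity server. The helpers below are an added example written for this article, not ShareDo or Okta code; the Okta domain, ShareDo host and the sample ID-token claims are constructed, and the identity-claim fallback mirrors the comma-separated setting described in step 4.

```python
"""Added example (not ShareDo or Okta code): sanity checks for the values
entered in the ShareDo OpenID provider form. Hosts, URIs and the sample
ID-token claims below are constructed for illustration."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def authority_from_endpoint(url: str) -> str:
    """Derive the OpenID Authority from an Okta org authorization endpoint.

    For the Okta org authorization server the issuer is scheme + host only:
    https://dev-123456.okta.com/oauth2/v1/authorize -> https://dev-123456.okta.com
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"authority must be an absolute https URL: {url!r}")
    return urlunsplit(("https", parts.netloc, "", "", ""))


def discovery_url(authority: str) -> str:
    """Where an OIDC client reads the provider metadata. Open it in a browser
    and confirm the 'issuer' field equals the authority you entered."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def is_valid_redirect_uri(uri: str) -> bool:
    """Okta registers redirect URIs as absolute https URLs and matches them
    exactly, so a relative path, plain http, or a URI fragment will not work."""
    parts = urlsplit(uri)
    return parts.scheme == "https" and bool(parts.netloc) and not parts.fragment


def post_logout_url(sharedo_url: str, seamless: bool) -> str:
    """Instance root normally; the signedOut page when Okta is the only login
    method, so that signing out does not immediately re-enter the login flow."""
    base = sharedo_url.rstrip("/")
    return f"{base}/security/signedOut" if seamless else base


def resolve_identity_claim(claims: Dict[str, str], setting: str) -> Optional[Tuple[str, str]]:
    """Ordered fallback as in ShareDo's Advanced Settings: 'upn, email' tries
    upn first and falls back to email. Returns (claim, value) or None."""
    for name in (c.strip() for c in setting.split(",")):
        if name and claims.get(name):
            return name, claims[name]
    return None


if __name__ == "__main__":
    # Constructed claim set shaped like a default Okta ID token: no 'upn' claim.
    okta_claims = {"sub": "00u1abc2def3ghi4j5k6", "email": "jane.doe@example.com",
                   "preferred_username": "jane.doe@example.com"}
    print(authority_from_endpoint("https://dev-123456.okta.com/oauth2/v1/authorize"))
    print(discovery_url("https://dev-123456.okta.com"))
    print(resolve_identity_claim(okta_claims, "upn, email"))  # falls back to email
    print(resolve_identity_claim(okta_claims, "upn"))         # None: user cannot be matched
```

The last two calls show the point of the fallback: a setting of just "upn" against a default Okta token matches nothing, so the user cannot be mapped to a ShareDo record, while "upn, email" resolves on email.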

Testing Authentication

To test authentication, the user must exist in Okta and be assigned to the Okta app integration, and a matching user record must exist in ShareDo.

  1. In ShareDo, navigate to Admin Portal > Users > All.
  2. Create a new user or edit an existing one.
    Note that users can be automatically provisioned from Okta. This is discussed in the following section.
  3. On the User Account blade:
    1. Set Active to Yes.
    2. Set Identity Provider to the Okta provider you configured.
    3. Set Identity Claim to the value of the user's UPN or email address, matching the claim configured in the advanced settings.

Test the integration by logging in to your ShareDo instance and selecting the login button for the Okta provider. Once this works, you can plan to disable Forms Authentication for ShareDo. Before you do, confirm that at least one administrator can sign in through Okta, because forms authentication is the fallback if the Okta integration stops working. If Okta is the only login mechanism available, users will not see the login screen; they will be logged in seamlessly.

Enabling Okta User Provisioning in ShareDo with SCIM

Complete the authentication setup before starting SCIM configuration.

 

Automatically provisioning Okta users to ShareDo

ShareDo supports the SCIM API and can be configured to accept provisioning requests from Okta.

The following sections provide a guide on configuring ShareDo for the automated provisioning of users and teams.

Step 1: Register a SCIM Client App in ShareDo

  1. Navigate to Admin > Integrations > Manage Identity Server.
  2. Click Add App > Add Client Credentials Application.
    Enter the following:
    1. Client Name (e.g. [Client] SCIM).
    2. Client ID (e.g. [Client]SCIM).
    3. Client Secret (use the randomise option if needed).
    4. Set a long-lived access token lifetime (e.g. 5 years).
    5. Save the app.
  3. Reopen the app if you closed it, and generate a Bearer Token by clicking Create a new access token. You will need to provide this when configuring Okta. Treat the token as a credential: it authorises every provisioning call to ShareDo for its whole lifetime, so store it only in Okta's provisioning configuration and replace it (generate a new token and update Okta) if it is ever exposed.

Step 2: Enable SCIM Feature in ShareDo

To enable SCIM in ShareDo, navigate to Modeller > Global Features and search for SCIM. Enable it and click the cog to configure it.

  1. Add a provider and configure SCIM users by entering the following details:
    1. Identity Provider: Select the Identity Provider (e.g. Okta) that will provide users to ShareDo.
    2. Default User Type: Users created from your identity provider are assigned this ShareDo user type unless Okta supplies a userType attribute that you have mapped. It is common to give provisioned users a low-privilege user type by default and raise their privileges afterwards.
    3. Manager Connection: Some identity providers maintain an organisation's hierarchy and reporting line. This can be replicated in ShareDo, provided the managers are also synchronised to ShareDo.

Step 3: (Optional) Configure Group to Team Mapping 

Where groups serve as containers in the identity provider, those groups become teams in ShareDo. Permissions can be assigned to these teams, so that users within them receive a basic set of ShareDo permissions.

Alternatively, users can be assigned specific user types during provisioning or through manual action. By assigning users to specific types, they are added to teams that in turn have the appropriate permissions.

  • New Teams Organisation: Teams must be part of organisations. It is most common for teams to be associated with your Organisation record.
  • New Team ODS Type: Teams may also have their own 'type'. ShareDo team types can be used for access control (ACL) or task allocation (POD). Okta groups can become teams within ShareDo, which are then used for task allocation or access control.

Configuring SCIM in Okta

  1. Log in to Okta with an admin account and navigate to Okta Admin > Applications > Applications > Browse App Catalog.
  2. Search for the SCIM 2.0 Test App (OAuth Bearer Token) integration and add it.
  3. Enter a descriptive name for the Application label. Tick Do not display application icon to users.

    This app handles provisioning only; SSO is handled by the separate OIDC app created earlier. Scroll down and click Done.
  4. Click the Provisioning tab, then click Configure API Integration.
  5. Click Enable API Integration and enter the SCIM 2.0 Base URL. The Base URL is: https://{ShareDo-url}/api/scim/{identity-provider}
    Paste the OAuth Bearer Token generated in ShareDo during the Add Client Credentials Application step.
    Click Test API Credentials to confirm that Okta can reach ShareDo and that the token is accepted. A failure here is typically a wrong base URL or a token that was not copied in full.
  6. Back in the Provisioning tab, click To App on the left. Click Edit next to Provisioning to App, enable the features you want (e.g. Create Users, Update User Attributes, Deactivate Users), then click Save.
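To see what the Okta side sends once provisioning is enabled, and what the ShareDo side has to enforce on the bearer token, the following is a minimal in-memory SCIM 2.0 receiver. It is an added example written for this article and is not ShareDo's SCIM implementation or Okta's connector; the base URL, token, default user type and request bodies are constructed, and the assumption that Test API Credentials probes the Users collection is noted in the code.

```python
"""Added example (not ShareDo's SCIM endpoint or Okta's connector): an
in-memory SCIM 2.0 receiver showing the bearer check and the create /
deactivate requests Okta issues. All values are constructed."""
import hmac
from typing import Dict, Optional, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE = {"userName", "externalId", "active", "userType"}  # attributes a PATCH may change


def scim_base_url(sharedo_url: str, provider: str) -> str:
    """Base URL entered in Okta: https://{ShareDo-url}/api/scim/{identity-provider}."""
    return f"{sharedo_url.rstrip('/')}/api/scim/{provider}"


def _error(status: int, detail: str, scim_type: Optional[str] = None) -> Tuple[int, dict]:
    body = {"schemas": [SCIM_ERROR], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimReceiver:
    """Stand-in for the ShareDo side (constructed, not ShareDo's code)."""

    def __init__(self, bearer_token: str, default_user_type: str) -> None:
        self._token = bearer_token
        self.default_user_type = default_user_type
        self.users: Dict[str, dict] = {}
        self._next_id = 1

    def _authorised(self, headers: dict) -> bool:
        scheme, _, presented = headers.get("Authorization", "").partition(" ")
        # The long-lived token is the only credential guarding provisioning:
        # compare it in constant time and never write it to logs.
        return scheme == "Bearer" and hmac.compare_digest(presented, self._token)

    def handle(self, method: str, path: str, headers: dict,
               body: Optional[dict] = None) -> Tuple[int, dict]:
        if not self._authorised(headers):
            return _error(401, "invalid or missing bearer token")
        if method == "GET" and path == "/Users":
            # Assumption: Okta's Test API Credentials probes the Users collection.
            return 200, {"schemas": [SCIM_LIST], "totalResults": len(self.users),
                         "Resources": list(self.users.values())}
        if method == "POST" and path == "/Users":
            return self._create(body or {})
        if method == "PATCH" and path.startswith("/Users/"):
            return self._patch(path[len("/Users/"):], body or {})
        return _error(404, f"no route for {method} {path}")

    def _create(self, user: dict) -> Tuple[int, dict]:
        if SCIM_USER not in user.get("schemas", []) or not user.get("userName"):
            return _error(400, "schemas must include the SCIM User schema and userName is required",
                          "invalidValue")
        if any(u["userName"].lower() == user["userName"].lower() for u in self.users.values()):
            return _error(409, "userName already exists", "uniqueness")
        record = {
            "schemas": [SCIM_USER],
            "id": str(self._next_id),
            "externalId": user.get("externalId"),
            "userName": user["userName"],
            "active": bool(user.get("active", True)),
            # Default User Type applies unless Okta maps a userType attribute.
            "userType": user.get("userType") or self.default_user_type,
        }
        self._next_id += 1
        self.users[record["id"]] = record
        return 201, record

    def _patch(self, user_id: str, patch: dict) -> Tuple[int, dict]:
        record = self.users.get(user_id)
        if record is None:
            return _error(404, "user not found")
        for op in patch.get("Operations", []):
            if op.get("op", "").lower() != "replace":
                continue
            # Okta's deactivate uses the value-object form {"value": {"active": false}};
            # the path form {"path": "active", "value": false} is accepted as well.
            if "path" in op:
                changes = {op["path"]: op["value"]}
            else:
                changes = dict(op.get("value", {}))
            # Only whitelisted attributes may change; id and schemas stay fixed.
            record.update({k: v for k, v in changes.items() if k in MUTABLE})
        return 200, record


if __name__ == "__main__":
    receiver = ScimReceiver("constructed-bearer-token", "Standard User")
    ok = {"Authorization": "Bearer constructed-bearer-token"}
    print(receiver.handle("GET", "/Users", {"Authorization": "Bearer wrong"})[0])  # 401
    status, created = receiver.handle("POST", "/Users", ok, {
        "schemas": [SCIM_USER], "userName": "jane.doe@example.com", "externalId": "00u1abc"})
    print(status, created["userType"])  # 201 Standard User
    print(receiver.handle("PATCH", f"/Users/{created['id']}", ok,
                          {"Operations": [{"op": "replace", "value": {"active": False}}]})[1]["active"])
```

Two points worth noticing: the receiver answers 401 before looking at anything else, which is what makes the long-lived token the single thing to protect, and the deactivate path only ever flips attributes in the whitelist, so a malformed or hostile PATCH cannot rewrite a record's id or schema.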

Okta is now configured as an authentication and provisioning provider for ShareDo.