- 11 Sep 2024
Using Okta as your Identity Provider (IdP)
To set up federated authentication with Okta for Mambu, follow these steps: In Okta, create a new SAML 2.0 application for Mambu, configure the IdP settings, map the SAML attributes, and set up Okta role mapping. In Mambu, enable federated authentication, enter the IdP details (single sign-on endpoint, signing-certificate fingerprint and issuer ID), and test the SSO connection. Add and assign users and roles in Mambu and Okta, making sure that Okta group names are an exact match for Mambu role names. Create group-based role mappings in Okta so that the correct role, rather than the default "Everyone" group, is sent in the SAML assertion. Assign branch IDs to users in Okta by creating a custom attribute named "BranchID" and setting its attribute length, user permission, and source priority. Group-level assignment of branch IDs is possible for specific applications. For detailed instructions, refer to the linked pages.
Setting up federated authentication with Okta
If you are using Okta, you can find Mambu as an approved app within Okta. For the easiest setup, go to the Okta Integration Network and search for Mambu.
To set up federated authentication with Okta manually, follow the step-by-step guide below.
Setup in Okta
- Sign in to Okta with an admin account and navigate to Applications > Add Application > Create App Integration.
- Create a new SAML 2.0 application.
- Go to General Settings and enter an App name for the Okta SAML 2.0 application.
- In the Configure SAML tab select Show Advanced Settings.
When configuring the IdP, make sure the Mambu Service Provider (SP) URLs are entered correctly. Use the tenant hostname exactly as your users reach Mambu, because Okta posts the signed SAML response to the login URL you enter here:
- Login: https://TENANT_NAME.mambu.com/saml/login or https://TENANT_NAME.env.mambu.com/saml/login
- Logout: https://TENANT_NAME.mambu.com/saml/logout or https://TENANT_NAME.env.mambu.com/saml/logout
- Map the SAML attributes (used to display the user's first name, last name and username).
- Enter the Group Attribute Statements used for Mambu-Okta role mapping.
- In the Feedback tab, select the This is an internal app that we have created option and then select Finish.
- You will be redirected to the Sign On tab where SAML configuration settings can be accessed any time, by selecting View SAML Setup Instructions.
Make sure you have at least one user created and migrated into your IdP and that the user is assigned to the SAML app.
Setup in Mambu
- In Mambu, on the main menu, go to Administration > Access > Federated Authentication, select the Enable Single Sign-On check box and also select the Manual Settings option. Enter the Name you would like to use for your IdP.
- Enter the Single Sign-On Endpoint. Use the Identity Provider Single Sign-On URL from the Okta page "View SAML Setup Instructions".
- Enter the Certificate Fingerprint. Download the X.509 certificate from the same Okta page and compute the fingerprint with the following command:
openssl x509 -noout -fingerprint -sha256 -inform pem -in {/path/to/certificate-file.crt}
Remember to use the correct certificate name / path! The fingerprint pins the Okta signing certificate that Mambu will trust: a response signed with any other certificate is rejected, so if the Okta signing certificate is ever replaced, the fingerprint in Mambu has to be updated as well.
- For the Issuer ID, enter the Identity Provider Issuer from the Okta IdP.
- The ACS URL is optional. If filled in, it is mapped to the value of the Destination URL field on the Okta page "View SAML Setup Instructions".
- Select "Test SSO Connection" and enter the username and password of your Okta account. The connection should be successful; the next step is to select Save Changes. If you have any issues during the setup, please open a new topic on Mambu Community or contact our support team.
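The three values the Mambu form asks for (Issuer ID, Single Sign-On Endpoint and Certificate Fingerprint) are all present in the IdP metadata XML that Okta publishes for the app. The following script, an added example and not Mambu's or Okta's own code, pulls them out of that metadata and prints the fingerprint in the same AA:BB:CC form that the openssl command above produces, so the value can be copied into Mambu or checked against what is already configured. The metadata document embedded below is a constructed placeholder (the entityID, hostname and app identifier are invented, and the "certificate" is just the bytes "abc" encoded in base64); point parse_idp_metadata at the real metadata downloaded from Okta to get live values.

```python
"""Extract Mambu's federated-authentication settings from Okta IdP metadata.

Added example, not Mambu's or Okta's code. Standard library only, so it
runs offline against a saved metadata file.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample (not real Okta output): invented identifiers, and the
# X509Certificate element holds base64("abc") instead of a DER certificate.
SAMPLE_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0example">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/example/exk0example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/example/exk0example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes of the certificate, formatted like
    `openssl x509 -noout -fingerprint -sha256` (upper-case hex, colon separated)."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    """Return issuer, HTTP-POST SSO URL and the fingerprint of every signing cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == POST_BINDING:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint in metadata")
    if not sso_url.startswith("https://"):
        raise ValueError(f"refusing non-HTTPS SSO endpoint {sso_url!r}")

    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(sha256_fingerprint(cert.text))
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")

    return {"issuer": root.get("entityID"), "sso_url": sso_url, "fingerprints": fingerprints}


def fingerprint_matches(configured: str, observed: str) -> bool:
    """Compare a fingerprint typed into Mambu with one computed from metadata,
    ignoring case and colon/space separators; both must be 32 bytes of hex."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return len(norm(observed)) == 64 and norm(configured) == norm(observed)


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("Issuer ID:            ", info["issuer"])
    print("Single Sign-On URL:   ", info["sso_url"])
    for fp in info["fingerprints"]:
        print("Certificate Fingerprint:", fp)
```

Only KeyDescriptor elements marked for signing (or unmarked) are considered, because an encryption-only certificate must never be pinned as the signature trust anchor. If the metadata lists more than one signing certificate, each one is printed; the one Okta is currently signing with is the one to enter in Mambu.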
Add and assign users and respective roles
- Sign in to Okta as an admin, go to Directory > People, and select Add Person.
- Add values for the required fields: First name, Last name, Username, and Primary email.
- If the user already exists in Mambu, the username and email fields must have the same values as that user has in Mambu. Note that the username and email must be unique.
- To assign the Mambu SAML app to a user, open the user profile and select the Assign Applications tab. Then select the application and select Assign.
Add and assign Mambu Roles through Okta
- Sign in to Okta as an admin, go to Directory > Groups, and select Add Group. Add a name and a description.
- Make sure the group name in Okta is an exact match for the role name in Mambu, so that users inherit the Mambu role immediately after being assigned to the Okta group.
- Select the group name and select Add Members. Search for the user that should be assigned to that role/group.
Every time a user signs in, we go through the list of groups the user belongs to in Okta and look for an exact match with a Mambu role set up on your instance. The comparison is exact, so a group named "teller" or "Teller " (with a trailing space) does not match a role named "Teller". Please make sure every user has only one Mambu role/group assigned to them, because a user in several role groups has no single role to inherit.
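The lookup described above is simple enough to reproduce, and doing so before rollout catches the two mistakes this page warns about: a group name that is not an exact match, and a user in more than one role group. The script below is an added example and is not Mambu's code; the role names, usernames and group lists are constructed, and treating zero or several matches as an error (rather than whatever Mambu does in that case) is an assumption chosen to surface the problem to the administrator.

```python
"""Check Okta group membership against Mambu role names before go-live.

Added example, not Mambu's code. Sample roles, users and groups below are
constructed; the error behaviour on no match or several matches is an
assumption for auditing purposes.
"""


def resolve_mambu_role(okta_groups, mambu_roles):
    """Return the one Mambu role whose name exactly matches an Okta group.

    Matching is case- and whitespace-sensitive, as described on the page.
    Okta's built-in 'Everyone' group is just another name here: it only
    matters if a Mambu role is literally called 'Everyone'.
    """
    roles = set(mambu_roles)
    matches = [g for g in okta_groups if g in roles]
    if not matches:
        raise LookupError(f"no Okta group matches a Mambu role; groups={sorted(okta_groups)}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous: user is in several role groups {matches}")
    return matches[0]


def near_misses(okta_groups, mambu_roles):
    """Pairs (group, role) that would match if case and surrounding
    whitespace were ignored, i.e. the typos that silently leave a user
    without a role."""
    by_fold = {r.strip().casefold(): r for r in mambu_roles}
    return [
        (g, by_fold[g.strip().casefold()])
        for g in okta_groups
        if g not in set(mambu_roles) and g.strip().casefold() in by_fold
    ]


def audit_role_mapping(users_to_groups, mambu_roles):
    """Resolve every user; returns {username: role} or {username: 'ERROR: ...'}."""
    report = {}
    for user, groups in users_to_groups.items():
        try:
            report[user] = resolve_mambu_role(groups, mambu_roles)
        except LookupError as exc:
            hint = near_misses(groups, mambu_roles)
            report[user] = f"ERROR: {exc}" + (f"; near misses: {hint}" if hint else "")
    return report


# Constructed sample data for an offline run.
MAMBU_ROLES = ["Teller", "Branch Manager", "Administrator"]
OKTA_USERS = {
    "alice": ["Everyone", "Teller"],                    # exactly one match
    "bob":   ["Everyone", "teller"],                    # case mismatch, no role
    "carol": ["Everyone", "Teller", "Administrator"],   # two roles, ambiguous
    "dave":  ["Everyone"],                              # only the default group
}

if __name__ == "__main__":
    for user, result in audit_role_mapping(OKTA_USERS, MAMBU_ROLES).items():
        print(f"{user:6} -> {result}")
```

Run it against an export of your Okta groups (for example the output of the group membership API) whenever roles are added on either side; the near_misses output is usually enough to spot the offending group name.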
Map group-based roles in Okta
By default, Okta sends the name of its built-in "Everyone" group to the SAML configuration, which matches no Mambu role. To prevent this, create a mapping of group-based roles in Okta so that only the groups that correspond to Mambu roles are sent in the SAML assertion.
For assistance, refer to this page: Enable group-based role mapping in Okta.
Assign branch IDs through Okta
For each of your users, you must also define in Okta the branch they are assigned to. For more information, see Managing Users under Federated Authentication - Branch assignment.
The following are the main steps for branch assignment using Okta as your IdP:
Create a custom attribute named "BranchID" in your Okta user profile, following the instructions in Add custom user attributes.
Use the following attributes:
- Attribute length: Less than 100
- User permission: Read-Write
- Source priority: Inherit from profile source
If you want all the users of a specific application to be assigned the same branch ID, you may set the value of the BranchID attribute at the group level. For more information, see Add custom attributes to a default Okta group profile.