Using Okta as your Identity Provider (IdP)
  • 26 Jan 2022

Setting up federated authentication with Okta

If you are using Okta, Mambu is available as an approved app. For the easiest setup, go to the Okta Integration Network and search for Mambu.

To set up federated authentication with Okta manually, follow the step-by-step guide below.

Step-by-step guide

Setup in Okta

  1. Sign in to Okta with an admin account and navigate to Applications > Add Application > Create New App (please make sure that the default display is Classic UI).
  2. Create a new SAML 2.0 application.

  3. Go to General Settings and enter an App name for the Okta SAML 2.0 application.

  4. In the Configure SAML tab, select Show Advanced Settings.
    When configuring the IdP, be sure to correctly configure the Mambu Service Provider (SP) URLs:

For Login: https://TENANT_NAME.mambu.com/saml/login or https://TENANT_NAME.env.mambu.com/saml/login
For Logout: https://TENANT_NAME.mambu.com/saml/logout or https://TENANT_NAME.env.mambu.com/saml/logout

  5. Map the SAML attributes (used for displaying the user's first name, last name, and username).

  6. Enter the Group Attribute Statements for Mambu-Okta role mapping.

  7. In the Feedback tab, select the I'm an Okta customer adding an internal app option and then select Finish.

  8. You will be redirected to the Sign On tab, where the SAML configuration settings can be accessed at any time by selecting View Setup Instructions.

Please Note

Make sure you have at least one user created and migrated into your IdP and that that user is assigned to the SAML app.

Setup in Mambu

  1. In Mambu, on the main menu, go to Administration > Access > Federated Authentication and select the Enable Single Sign-On check box, with the Manual Settings option selected as well. Enter the Name you would like to use for your IdP.
  2. For the Single Sign-On Endpoint, enter the Identity Provider Single Sign-On URL from the IdP's "View Setup Instructions" page.
  3. For the Certificate Fingerprint, enter the value returned by the following command:
    openssl x509 -noout -fingerprint -sha256 -inform pem -in {/path/to/certificate-file.crt}

Remember to use the correct certificate name / path!

  4. For the Issuer ID, enter the Identity Provider Issuer from the Okta IdP.
  5. The ACS URL is optional. If filled in, it is mapped to the value of the Destination URL field from the IdP's "View Setup Instructions" page.

  6. Select "Test SSO Connection" and enter the username and password of your Okta account. The connection should be successful; the next step is to select Save Changes. If you have any issues during the setup, please open a new topic on Mambu Community or contact our support team.

Add and Assign Users and respective Roles

  1. Sign in as an admin and go to Directory > People, and select Add Person.

  2. Add values for the required fields: First name, Last name, Username, and Primary email.
  3. If the user already exists in Mambu, then the username and email fields should have the same value that exists in Mambu for that user. Please take into consideration that the username and email should be unique.
  4. To assign the Mambu SAML App to a user, select the Assign Applications tab from the user profile. Then select an application and select Assign.

How to Add and Assign Mambu Roles through Okta

  1. Sign in as an admin, go to Directory > Groups, and select Add Group. Add a name and a description.
    Make sure the group name in Okta exactly matches the role name in Mambu so that users inherit the Mambu role immediately after Okta group assignment.
  2. Select the group name and select Add Members. Search for the user that should be assigned to that role/group.

Please Note

Every time a user signs in, we look through the list of groups the user belongs to in Okta, and try to find any exact match with a Mambu role set up on your instance. Please make sure every user has only one Mambu role/group assigned to them.
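
The sign-in rule in the note above (exact group-to-role match, one role per user) can be checked before rollout. The following is an added example, not Mambu or Okta code: it assumes group memberships and role names are available as plain Python data, treats "exact match" as case- and whitespace-sensitive string equality, and uses constructed sample names.

```python
# Added example: audit Okta group assignments against Mambu role names.
# Assumption: "exact match" means plain string equality (case-sensitive).
# All users, groups and roles below are constructed for illustration.

def _norm(name):
    """Loose form used only to spot near-misses (case / stray whitespace)."""
    return " ".join(name.split()).casefold()

def audit_role_mapping(user_groups, mambu_roles):
    """Classify each user by how many Okta groups exactly match a Mambu role.

    user_groups: dict of username -> list of Okta group names
    mambu_roles: iterable of role names as configured in Mambu
    Returns dict of username -> (status, exact_matches, near_misses).
    """
    roles = set(mambu_roles)
    loose = {_norm(r): r for r in roles}
    report = {}
    for user, groups in user_groups.items():
        exact = sorted(g for g in groups if g in roles)
        # Groups that would match only if case/whitespace were ignored.
        near = sorted(
            (g, loose[_norm(g)]) for g in groups
            if g not in roles and _norm(g) in loose
        )
        if len(exact) == 1:
            status = "ok"
        elif len(exact) > 1:
            status = "multiple-roles"   # violates the one-role-per-user rule
        elif near:
            status = "name-mismatch"    # group exists but is not an exact match
        else:
            status = "no-role"
        report[user] = (status, exact, near)
    return report

# Constructed sample data
MAMBU_ROLES = ["Teller", "Credit Officer", "Administrator"]
OKTA_GROUPS = {
    "alice": ["Everyone", "Teller"],
    "bob": ["Everyone", "credit officer"],
    "carol": ["Teller", "Administrator"],
    "dave": ["Everyone"],
}

if __name__ == "__main__":
    for user, (status, exact, near) in audit_role_mapping(OKTA_GROUPS, MAMBU_ROLES).items():
        print(f"{user:6} {status:15} exact={exact} near={near}")
```

Any user not reported as "ok" should be corrected in Okta before that user relies on SSO for role assignment.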
