This article describes how to integrate Okta with Anodot Cost. You can create the integration using either SAML 2.0 or OpenID Connect (OIDC).
OKTA Using SAML
- Access the OKTA admin console.
- Navigate to the Applications > Applications page and click Create App Integration.
- Choose SAML 2.0 and click Next.
- In the SAML settings enter the following:
- Single sign-on URL: https://mypileus.auth.us-east-1.amazoncognito.com/saml2/idpresponse
- Audience URI (SP Entity ID): urn:amazon:cognito:sp:us-east-1_Uv6ArNdSK
- Name ID format: EmailAddress
- Application username: Email
- Under the Attribute Statements section add the following attribute:
- Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- Value: user.email
- Click Next, then Finish.
- Navigate to the Directory > Profile Editor page and click on the application you just created.
- Click Add Attribute and enter the following information:
- Display name: anodot cost role
- Variable name: anodot_cost_role
- Enable "Define enumerated list of values"
- Under the attribute members, enter as values the role IDs you received from Anodot. Because the list is enumerated, only these role IDs can be assigned to a user; a value that is not on the list is rejected.
- Enable the Attribute required checkbox
- For Attribute type choose the group option
- Click Save Attribute.
- Navigate to the Applications > Applications page and click on the application you created.
- Under the General tab, click Edit SAML Settings.
- Under Attribute Statements add a second attribute:
- Name: anodotCostRole
- Value: appuser.anodot_cost_role
- Navigate to the Sign On tab and copy the Metadata URL. Save it and send it to Anodot support (support@anodot.com) to complete the configuration on Anodot's side.
- Under the Assignments tab, assign the users and groups that should be able to sign in to the Anodot platform. Because anodot_cost_role is a required attribute, each user must be given one of the role IDs when assigned.
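The two attribute statements above are what end up in the SAML assertion Okta sends to the single sign-on URL. A quick way to confirm the app is configured as intended, before sending the metadata URL to Anodot, is to capture a test assertion (for example from the browser's developer tools during a sign-in) and check its NameID format, audience and attributes against the values on this page. The script below is an added example written for this article, not Okta's or Anodot's code; the assertion it parses is constructed inline and the role IDs in ALLOWED_ROLES are placeholders for the ones Anodot gives you. It checks content only; signature validation is done by the service provider against the certificate in the metadata.

```python
"""Check a captured Okta SAML assertion for the values Anodot Cost expects."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Values from the Okta configuration described on this page
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "anodotCostRole"
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:us-east-1_Uv6ArNdSK"
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder role IDs; replace with the IDs received from Anodot
ALLOWED_ROLES = {"ROLE_ID_FROM_ANODOT_1", "ROLE_ID_FROM_ANODOT_2"}

# Constructed sample assertion (unsigned, shortened) for demonstration only
SAMPLE_ASSERTION = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0"
                Destination="https://mypileus.auth.us-east-1.amazoncognito.com/saml2/idpresponse">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:us-east-1_Uv6ArNdSK</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="anodotCostRole">
        <saml:AttributeValue>ROLE_ID_FROM_ANODOT_1</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _attribute_values(assertion, name):
    """Return all AttributeValue texts for the attribute called `name`."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return []


def check_assertion(xml_text, allowed_roles):
    """Validate NameID, audience and the two attribute statements.

    Returns {"email": ..., "role": ...} on success, raises ValueError otherwise.
    """
    root = ET.fromstring(xml_text.strip())
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in response")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")

    emails = _attribute_values(assertion, EMAIL_CLAIM)
    if len(emails) != 1 or emails[0] != (name_id.text or ""):
        raise ValueError("email attribute missing or does not match NameID")

    roles = _attribute_values(assertion, ROLE_CLAIM)
    if len(roles) != 1:
        raise ValueError(f"expected exactly one {ROLE_CLAIM} value, got {roles}")
    if roles[0] not in allowed_roles:
        raise ValueError(f"role ID {roles[0]!r} is not one of the IDs received from Anodot")

    return {"email": emails[0], "role": roles[0]}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, ALLOWED_ROLES))
```

Run it against a real captured assertion by replacing SAMPLE_ASSERTION with the decoded SAMLResponse body; a ValueError pinpoints which of the settings above is wrong (NameID format, audience URI, attribute name or role value).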
OKTA Using OpenID
- Access the OKTA admin console.
- Navigate to the Applications > Applications page and click Create App Integration.
- Choose the following for the application:
- Sign-in method: OIDC - OpenID Connect
- Application type: Web Application
- In the app settings enter the following:
- Sign-in redirect URIs: https://mypileus.auth.us-east-1.amazoncognito.com/saml2/idpresponse (this is the same callback path as in the SAML integration above; confirm the exact redirect URI with Anodot support before saving, since a mismatch causes the authorization-code redirect to be rejected)
- Controlled access: Skip group assignment for now
As part of the SSO integration, follow the steps below to add users and manage their roles from the IdP (identity provider):
- Navigate to the Directory > Profile Editor page and click on User (default).
- Click Add Attribute and enter the following information:
- Display name: anodot cost role
- Variable name: anodot_cost_role
- Click Save Attribute.
- Navigate to the Directory > Profile Editor page and click on the application you created in step #2.
- Click Add Attribute and enter the following information:
- Display name: anodot cost role
- Variable name: anodot_cost_role
- Enable "Define enumerated list of values"
- Under the attribute members, enter as values the role IDs you received from Anodot
- Enable the Attribute required checkbox
- For Attribute type choose the group option
- Click Save Attribute.
- From the Profile Editor page, under the application you created, click on Mapping.
- Under the OKTA user to <your_application_name> map the following:
- Click on Save Mapping.
- Under the <your_application_name> to OKTA user map the following:
- Click on Save Mapping, and Apply updates now.
- Navigate to the Applications page and choose the application you created in step #2.
- Copy the following values and forward them to Anodot support to complete the configuration on Anodot's side (support@anodot.com). The client secret is a credential: send it through a secure channel agreed with Anodot support rather than in plain e-mail, and rotate it from General > Client Credentials if it is exposed.
- Client ID (go to General > Client Credentials > Client ID)
- Client secret (go to General > Client Credentials > Client secret)
- The issuer (go to Sign On > OpenID Connect ID Token > Issuer)
- A list of all email domains used by your users.
- Under the Assignments tab, assign the users and groups that should be able to sign in to the Anodot platform. Because anodot_cost_role is a required attribute, each user must be given one of the role IDs when assigned.