Configure Okta to manage your directory of users in Banyan

Okta is a leading cloud-based identity management system. Banyan integrates with your organization’s Okta account to authenticate enterprise users that need access to Banyan-secured services.

Prerequisites

In order to set up this integration, you need administrative access to Okta and the ability to add a new application integration to Okta.

Supported Features

The Okta/Banyan Security integration currently supports the following features:

  • IdP-initiated SSO
  • SP-initiated SSO
  • JIT (Just In Time) Provisioning

Steps

1. In the Banyan Command Center, configure your User Identity Provider

1a. Navigate to Settings > TrustProvider Settings > Identity Provider and then set your Identity Provider Protocol to OIDC and your User Identity Provider to OKTA.

You will fill out these Identity Provider configuration fields after you set up the new application integration in Okta.

1b. Take note of the Redirect URL provided in the configuration field. You will need it for the steps in Okta below.

2. Launch a New Application Integration in Okta

2a. Log in to your Okta account.

2b. Switch to the Okta Classic UI for this guide.

2c. Navigate to Applications > Applications and then click Add Application.

2d. Click Create New App.

2e. Leave the Platform set to Web, set the Sign on method to OpenID Connect, and then click Create.

3. Create an Application Integration in Okta called “Banyan TrustProvider”

3a. Name the application integration Banyan TrustProvider and upload the Banyan Logo.

If you are configuring an application integration for Device Registration, then name this application Banyan DeviceRegistrationProvider.

3b. In the Login redirect URIs field, enter the Redirect URL you obtained in Step 1b, and then click Save.

4. Set the group claims for the Okta token

4a. Navigate to Sign On > OpenID Connect ID Token and then click Edit.

4b. Set the Group claims filter to Filter, name the claim groups, and set the Matches regex to .* to ensure the token issued by Okta contains all the user’s group information. Then, click Save.

5. Assign the “Banyan TrustProvider” application to “Everyone”

5a. Navigate to Assignments, then click Assign > Assign to Groups.

5b. Assign the Banyan TrustProvider app to “Everyone”, and then click Done. This will allow Banyan to federate authentication of all users in your organization to Okta.

Note: You still need to apply Policies in the Banyan Command Center to manage which users can access specific internal applications.

6. From the Banyan TrustProvider app in Okta, take note of the Issuer URL, Client ID, and Client Secret fields

6a. Return to the Sign On tab and take note of the Issuer URL (Sign On). You will need it for the steps in the Banyan Command Center below.

Note: Banyan currently does not support Okta Custom URLs, which alias your Okta organization’s domain name to a subdomain that you own. That is, an Issuer URL of the form example.okta.com or example.oktapreview.com will work; however, an aliased Issuer URL of the form login.example.com will not.

6b. Navigate to the General tab and take note of the Client ID and Client secret provided in the Client Credentials fields. You will need them in the Banyan Command Center below.

7. Save the Okta fields in the Banyan Command Center

If you are configuring a Device Registration Provider for Passwordless Authentication, then enter the values in the Device Registration Provider Config (optional) section.

7a. Return to the Identity Provider page in the Banyan Command Center (Settings > TrustProvider Settings > Identity Provider) and enter the Banyan TrustProvider App parameters from Okta:

  • Issuer URL (from Step 6a)
  • Client ID and Client Secret (both from Step 6b)

7b. Click Update Identity Provider Config to save the settings.
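As an added check that is not part of Banyan's or Okta's documentation: the Python below validates the Issuer URL form described in the Step 6a note, simulates the Step 4b groups filter, and decodes a constructed, unsigned ID token to confirm the groups claim is present. All sample values, including the client ID, are constructed placeholders.

```python
# Added example (not Banyan's or Okta's code): pre-flight checks for the values
# this guide has you copy between Okta and the Banyan Command Center.
import base64
import json
import re
from urllib.parse import urlparse

# Issuer hosts the guide says Banyan accepts (Step 6a note); a custom-domain
# alias such as login.example.com is rejected.
OKTA_ISSUER_SUFFIXES = (".okta.com", ".oktapreview.com")


def check_issuer_url(issuer_url: str) -> bool:
    """True if the Issuer URL is https on an okta.com / oktapreview.com host."""
    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    return parsed.hostname.endswith(OKTA_ISSUER_SUFFIXES)


def groups_passing_filter(user_groups, matches_regex: str):
    """Simulate the Step 4b 'Filter ... Matches regex' setting on a user's groups."""
    pattern = re.compile(matches_regex)
    return [g for g in user_groups if pattern.fullmatch(g)]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_id_token(id_token: str, issuer_url: str, client_id: str) -> dict:
    """Decode an ID token payload WITHOUT verifying its signature (diagnostic
    only; a relying party must verify the JWS against Okta's published keys)
    and report whether iss, aud and the groups claim match this guide's setup."""
    _header, payload_b64, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    return {
        "issuer_ok": claims.get("iss") == issuer_url.rstrip("/"),
        "audience_ok": claims.get("aud") == client_id,
        "groups": claims.get("groups", []),
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none') for local testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```

Run `inspect_id_token` on a token you captured from your own Okta app with the Issuer URL and Client ID you entered in Step 7a; an empty `groups` list usually means the Step 4b claim was not saved.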

That’s it! You have successfully integrated Okta to manage your directory of users in Banyan.

Last modified: Jul 06, 2021