Okta and OpenID Connect

Requirement

Administrator account in Okta

Supported features

Immuta's OpenID Connect integration supports the following features:

  • Service Provider (SP)-Initiated Authentication (SSO) Flow

  • Identity Provider (IDP)-Initiated Authentication (SSO) Flow

Configuration steps

1 - Add the Immuta application in Okta

  1. Log in to Okta as an Admin, navigate to the Applications tab, and click Add Application.

  2. Search for Immuta in the search bar and click Add.

  3. Choose a name for your integration and click Next. Then select the OpenID Connect button.

  4. Scroll down and enter the Base URL for your Immuta tenant.

  5. Enter the IAM ID for your Immuta OIDC integration (if you have not created an IAM ID, you will complete that step in the next section).

  6. Click Done and once the page reloads, navigate back to the Sign On tab and copy down the Client ID and Client secret.

Attribute matching for SCIM

Attribute matching allows you to determine how to uniquely identify a user in Okta and match that user in Immuta during login and provisioning. Immuta supports the following matching attributes in Okta:

  • Users:

    • id

    • userName

    • email

    • displayName

    • emails[type eq "work"].value

  • Groups:

    • id

    • displayName

Using any other attribute in Okta as a matching attribute results in an error. See the Okta documentation for details about attribute matching and how to configure it.
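The following is an added example, not Immuta's or Okta's own code, of how the supported matching attributes above resolve against a SCIM user or group resource. It assumes standard SCIM semantics for a filtered path such as `emails[type eq "work"].value` (scan the multi-valued attribute for the first element whose sub-attribute equals the filter value) and rejects any attribute outside the two lists, mirroring the error the page describes. The sample resources are constructed for the example.

```python
import re

# Matching attributes Immuta accepts for Okta SCIM provisioning (from the lists above).
SUPPORTED_USER_ATTRIBUTES = {
    "id", "userName", "email", "displayName", 'emails[type eq "work"].value',
}
SUPPORTED_GROUP_ATTRIBUTES = {"id", "displayName"}

# Recognises a filtered multi-valued path of the form  attr[sub eq "value"].field
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


class UnsupportedMatchingAttribute(ValueError):
    """Raised when the chosen attribute is not one Immuta supports for matching."""


def resolve_matching_attribute(resource: dict, attribute: str, kind: str = "user"):
    """Return the value of `attribute` on a SCIM resource, or raise if unsupported.

    `kind` is "user" or "group" and selects which attribute list is allowed.
    Filtered paths are resolved by scanning the multi-valued attribute for the
    first element whose sub-attribute matches; None means no element matched.
    """
    allowed = SUPPORTED_USER_ATTRIBUTES if kind == "user" else SUPPORTED_GROUP_ATTRIBUTES
    if attribute not in allowed:
        raise UnsupportedMatchingAttribute(
            f"{attribute!r} is not a supported {kind} matching attribute"
        )
    match = _FILTER_PATH.match(attribute)
    if match is None:
        # Simple top-level attribute (id, userName, email, displayName)
        return resource.get(attribute)
    multi, sub_attr, wanted, field = match.groups()
    for element in resource.get(multi, []):
        if element.get(sub_attr) == wanted:
            return element.get(field)
    return None


# Constructed sample SCIM user for the example; not taken from a real tenant.
SAMPLE_USER = {
    "id": "00u1example",
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "emails": [
        {"type": "home", "value": "jane@home.example"},
        {"type": "work", "value": "jdoe@example.com", "primary": True},
    ],
}

if __name__ == "__main__":
    print(resolve_matching_attribute(SAMPLE_USER, 'emails[type eq "work"].value'))
    print(resolve_matching_attribute(SAMPLE_USER, "userName"))
    try:
        resolve_matching_attribute(SAMPLE_USER, "nickName")
    except UnsupportedMatchingAttribute as exc:
        print("rejected:", exc)
```

Because the allowed set is checked before any value is read, an unsupported attribute fails fast at configuration time rather than silently matching nothing during provisioning.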

2 - Add OpenID Connect in Immuta

  1. Log in to Immuta and click the App Settings icon in the navigation menu.

  2. Click the Add IAM button and enter a Display Name.

  3. Select OpenID from the Identity Provider Type dropdown menu.

  4. If required, navigate back to Okta, enter the IAM ID below the Base URL, and then complete the remaining steps from the Okta section.

3 - Configure OpenID Connect

  1. In the Identity Management section of the Immuta console, enter the Client ID and Client Secret you copied from Okta in the previous section.

  2. Enter the following URL in the Discover URL field: https://<your_okta_workspace.com>/.well-known/openid-configuration.

  3. Opt to add additional Scopes.

  4. Opt to Enable SCIM support for OpenID by clicking the checkbox, which will generate a SCIM API Key. Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.

  5. In the Profile Schema section, map attributes in OpenID to automatically fill in a user's Immuta profile. Note: Fields that you specify in this schema will not be editable by users within Immuta.

    If usernames in your data platform align with usernames in an external IAM and those accounts align with an IAM attribute, enter the IAM attribute in the field that corresponds to your data platform:

    1. User's Databricks Username

    2. User's Snowflake Username

    3. User's Trino Username

    4. User's Azure Synapse Analytics Username

    5. User's Redshift Username

    6. User's AWS User. After entering the IAM attribute in the User's AWS User field, open the Select AWS User Type dropdown and select one of the types below. The Amazon S3 Integration uses this setting to map users in Immuta to the corresponding user type in AWS.

      • None (fallback to Immuta username): When selecting this option, the AWS username is assumed to be the same as the Immuta username.

      • AWS IAM role: Only a single Immuta user can be mapped to an IAM role. This restriction prohibits enforcing policies on AWS users who could assume that role. Therefore, if using role principals, create a new user in Immuta that represents the role so that the role then has the permissions applied specifically to it.

      • AWS Identity Center user IDs: You must use the numeric User ID value found in AWS IAM Identity Center, not the user's email address.

    7. User's PostgreSQL Username

  6. Opt to enable the IDP-Initiated SSO feature by selecting the Allow Identity Provider Initiated Single Sign On checkbox.

  7. Opt to Migrate Users from another IAM by selecting the checkbox.
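The following is an added example, not Immuta's or Okta's own code, that performs the pre-flight checks a practitioner would want before clicking Test Connection: it builds the Discover URL from the Okta base URL (step 2), validates a discovery document for the endpoints an authorization-code SSO login needs and for the requested additional scopes (step 3), and reports IAM usernames whose casing differs from, or which are absent from, the data platform usernames (step 4). It assumes the org authorization server form of the Discover URL shown above, so the issuer must be served from the same host as the Okta base URL; the discovery document and username lists are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Endpoints an authorization-code SSO login needs from the discovery document
# (assumption: the standard OIDC fields, not an Immuta-specific list).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(okta_base_url: str) -> str:
    """Build the Discover URL from the Okta org base URL (step 2 above)."""
    return okta_base_url.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery_document(doc: dict, okta_base_url: str, extra_scopes=()):
    """Return a list of problems; an empty list means the document is usable.

    Checks that every required endpoint is present and served over https,
    that the issuer lives on the configured Okta host, and that "openid" plus
    any additional scopes you intend to request are advertised by the provider.
    """
    problems = []
    for field in REQUIRED_FIELDS:
        value = doc.get(field)
        if not value:
            problems.append(f"missing {field}")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    issuer_host = urlparse(doc.get("issuer", "")).netloc
    expected_host = urlparse(okta_base_url).netloc
    if not issuer_host or issuer_host != expected_host:
        problems.append(f"issuer host {issuer_host!r} does not match {expected_host!r}")
    supported = set(doc.get("scopes_supported", []))
    for scope in ("openid", *extra_scopes):
        if scope not in supported:
            problems.append(f"scope {scope!r} not advertised by the provider")
    return problems


def username_mismatches(idp_usernames, platform_usernames):
    """Compare IAM usernames with data platform usernames (step 4 above).

    Returns 'case_only' pairs (same letters, different casing) and 'missing'
    names (no counterpart in the data platform at all); both must be fixed in
    the identity provider before SCIM is enabled.
    """
    platform_exact = set(platform_usernames)
    platform_folded = {name.casefold(): name for name in platform_usernames}
    result = {"case_only": [], "missing": []}
    for name in idp_usernames:
        if name in platform_exact:
            continue
        counterpart = platform_folded.get(name.casefold())
        if counterpart is not None:
            result["case_only"].append((name, counterpart))
        else:
            result["missing"].append(name)
    return result


# Constructed discovery document for the example; a real one is fetched from discovery_url().
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://example.okta.com",
  "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
  "token_endpoint": "https://example.okta.com/oauth2/v1/token",
  "jwks_uri": "https://example.okta.com/oauth2/v1/keys",
  "scopes_supported": ["openid", "profile", "email", "groups"]
}""")

if __name__ == "__main__":
    print(discovery_url("https://example.okta.com/"))
    print(check_discovery_document(SAMPLE_DISCOVERY, "https://example.okta.com", ["profile"]))
    print(username_mismatches(["JDoe", "asmith", "bob"], ["jdoe", "asmith"]))
```

Running the scope check against the discovery document before saving catches a typo in an additional scope at configuration time; a case-only username mismatch is the condition step 4 tells you to correct in the identity provider first, since it would otherwise map to the wrong account in the data platform.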

4 - Test connection and save configuration

  1. Click the Test Connection button.

  2. Once the connection is successful, click the Test User Login button.

  3. Click Save.
