Skip to main content

How to Setup SSO via SCIM

This article describes the steps needed to enable Okta integration with Layer

Updated over 3 weeks ago

Prerequisites

In order to enable the Okta integration, you need to have an active Enterprise plan with Layer. If you haven't already done so, please go to your workspace plan settings and subscribe to an Enterprise plan.

Supported Features

Layer's Okta integration supports the following features:

For more information on the listed features, visit the Okta Glossary.

Configuration Steps

For OIDC Integration

  1. In Okta, Go to Applications β†’ Create App Integration.

  2. Choose OIDC as the Sign-in method. Choose Web Application as your Application Type. Click Next.

  3. Enter "https://auth.app.layer.ai/login/callback" into the Sign-in redirect URIs.

  4. Enter "https://app.layer.ai" into the Sign-out redirect URIs.

  5. If you'd like to be able to initiate login from Okta:

    1. Choose "Either Okta or App" for Login initiated by

    2. Set Application visibility checkboxes as needed

    3. Choose "Redirect to app to initiate login" for Login flow

    4. Enter "https://app.layer.ai/login" into the Initiate login URI

  6. Click Create.

  7. Assign the users or groups that should be able to log into Layer.

  8. Note the Client ID and Client Secret.

  9. Contact [email protected] with the following information:

    1. Okta Domain (looks like acme.okta.com)

    2. Client ID

    3. Client Secret

For SAML Integration

  1. Reach out to [email protected] to get the connection name for your workspace.

  2. In Okta, Go to Applications β†’ Create App Integration.

  3. Choose SAML 2.0 as the Sign-in method. Click Next.

  4. Enter "https://auth.app.layer.ai/login/callback?connection=<connection>" into the Single sign-on URL.

  5. Ensure Use this for Recipient URL and Destination URL is checked.

  6. Enter "urn:auth0:layer-stack-app:<connection>" into the Audience URI (SP Entity ID).

  7. Under "Attribute Statements (optional)", add the following:

    1. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Value: user.email

    2. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Value: user.name

    3. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, Value: user.given_name

    4. Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, Value: user.family_name

    5. Name: email_verified, Value: true

    6. [Optional] Name: profile_picture, Value: user.profilePicture (or whichever field you use for profile pictures)

  8. [Optional] If you'd like to sign your requests, you can sign them using the public certificate at https://auth.app.layer.ai/pem?cert=<connection>

  9. Click Create.

  10. Assign the users or groups that should be able to log into Layer.

  11. Contact [email protected] with the following information:

    1. Okta Domain (looks like acme.okta.com)

    2. Metadata URL

    3. SHA-2 SAML Signing Certificate

For SCIM Integration

Note that this integration only works with SAML applications on Okta.

  1. Get a personal access token from https://app.layer.ai/settings/tokens. You can name this token "SCIM" to make it easier to manage your tokens.

  2. In Okta, go to your SAML application and open the Provisioning tab. Under the SCIM connection, fill the form with the following information:

    1. SCIM version: 2

    2. SCIM connector base URL: https://app.layer.ai/backend/scim/v2/

    3. Unique identifier field for users: userName

    4. Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups

    5. Authentication mode: HTTP Header

    6. Authorization: Bearer <personal access token from Step 1>

  3. Click Save.

  4. Got to the Provisioning tab again, and click Edit.

  5. Enable Create Users, Update User Attributes and Deactivate Users

Did this answer your question?