Prerequisites
In order to enable the Okta integration, you need to have an active Enterprise plan with Layer. If you haven't already done so, please go to your workspace plan settings and subscribe to an Enterprise plan.
Supported Features
Layer's Okta integration supports the following features:
SP-initiated SSO (Single Sign-On)
IdP-initiated SSO (through Third-party Initiated Login)
Just-In-Time provisioning
For more information on the listed features, visit the Okta Glossary.
Configuration Steps
For OIDC Integration
In Okta, go to Applications → Create App Integration.
Choose OIDC as the Sign-in method. Choose Web Application as your Application Type. Click Next.
Enter "https://auth.app.layer.ai/login/callback" into the Sign-in redirect URIs.
Enter "https://app.layer.ai" into the Sign-out redirect URIs.
If you'd like to be able to initiate login from Okta:
Choose "Either Okta or App" for Login initiated by
Set Application visibility checkboxes as needed
Choose "Redirect to app to initiate login" for Login flow
Enter "https://app.layer.ai/login" into the Initiate login URI
Click Create.
Assign the users or groups that should be able to log into Layer.
Note the Client ID and Client Secret.
Contact [email protected] with the following information:
Okta Domain (looks like acme.okta.com)
Client ID
Client Secret
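The OIDC steps above register two entry points with Okta: the Sign-in redirect URI (where Okta sends the browser back with an authorization code) and the Initiate login URI (where Okta sends the browser when a user starts from the Okta dashboard). The following is an added example, not Layer's or Okta's code, modelling the checks a relying party has to make at each of those points. OKTA_DOMAIN and CLIENT_ID are placeholders; it assumes the Okta org authorization server (issuer https://<okta-domain>), and ID token signature verification against Okta's JWKS is out of scope here.

```python
"""Added example (not Layer's or Okta's code): the relying-party checks behind the
OIDC settings above. Placeholder values are marked as assumed."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

OKTA_DOMAIN = "acme.okta.com"                  # assumed: your Okta org domain
CLIENT_ID = "0oaexampleclientid"               # assumed: the Client ID noted in Okta
ISSUER = f"https://{OKTA_DOMAIN}"              # assumed: org authorization server issuer
REDIRECT_URI = "https://auth.app.layer.ai/login/callback"   # registered Sign-in redirect URI
INITIATE_LOGIN_URI = "https://app.layer.ai/login"           # registered Initiate login URI


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as in RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(state, nonce, code_challenge):
    """SP-initiated SSO: the URL the browser is sent to when login starts at Layer."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile email",
        "redirect_uri": REDIRECT_URI,   # must equal a registered Sign-in redirect URI exactly
        "state": state,                 # CSRF binding, checked again on the callback
        "nonce": nonce,                 # replay binding, checked again in the ID token
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/oauth2/v1/authorize?" + urlencode(params)


def _without_query(url):
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def accept_third_party_initiated_login(url):
    """IdP-initiated SSO: Okta's 'Redirect to app to initiate login' flow sends the browser
    to the Initiate login URI with an iss parameter (OpenID Connect Third-party Initiated
    Login). Start a login only for the issuer you configured, so an unrelated IdP cannot
    push users into a session with its own accounts."""
    q = parse_qs(urlparse(url).query)
    return _without_query(url) == INITIATE_LOGIN_URI and q.get("iss") == [ISSUER]


def code_from_callback(url, expected_state):
    """Return the authorization code only if the callback arrived at the registered
    redirect URI carrying the state issued for this login; otherwise None."""
    if _without_query(url) != REDIRECT_URI:
        return None
    q = parse_qs(urlparse(url).query)
    if q.get("state") != [expected_state]:
        return None
    return q["code"][0] if "code" in q else None


def id_token_claims_ok(claims, expected_nonce, now=None):
    """Claim checks to run after the ID token signature has been verified:
    issuer, audience (the Client ID), nonce and expiry."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == ISSUER and CLIENT_ID in aud
            and claims.get("nonce") == expected_nonce and claims.get("exp", 0) > now)
```

The redirect URI and issuer comparisons are exact string matches on purpose: a prefix or substring match on either is the classic way an open redirect or a foreign IdP slips through.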
For SAML Integration
Reach out to [email protected] to get the connection name for your workspace.
In Okta, go to Applications → Create App Integration.
Choose SAML 2.0 as the Sign-in method. Click Next.
Enter "https://auth.app.layer.ai/login/callback?connection=<connection>" into the Single sign-on URL.
Ensure Use this for Recipient URL and Destination URL is checked.
Enter "urn:auth0:layer-stack-app:<connection>" into the Audience URI (SP Entity ID).
Under "Attribute Statements (optional)", add the following:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, Value: user.email
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Value: user.name
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, Value: user.given_name
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, Value: user.family_name
Name: email_verified, Value: true (a fixed value: it tells Layer to treat every address Okta asserts as verified, so assign only users whose email addresses your Okta org actually owns)
[Optional] Name: profile_picture, Value: user.profilePicture (or whichever field you use for profile pictures)
[Optional] If you'd like Layer's SAML requests to be signed, Okta can verify the signatures with the public certificate published at https://auth.app.layer.ai/pem?cert=<connection>
Click Create.
Assign the users or groups that should be able to log into Layer.
Contact [email protected] with the following information:
Okta Domain (looks like acme.okta.com)
Metadata URL
SHA-2 SAML Signing Certificate
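The Single sign-on URL, Audience URI and attribute statements configured above end up as concrete values in every SAML response Okta sends: the response Destination and the assertion's Recipient must equal the callback URL, the Audience must equal the urn:auth0:layer-stack-app:<connection> entity ID, and the attributes must appear under exactly the names listed. The following is an added example, not Layer's or Okta's code, that checks a response for those values. The response is a constructed, unsigned sample and "acme-okta" is an assumed connection name; a real response must have its XML signature verified before anything in it is trusted.

```python
"""Added example (not Layer's or Okta's code): check a SAML response against the
Okta settings above. The sample response is constructed for this example."""
import xml.etree.ElementTree as ET  # fine for a sample you wrote yourself; parse IdP
                                    # responses with defusedxml after signature verification

CONNECTION = "acme-okta"  # assumed: the connection name Layer support gives you
ACS_URL = f"https://auth.app.layer.ai/login/callback?connection={CONNECTION}"
AUDIENCE = f"urn:auth0:layer-stack-app:{CONNECTION}"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_ATTRS = {CLAIMS + "emailaddress", CLAIMS + "name", CLAIMS + "givenname",
                  CLAIMS + "surname", "email_verified"}
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of what Okta would send for the configuration above (no signature).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email_verified"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_attributes(xml_text):
    """Map each attribute Name to its list of values."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return {}
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def check_response(xml_text):
    """Return a dict of problems; an empty dict means the response matches the settings."""
    root = ET.fromstring(xml_text)
    problems = {}
    if root.get("Destination") != ACS_URL:
        problems["destination"] = root.get("Destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems["assertion"] = "missing"
        return problems
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems["recipient"] = None if scd is None else scd.get("Recipient")
    audiences = {a.text for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if AUDIENCE not in audiences:
        problems["audience"] = sorted(audiences)
    attrs = parse_attributes(xml_text)
    missing = REQUIRED_ATTRS - attrs.keys()
    if missing:
        problems["missing_attributes"] = sorted(missing)
    if attrs.get("email_verified") != ["true"]:
        problems["email_verified"] = attrs.get("email_verified")
    return problems
```

Running check_response on a response captured from the browser (for example via a SAML tracer extension) is a quick way to confirm the Okta side before involving support: a wrong Audience URI or a mistyped claim name shows up by name instead of as a generic login failure.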
For SCIM Integration
Note that this integration only works with SAML applications on Okta.
Get a personal access token from https://app.layer.ai/settings/tokens. You can name this token "SCIM" to make it easier to manage your tokens.
In Okta, go to your SAML application and open the Provisioning tab. Under the SCIM connection, fill the form with the following information:
SCIM version: 2
SCIM connector base URL: https://app.layer.ai/backend/scim/v2/
Unique identifier field for users: userName
Supported provisioning actions: Push New Users, Push Profile Updates, Push Groups
Authentication mode: HTTP Header
Authorization: Bearer <the personal access token you created above>
Click Save.
Go to the Provisioning tab again, and click Edit.
Enable Create Users, Update User Attributes and Deactivate Users.
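The provisioning settings above determine what Okta will send to the SCIM connector base URL: a Bearer token in the Authorization header on every request, a lookup on userName (the unique identifier field) before creating anyone, and a create, update or deactivate for each enabled action. The following is an added example, not Layer's backend code, modelling an in-memory SCIM 2.0 endpoint that behaves the way those settings require. The token value and the user records are constructed for the example.

```python
"""Added example (not Layer's backend): a minimal in-memory SCIM 2.0 endpoint matching
the Okta provisioning settings above. Token and data are constructed placeholders."""
import hmac
import re
from urllib.parse import parse_qs

SCIM_TOKEN = "lyr_pat_example_not_real"   # assumed placeholder for the personal access token
BASE = "/backend/scim/v2"                  # path part of the SCIM connector base URL
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')   # the lookup Okta issues before a create


def scim_error(status, detail):
    return {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


def authorized(headers):
    """Authentication mode 'HTTP Header': expect 'Authorization: Bearer <token>' and
    compare in constant time so the token cannot be guessed byte by byte."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, SCIM_TOKEN)


class ScimStore:
    def __init__(self):
        self.users = {}
        self.next_id = 1

    def _by_username(self, name):
        return [u for u in self.users.values() if u["userName"].lower() == name.lower()]

    def handle(self, method, path, headers, body=None):
        """Return (status, json_body) for one request Okta's connector would send."""
        if not authorized(headers):
            return 401, scim_error(401, "invalid bearer token")
        if not path.startswith(BASE + "/Users"):
            return 404, scim_error(404, "not found")
        rest, _, query = path[len(BASE) + len("/Users"):].partition("?")
        user_id = rest.strip("/") or None
        body = body or {}

        if method == "GET" and user_id is None:          # lookup by unique identifier
            m = FILTER_RE.match(parse_qs(query).get("filter", [""])[0])
            if not m:
                return 400, scim_error(400, "only userName eq filters are supported")
            hits = self._by_username(m.group(1))
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

        if method == "POST" and user_id is None:         # Push New Users / Create Users
            name = body.get("userName", "")
            if not name or self._by_username(name):
                return 409, scim_error(409, "userName must be unique")
            user = {"schemas": [USER_SCHEMA], "id": str(self.next_id), "userName": name,
                    "name": body.get("name", {}), "emails": body.get("emails", []),
                    "active": bool(body.get("active", True))}
            self.next_id += 1
            self.users[user["id"]] = user
            return 201, user

        user = self.users.get(user_id)
        if user is None:
            return 404, scim_error(404, "no such user")
        if method == "PUT":                               # Push Profile Updates / Update User Attributes
            user.update({k: body[k] for k in ("userName", "name", "emails", "active") if k in body})
            return 200, user
        if method == "PATCH":                             # Deactivate Users: replace active with false
            for op in body.get("Operations", []):
                if op.get("op", "").lower() == "replace" and isinstance(op.get("value"), dict):
                    user.update(op["value"])
            return 200, user
        return 405, scim_error(405, "method not allowed")
```

Two details carry most of the security weight here: the constant-time token comparison, since the token is the only thing standing between the internet and user creation in your workspace, and the case-insensitive uniqueness check on userName, since Okta identifies users by that field and a second record for the same address would let an update or deactivation land on the wrong account.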