OKTA SAML 2.0: Enabling Single Sign-On and User Auto-Provisioning with ThreatCanvas On-Premises
OKTA SAML 2.0
When enabling Single Sign-On (SSO), work with your organization’s Integrations Engineer to ensure a smooth onboarding process before commencing the training program.
SecureFlag supports SAML 2.0 or OAuth 2.0 / OIDC protocols.
For the auto-provisioning of users and teams, SecureFlag also supports SCIM 2.0.
This guide provides instructions for setting up Single Sign-On on OKTA via SAML using a custom Okta App.
Supported Features
- SP-initiated SSO
- IDP-initiated SSO
- SCIM
Requirements
- Users will need to be set up on the SecureFlag platform. Make sure that the users’ emails match those of their Okta accounts.
- Complete the steps below to set everything up.
Configuration Steps
- Create a new app integration in the Okta Admin Console.
- In the Sign On tab, take note of the “Sign on URL” and “Issuer” and download the “Signing Certificate”. Navigate to the SAML Setup menu on the SecureFlag platform and insert this data there. Refer to this article for more info.
- Follow the relevant Okta guide to assign the App to Users or Groups.
For additional support, please contact support here.
SCIM 2.0
SecureFlag supports the SCIM 2.0 protocol for auto-provisioning and deprovisioning users and teams. Work with your CSM to ensure the SSO integration's correctness before diving into the SCIM configuration.
The following guide provides instructions for setting up provisioning.
Supported Features
- Create users
- Update user attributes
- Deactivate users
- Group push
Requirements
- Users require an account on the SecureFlag platform. Make sure that the users’ emails match those of their Okta accounts.
- Complete the steps below to set everything up.
SCIM integration must be tested before deployment to all accounts.
To test, create a small group of 1-2 accounts to be provisioned to SecureFlag. Once your Customer Success Manager confirms the integration, you may proceed to onboard the rest of the users.
If you are the integration engineer, request an email confirmation from a SecureFlag customer success engineer before pushing a group for testing or onboarding for the first time. You can reach them at success@secureflag.com.
Pushing to a large group of users may result in all accounts within the group receiving an email invite before the onboarding date, which will affect the program.
Configuration Steps
- From the Okta admin page, click on the ThreatCanvas Demo application and enable SCIM.
- Switch to the Provisioning tab.
- Click on Configure API Integration.
- Enter the Secret Token (see this article to get the token). Then click on Test API Credentials. Ensure you receive the message SecureFlag was verified successfully!
- Click on the To App tab. Click on Edit and enable Create Users, Update User Attributes, and Deactivate Users. Then click on Save.
Ensure the mappings are kept to the minimum required.
User Deactivation and Deletion Process
When a user is removed from a group, app assignment, or the Directory, Okta marks them as “Inactive” in SecureFlag. This is standard Okta behavior and cannot be customized or configured.
Inactive users still count toward your active license total, and their data remains stored on the platform.
To permanently delete these users, you can either:
- Manually remove them through the SecureFlag management interface, or
- Use an automated workflow in Okta (details below).
Delete SCIM API Endpoint
To delete users, set up a workflow in Okta that issues a request to the SCIM DELETE endpoint. To do so, follow the steps below:
- Go to the Okta Workflow Console. This can be found under Workflow > Workflows Console from the main Okta page.
- From the Connections page, click New Connection. Then, find SecureFlag.
- In the New Connection dialog, add a string to the Name text field. This is useful when creating multiple connections to share with your team.
- Paste the SCIM token created in the prerequisites section into the SCIM Authentication Token field. Click Create.
Now, you have access to the Remove User License card as part of the SecureFlag Connector. Below is an example workflow that removes the SecureFlag license of a user when their account is deactivated.
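The deletion step above is described only in terms of the Okta Workflow card. As an added example that is not SecureFlag's own code, the script below shows what such a cleanup looks like against a generic SCIM 2.0 endpoint: it looks the user up by email, refuses to delete anyone the directory still reports as active (so a user Okta has merely re-assigned is not removed by mistake), and only then issues the DELETE. Everything about the endpoint is an assumption: the base URL and token are placeholders, and the `/Users`, `filter=userName eq "..."` and `DELETE /Users/{id}` shapes are the standard RFC 7644 ones, not confirmed SecureFlag behaviour. An in-memory fake directory with constructed sample users stands in for the server so the example runs offline.

```python
"""SCIM 2.0 cleanup example for deactivated users (added example, not
SecureFlag's own code or API).

Assumptions that are NOT from the page: the SCIM endpoint follows RFC 7644
(/Users, filter=userName eq "...", DELETE /Users/{id}) and accepts the SCIM
token as a Bearer token; SCIM_BASE_URL and the token below are placeholders.
"""
import json
import re
import urllib.request
from urllib.parse import quote, unquote

SCIM_BASE_URL = "https://SCIM-HOST-PLACEHOLDER/scim/v2"  # placeholder, not a real endpoint


class ScimClient:
    """Minimal SCIM 2.0 client; 'transport' lets the example run offline."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self._send = transport or self._http_send

    def _http_send(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)
        req.add_header("Accept", "application/scim+json")
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def find_user(self, email):
        # SCIM filter values are double-quoted; escape the two special characters
        escaped = email.replace("\\", "\\\\").replace('"', '\\"')
        path = "/Users?filter=" + quote(f'userName eq "{escaped}"')
        status, body = self._send("GET", path)
        if status != 200:
            raise RuntimeError(f"user lookup failed: HTTP {status}")
        resources = body.get("Resources", [])
        return resources[0] if resources else None

    def delete_user(self, user_id):
        status, _ = self._send("DELETE", "/Users/" + quote(user_id, safe=""))
        if status not in (204, 404):
            raise RuntimeError(f"delete failed: HTTP {status}")
        return status == 204  # False means the user was already gone

    def purge_if_inactive(self, email):
        """Delete only users the directory already reports as deactivated."""
        user = self.find_user(email)
        if user is None:
            return "not_found"
        if user.get("active", True):
            return "still_active"  # refuse: Okta still provisions this user
        self.delete_user(user["id"])
        return "deleted"


class FakeScimDirectory:
    """In-memory stand-in for a SCIM server, holding constructed sample users."""

    FILTER_RE = re.compile(r'userName eq "((?:[^"\\]|\\.)*)"')

    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}

    def __call__(self, method, path, body=None):
        if method == "GET" and path.startswith("/Users?filter="):
            match = self.FILTER_RE.fullmatch(unquote(path.split("filter=", 1)[1]))
            wanted = match.group(1).replace('\\"', '"').replace("\\\\", "\\") if match else None
            hits = [u for u in self.users.values() if u["userName"] == wanted]
            return 200, {"totalResults": len(hits), "Resources": hits}
        if method == "DELETE" and path.startswith("/Users/"):
            user_id = unquote(path[len("/Users/"):])
            if self.users.pop(user_id, None) is not None:
                return 204, None
            return 404, {"status": "404"}
        return 400, {"status": "400"}


# Constructed sample data: one active user and two Okta has deactivated.
SAMPLE_USERS = [
    {"id": "u-1", "userName": "alice@example.com", "active": True},
    {"id": "u-2", "userName": "bob@example.com", "active": False},
    {"id": "u-3", "userName": "carol@example.com", "active": False},
]


def demo():
    """Run the purge against the fake directory; returns (outcomes, remaining ids)."""
    directory = FakeScimDirectory(SAMPLE_USERS)
    client = ScimClient(SCIM_BASE_URL, "TOKEN-PLACEHOLDER", transport=directory)
    outcomes = {email: client.purge_if_inactive(email)
                for email in ["alice@example.com", "bob@example.com", "nobody@example.com"]}
    return outcomes, sorted(directory.users)


if __name__ == "__main__":
    print(demo())
```

Against a real endpoint you would drop the `transport=` argument so `_http_send` is used, and run it first with the 1-2 test accounts recommended earlier in this guide. The `still_active` guard is the important design choice: the workflow trigger ("user deactivated") and the SCIM record can disagree for a moment, and deleting a user who is still active loses their data, so the script checks the directory's own view before issuing the DELETE.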
SecureFlag Okta User Delete Workflow Connector
Authorization
Generate a SCIM token using the instructions here. Then, create a connection as follows:
- From the Connections page, click New Connection.
- In the New Connection dialog, add a string to the Connection Nickname field. This is useful when creating multiple connections to share with your team.
- Paste the SCIM token created in the prerequisites section into the SCIM Authentication Token field.
- Click Create.
Cards - Remove SecureFlag License
Removes a SecureFlag license corresponding to the given user email. Returns nothing unless an error occurs.
Inputs:

| Label | Definition | Type | Required |
| --- | --- | --- | --- |
| User Email | User Email of the SecureFlag license to remove | Text | Yes |

Outputs:

| Label | Definition | Type |
| --- | --- | --- |
| User Email | User Email of the SecureFlag license to remove | Number |