Okta (SAML2 SSO, SCIM Provisioning)

Okta can be connected to Flexopus via the standard authentication protocol SAML2. You can also configure the SCIM API for user synchronization.

This article will cover the following instructions:

What is Okta?

It's an enterprise-grade, identity management service, built for the cloud, but compatible with many on-premises applications. With Okta, IT can manage any employee's access to any application or device. Okta runs in the cloud, on a secure, reliable, extensively audited platform, which integrates deeply with on-premises applications, directories, and identity management systems.

Visit the official website for more information: https://www.okta.com/

SAML2 Single Sign On (SSO) configuration between Okta and Flexopus for user authentication

Follow the instructions:

  1. Go to your Okta Dashboard and click on the Applications > Applications tab on the Create App Integration Button.
  2. A popup will open. Select the SAML2.0 option and click on "Next".
  3. App name: Flexopus
    Logo: Leave it empty.
    Option: Leave the unselected.
  4. Single sign On URL:
    Audience URl (SP Entity ID) :
    Name ID format: Persisten
    Default RelayState: initiate-sp-login
  5. No need to change the Advanced Settings, still here is a screenshot about the default settings:
  6. Select: I'm an Okta customer adding an internal app
    Select: It's required to contact the vendor to enable SAML
    You can optionally give some information to Okta about Flexopus:
    (optional) First Field: https://flexopus.com
    (optional) Second Field: https://help.flexopus.com/de/integration-okta-sso
    (optional) Third Field: no tips and additional comments.
    Click on "Finish" at the end.
  7. Click on the "View SAML setup instructions"
  8. Configure the correct attribute mappings.
    *Note that the department and the jobtitle is only an optional attribute for Flexopus. You can also leave it empty.
    Name Name format Value
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname URl Reference user.firstname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress URl Reference user.email
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn URl Reference user.login
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname URl Reference user.lastName
    department Basic user.department
    jobtitle Basic user.title
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name URl Reference user.displayName

  9. To finish the configuration, we need to share the metadata with Flexopus. Since Okta provides neither a direct metadata URL nor a Metadata File, you need to create the Metadata file for yourself like this:
    Copy the content of the optional field in the bottom called: "Provide the following IDP metadata to your SP provider."
    Create an empty XML file locally on your PC and copy the content into it.
  10. Go to the Flexopus Dashboard. Settings > Authentication > Add provider > SAML2 SSO 
    Activate the SAML2 SSO
    Select the configuration method 'Metadata File'
    Upload the XML File
    SAML2 Label: SSO Login (this will be text on the login button)
    Synchronize Groups: Leave it empty. This is only relevant for the customers that have no SCIM connection at their IDP provider. Okta provides a SCIM API for group and user provisioning.
    Don't forget to save the settings in the bottom.
  11. Assign a test user to the application and test the connection at Flexopus.
  12. (optional) If you want to use only the SSO for login, deactivate the Password + Email login form at Flexopus (We recommend doing it after you finished the SCIM configuration.):
  13. (optional) Troubleshooting:
    Please check the configuration manual again or contact our support: support@flexopus.com


SCIM API configuration between Okta and Flexopus for user and group provisioning 

The custom standard SCIM provisioning at OKTA is not working at the moment as intended. An issue was reported to the OKTA technical support team. Please skip this configuration manual and execute the configuration prozess as described in the OKTA SCIM WORKAROUND section (scroll down)
Date: 2023-10-30

Optionally, you can also configure a user and group provisioning between Okta and Flexopus.

Follow the instructions to configure SCIM:

  1. Click on "Edit" at the App Settings
  2. Select: Enable SCIM provisioning
  3. A new tab appears: Provisioning.
    Visit the Provisioning tab and click on "Edit"
  4. SCIM connector base URL: https://{your-flexopus-domain}/api/scim/v2
    Unique identifier field for users: userName
    Select options: Push New Users, Push Profile Updates, Push Groups
    Select option: HTTP Header
    Generate a token in Flexopus. (Settings > Single Sign On / Integrations > SCIM)
  5. Click on test. Test results looks like this:
  6. Save the settings.
  7. In the Provisioning tab select the "To App" menu point and click on Edit.
  8. Enable: Select Create Users
    Enable: Update User Attributes
    Enable: Deactivate Users
    The fourth option is not needed.
  9. Edit the attribute mapping to send only the necessary attributes through SCIM to Flexopus.
    Only keep the following mappings:
  10. The Display Name need to be changed.
    Attribute value:
String.len(user.displayName) > 0 ? user.displayName : user.firstName + " " + user.lastName

"Create and Update"

11.   Save the settings

12.   Test the connection by assigning a group to Flexopus. The groups should be synced to Flexopus within a few minutes. 

13.    (optional) Troubleshooting:
Please check the configuration manual again or contact our support: support@flexopus.com

OKTA SCIM Workaround

At the current time (2023-10-30), due to a malfunction at Okta, the SCIM interface must be set up in SCIM via a detour. The normal "application" that we used for the SAML2 connection offers the "Provisioning" option, but cannot be used due to a technical error on the part of Okta. The problem has been reported by us to Okta and we hope that it will change in the future. For the time being, you can use the alternative solution as follows:

Vor der Konfiguration lesen!
With Okta, the user groups are synchronized bidirectionally. In other words, you can send groups from Okta to Flexopus, but also from Flexopus to Okta. We don't need the second one, but we can't prevent it either, at least we haven't found a corresponding setting in Okta. For this reason, you should do the following before you configure:

 (1) Make sure that the names of the existing Flexopus groups do not overlap with the Okta groups, otherwise Okta will not be able to resolve the groups.

(2) Since the "To Okta" use case is not relevant for us, we can resolve all attribute mappings and limit the data exchange to Okta as much as possible.

  1. Install new app
    Application > Browse App Catalog--> SCIM 2.0 Test App (Header Auth)
  2. You can rename the application. For example: Flexopus SCIM App
  3. Unfortunately, SAML2 cannot be configured in this application, so you can skip the settings below with the "Done" button. We have already configured SAML2 with the other application anyway.
  4. Click on Provisioning and start the settings with "Configure API Integration"
  5. Base URL: https://{your-flexopus-domain}/api/scim/v2
    API Token: Bearer {scim-token} 
    Important! You must also insert the "Bearer" part!
  6. Enable: Select Create Users
    Enable: Update User Attributes
    Enable: Deactivate Users
  7. Edit the attribute mapping to send only the required attributes to Flexopus via SCIM.
    Keep only the following mappings:
  8. You can then link the groups to the application, to Assignment and to Push Groups.
  9. Test the connection by assigning a group to Flexopus. The groups should be synchronized with Flexopus within a few minutes.
  10. (optional) Troubleshooting:
    Please check the configuration again or contact our support team: support@flexopus.com