Configure SSO authentication with Okta

Here are the steps to configure Okta with Devolutions Hub Business for SSO authentication.

An Okta account with the appropriate rights is required.

Domain verification

In Devolutions Hub Business

  1. Go to Administration – Authentication – Domain, then click on Add Domain.

    Administration – Authentication – Domain – Add domain

  2. Fill in your domain, then click on the checkmark to start the verification process.

    Domain

    For security purposes, only emails that end with your domain name will be allowed to log in to Devolutions Hub using Okta authentication. For example, if your employees' emails are in the format "bob@windjammer.co", your domain is "windjammer.co".

  3. To have multiple domains, click Add Domain once again, fill in your other domain, then click on the checkmark. Repeat this process for every domain you wish to add.

    Multiple domains

  4. Create a DNS TXT Record using the provided Host name and TXT value. This allows us to verify the ownership of the domain(s) supplied.

    Host name and TXT value

    We recommend that you verify that your configuration is adequate through DNS querying tools such as MXToolBox or whatsmydns.net. The example below uses MXToolBox's TXT Lookup tool. The first part of the Domain Name must match the Host name in Devolutions Hub and the Record must match the TXT value in Devolutions Hub as well.

    DNS TXT Records can take a while to propagate.

    DNS TXT Record in MXToolBox

  5. Await domain verification. Upon successful verification, a checkmark within a green circle will display next to the domain. You may proceed to configure Single Sign-On (SSO) during the verification process; however, user provisioning will become accessible only after the domain has been verified.

    Verified domain

    This validation lasts for 48 hours and does not restart automatically after that period. If you do not configure your TXT record within those 48 hours, your validation status will be Expired. If that happens, you can click on Retry.

    If you experience any issues while trying to verify your domain, visit our Domain validation troubleshooting guide.
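
The TXT check from step 4 can also be scripted. The following is an added example, not part of the Devolutions documentation: it parses `dig +short TXT` output, rejoins records that DNS splits into several quoted chunks, and reports per resolver whether the exact value is visible yet. The host name, TXT value and resolver addresses are constructed placeholders; use the ones shown in Devolutions Hub.

```python
import re
import subprocess

# One quoted chunk of a TXT answer as printed by `dig +short TXT`
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_txt_answers(dig_output):
    """Turn `dig +short TXT` output into one decoded string per record."""
    records = []
    for line in dig_output.splitlines():
        chunks = _QUOTED.findall(line)
        if not chunks:
            continue  # blank line or a non-TXT line such as a CNAME target
        # A long record comes back as several quoted chunks; join them
        joined = "".join(chunks)
        # Undo \" and \\ escapes (dig's \DDD byte escapes are not decoded here)
        records.append(re.sub(r"\\(.)", r"\1", joined))
    return records

def txt_record_published(dig_output, expected_value):
    """True only on an exact match; extra whitespace or truncation is a miss."""
    return expected_value in parse_txt_answers(dig_output)

def query_txt(fqdn, resolver):
    """Ask one resolver directly (needs dig and network access)."""
    cmd = ["dig", "+short", "TXT", fqdn, "@" + resolver]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout

def propagation_report(fqdn, expected_value, resolvers, query=query_txt):
    """Map each resolver to True/False so partial propagation is visible."""
    return {r: txt_record_published(query(fqdn, r), expected_value)
            for r in resolvers}

# Constructed sample: an unrelated SPF record plus the verification value,
# returned by the resolver in two chunks.
SAMPLE_EXPECTED = "placeholder-txt-value-from-hub"
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.net ~all"\n'
    '"placeholder-txt-" "value-from-hub"\n'
)

if __name__ == "__main__":
    print(parse_txt_answers(SAMPLE_DIG_OUTPUT))
    print(txt_record_published(SAMPLE_DIG_OUTPUT, SAMPLE_EXPECTED))
```

For a live check, call `propagation_report` with the full record name (Host name plus your domain) and a list of resolver IP addresses; a mix of True and False means the record is still propagating.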

Single Sign-On (SSO) configuration

  1. Go to Administration – Authentication – Single Sign-On (SSO), then click on Okta Single Sign-On (SSO). You will be directed to the configuration page.

    Administration – Authentication – Single Sign-On (SSO) – Okta Single Sign-On (SSO)

  2. Name your SSO configuration. This name will only appear in your Devolutions Hub SSO settings menu. The default name is "Okta".

    Configuration name

    Do not close this setup page, as the following steps will show you where to find the information to enter in its fields.

In Okta

  1. Log in to your Okta account.

  2. In Applications, click Create App Integration.

    Applications – Create App Integration

  3. For the Sign-in method, select OIDC - OpenID Connect.

    Sign-in method – OIDC - OpenID Connect

  4. For the Application type, select Web Application.

    Application type – Web Application

  5. Click Next. The New Web App Integration settings page will appear.

  6. Under General Settings, enter an App integration name.

    App integration name

    The app name does not need to match the one in Devolutions Hub. We recommend including either "Devolutions" or "Hub" in the name.

  7. In Grant type, check Refresh Token and Implicit (hybrid).

    Grant type

In Devolutions Hub Business

  1. Back on the Configure Single Sign-On (SSO) page, copy the Callback URL by clicking on the Copy to Clipboard icon next to it.
    Copy the Callback URL

In Okta

  1. Back in Okta, paste the Callback URL in the Sign-in redirect URIs field.
    Sign-in redirect URIs

In Devolutions Hub Business

  1. Back on the Configure Single Sign-On (SSO) page, copy the Logout redirect URL by clicking on the Copy to Clipboard icon next to it.
    Copy the Logout redirect URL

In Okta

  1. Back in Okta, paste the Logout redirect URL in the Sign-out redirect URIs field.

    Sign-out redirect URIs

  2. Under Assignments, select the Controlled access option that best suits your needs. This choice is left to your discretion.

    If you choose to Allow everyone in your organization to access, do not check the Enable immediate access with Federation Broker Mode option, as doing so would prevent you from enabling SCIM provisioning in the future. If you choose to Limit access to selected groups or Skip group assignment for now, you must manually assign to this app the users you wish to authorize to connect to your Devolutions Hub Business via Okta.

    Assignments

  3. Click Save. You will be redirected to your new SSO application.

  4. Copy the Client ID by clicking on the Copy to clipboard icon next to it.

    Copy the Client ID

In Devolutions Hub Business

  1. Back on the Configure Single Sign-On (SSO) page, paste the Client ID from the last step in the field of the same name.
    Client ID

In Okta

  1. Back in Okta, copy the Client secret by clicking on the Copy to clipboard icon next to it.
    Copy the Client secret

Do not close this setup page, as the following steps will require you to make further changes in it.

In Devolutions Hub Business

  1. Back on the Configure Single Sign-On (SSO) page, paste the Client secret from the last step in the Client secret Key field.

    Client secret Key

  2. In Discovery URL, enter the URL you use to access Okta, without the "-admin" part.

    Do not test the connection just yet, as a few additional steps are required in Okta.

    Discovery URL
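
Before pasting the Discovery URL, you can derive it from the admin console address and sanity-check the OpenID Connect metadata Okta publishes for it. The following is an added example, not part of the Devolutions documentation; it assumes the standard OIDC discovery path `/.well-known/openid-configuration` and an org without a custom domain, and the org name and metadata document are constructed samples.

```python
from urllib.parse import urlsplit

def org_url_from_admin_url(url):
    """Drop "-admin" from the first host label and discard any path."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// Okta URL")
    first, _, rest = parts.hostname.partition(".")
    if first.endswith("-admin"):
        first = first[: -len("-admin")]
    if not first or not rest:
        raise ValueError("unexpected host name: " + parts.hostname)
    return f"https://{first}.{rest}"

def discovery_document_url(org_url):
    """Where the OIDC metadata for this issuer is published."""
    return org_url.rstrip("/") + "/.well-known/openid-configuration"

def check_discovery_document(org_url, doc):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    # OIDC Discovery requires the issuer to equal the URL the document was found under
    if doc.get("issuer") != org_url:
        problems.append(f"issuer is {doc.get('issuer')!r}, expected {org_url!r}")
    host = urlsplit(org_url).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        endpoint = urlsplit(doc.get(key, ""))
        if endpoint.scheme != "https" or endpoint.hostname != host:
            problems.append(f"{key} is not an https URL on {host}")
    return problems

# Constructed sample: address bar of the admin console and the metadata
# fetched from discovery_document_url(...) for the derived org URL.
SAMPLE_ADMIN_URL = "https://example-org-admin.okta.com/admin/dashboard"
SAMPLE_DOC = {
    "issuer": "https://example-org.okta.com",
    "authorization_endpoint": "https://example-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://example-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://example-org.okta.com/oauth2/v1/keys",
}

if __name__ == "__main__":
    org = org_url_from_admin_url(SAMPLE_ADMIN_URL)
    print(org, discovery_document_url(org))
    print(check_discovery_document(org, SAMPLE_DOC) or "metadata consistent")
```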

In Okta

  1. Click Edit in the General Settings section.
    Edit the General Settings
  2. Set the Refresh token behavior to Rotate token after every use.
    Rotate token after every use
  3. Click Save.
  4. In the Assignment tab at the top, make sure each user you want to use to test the configuration is assigned to the application. For more details, see Okta's own documentation on user management and application assignment.
    Assignment

In Devolutions Hub Business

  1. Test the configuration in Devolutions Hub. A new window should open to connect you to Devolutions Hub through Okta. You will get a success message when connected.

If the popup page does not appear, see Devolutions login page does not open in the browser.

  2. Click Save in the Summary of your Okta SSO configuration.
    Save the configuration

You should now see that the SSO configuration has a green checkmark icon next to it. This means that your SSO configuration through Okta is now enabled on your hub.

Active SSO configuration

Provisioning configuration

Synchronize your users and user groups from your providers to the hub.

Settings

This feature will be available soon!
