Here are the steps to configure Okta with Devolutions Hub Business for SSO authentication.
An Okta account with the appropriate rights is required.
Domain verification
In Devolutions Hub Business
- Go to Administration – Authentication – Domain, then click on Verify domain.
- Fill in your Domain, then click on Verify domain again.
For security purposes, only emails that end with your domain name will be allowed to log in to Devolutions Hub using Okta authentication. For example, if your employees' emails are in the format "bob@windjammer.co", your domain is "windjammer.co".
- Create a DNS TXT Record using the provided Hostname and TXT value. This allows us to verify the ownership of the domain supplied.
We recommend that you verify that your configuration is adequate through DNS querying tools such as MXToolBox or whatsmydns.net. The example below uses MXToolBox's TXT Lookup tool. The first part of the Domain Name must match the Hostname in Devolutions Hub and the Record must match the TXT value in Devolutions Hub as well.
DNS TXT Records can take a while to propagate.
[Screenshot: DNS TXT Record in MXToolBox]
- If everything matches up, click Done.
- Wait for the verification status to change from Pending to Verified.
This validation lasts for 48 hours and does not restart automatically after that period. If you do not configure your TXT record within those 48 hours, your validation status will be Expired. If that happens, you can click on Retry.
If you experience any issues while trying to verify your domain, visit our Domain validation troubleshooting guide.
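The TXT check described above can also be done locally. This is an added example, not Devolutions code: it parses the output of `dig +short TXT <name>` and compares it with the value shown in the Hub. `HOSTNAME` and `TXT_VALUE` are placeholders, the function names are hypothetical, and the sample output is constructed.

```python
import re

DOMAIN = "windjammer.co"           # example domain used on this page
HOSTNAME = "HOSTNAME-FROM-HUB"     # placeholder: copy from the Verify domain dialog
TXT_VALUE = "TXT-VALUE-FROM-HUB"   # placeholder: copy from the Verify domain dialog

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def query_name(hostname: str, domain: str) -> str:
    """Name to look up. Assumes the Hub hostname is either a label to put
    in front of the domain or already the full name."""
    host = hostname.strip().rstrip(".").lower()
    dom = domain.strip().rstrip(".").lower()
    if host == dom or host.endswith("." + dom):
        return host
    return f"{host}.{dom}"


def parse_dig_txt(output: str) -> list[str]:
    """One string per TXT record from `dig +short TXT <name>` output.
    A record longer than 255 bytes is printed as several quoted chunks
    on one line; the chunks are joined back together."""
    records = []
    for line in output.splitlines():
        chunks = _QUOTED.findall(line)
        if chunks:
            records.append("".join(chunks))
    return records


def verification_status(dig_output: str, expected: str) -> str:
    """'match', 'missing' (nothing published or not propagated yet),
    'whitespace' (value differs only by stray spaces), or 'mismatch'."""
    records = parse_dig_txt(dig_output)
    if not records:
        return "missing"
    if expected in records:
        return "match"
    if expected.strip() in (r.strip() for r in records):
        return "whitespace"
    return "mismatch"


# Constructed sample output: an unrelated SPF record plus the Hub value,
# the latter split into two chunks as a resolver may print it.
SAMPLE = '"v=spf1 -all"\n"TXT-VALUE-" "FROM-HUB"\n'
```

A "missing" result for the name returned by `query_name(HOSTNAME, DOMAIN)` usually means the record has not propagated yet or was created under a different name, for example when the DNS provider appends the zone to a hostname that already contains it.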
Single Sign-On (SSO) configuration
- Once the domain is verified, go to Administration – Authentication – Single Sign-On (SSO), then click on Okta Single Sign-On (SSO). You will be directed to the configuration page.
- Name your SSO configuration. This name will only appear in your Devolutions Hub SSO settings menu. The default name is "Okta".
Do not close this setup page, as the following steps will show you where to find the information to enter in its fields.
In Okta
- Log in to your Okta account.
- In Applications, click Create App Integration.
- For the Sign-in method, select OIDC - OpenID Connect.
- For the Application type, select Web Application.
- Click Next. The New Web App Integration settings page will appear.
- Under General Settings, enter an App integration name.
The app name does not need to match the one in Devolutions Hub. We recommend including either "Devolutions" or "Hub" in the name.
- In Grant type, check Refresh Token and Implicit (hybrid).
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, copy the Callback URL by clicking on the Copy to Clipboard icon next to it.
In Okta
- Back in Okta, paste the Callback URL in the Sign-in redirect URIs field.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, copy the Logout redirect URL by clicking on the Copy to Clipboard icon next to it.
In Okta
- Back in Okta, paste the Logout redirect URL in the Sign-out redirect URIs field.
- Under Assignments, select the Controlled access option that best suits your needs. This choice is left to your discretion.
If you choose to Allow everyone in your organization to access, do not check the Enable immediate access with Federation Broker Mode option, as doing so would prevent you from enabling SCIM provisioning in the future. If you choose to Limit access to selected groups or Skip group assignment for now, you must manually assign to this app the users you wish to authorize to connect to your Devolutions Hub Business via Okta.
- Click Save. You will be redirected to your new SSO application.
- Copy the Client ID by clicking on the Copy to clipboard icon next to it.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, paste the Client ID from the last step in the field of the same name.
In Okta
- Back in Okta, copy the Client secret by clicking on the Copy to clipboard icon next to it.
Do not close this setup page, as the following steps will require you to make further changes in it.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, paste the Client secret from the last step in the Client secret Key field.
- In Discovery URL, enter the URL you use to access Okta, without the "-admin" part.
Do not test the connection just yet, as a few additional steps are required in Okta.
In Okta
- Click Edit in the General Settings section.
- Set the Refresh token behavior to Rotate token after every use.
- Click Save.
- In the Assignment tab at the top, make sure each user you want to use to test the configuration is assigned to the application. For more details, see Okta's own documentation on user management and application assignment.
In Devolutions Hub Business
- Test the configuration in Devolutions Hub. A new window should open to connect you to Devolutions Hub through Okta. You will get a success message when connected.
If the popup does not appear, your browser or browser extension may be blocking it. You will need to change your browser and/or extension settings. If this still does not work, deactivating/removing the extension or changing your browser may also solve the problem.
- Click Save in the Summary of your Okta SSO configuration.
You should now see that the SSO configuration has a green checkmark icon next to it. This means that your SSO configuration through Okta is now enabled on your hub.
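If the connection test fails, the Discovery URL is a common place to look. The following added example (not Devolutions or Okta code) derives the value for that field from the URL used to reach Okta and checks a discovery document against it. It assumes the standard OpenID Connect discovery path; the function names are hypothetical, "your-org" is a placeholder tenant name and the sample document is constructed.

```python
from urllib.parse import urlsplit

# Standard OpenID Connect discovery path (assumed to be what is fetched).
WELL_KNOWN = "/.well-known/openid-configuration"


def discovery_base(url: str) -> str:
    """Turn the URL used to reach Okta (admin console or not) into the
    org base URL: https only, '-admin' removed from the first label,
    no path, query or credentials."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// URL")
    if parts.username or parts.password:
        raise ValueError("URL must not carry credentials")
    labels = parts.hostname.lower().split(".")
    if labels[0].endswith("-admin") and len(labels[0]) > len("-admin"):
        labels[0] = labels[0][: -len("-admin")]
    return "https://" + ".".join(labels)


def metadata_problems(base: str, doc: dict) -> list[str]:
    """Compare a discovery document (fetched from base + WELL_KNOWN)
    with the base URL entered in the Discovery URL field."""
    problems = []
    if doc.get("issuer", "").rstrip("/") != base:
        problems.append("issuer does not match the Discovery URL")
    host = urlsplit(base).hostname
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        ep = urlsplit(doc.get(key, ""))
        if ep.scheme != "https" or ep.hostname != host:
            problems.append(f"{key} is missing or not on {host}")
    return problems


# Constructed sample document; "your-org" is a placeholder tenant name.
GOOD = {
    "issuer": "https://your-org.okta.com",
    "authorization_endpoint": "https://your-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-org.okta.com/oauth2/v1/token",
    "jwks_uri": "https://your-org.okta.com/oauth2/v1/keys",
}
```

An issuer that still contains "-admin", or endpoints on a different host than the issuer, is a sign that the wrong URL was entered.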
Provisioning configuration
Synchronize your users and user groups from your providers to the hub.
Settings
This feature will be available soon!