Here are the steps to configure Okta with Devolutions Hub Business for SSO authentication.
An Okta account with the appropriate rights is required.
Domain verification
In Devolutions Hub Business
- Go to Administration – Authentication – Domain, then click on Add Domain.
- Fill in your domain, then click on the checkmark to start the verification process.
For security purposes, only emails that end with your domain name will be allowed to log in to Devolutions Hub using Okta authentication. For example, if your employees' emails are in the format "bob@windjammer.co", your domain is "windjammer.co".
- To have multiple domains, click Add Domain once again, fill in your other domain, then click on the checkmark. Repeat this process for every domain you wish to add.
- Create a DNS TXT Record using the provided Host name and TXT value. This allows us to verify the ownership of the domain(s) supplied.
We recommend that you verify that your configuration is adequate through DNS querying tools such as MXToolBox or whatsmydns.net. The example below uses MXToolBox's TXT Lookup tool. The first part of the Domain Name must match the Host name in Devolutions Hub and the Record must match the TXT value in Devolutions Hub as well.
DNS TXT Records can take a while to propagate.
- Await domain verification. Upon successful verification, a checkmark within a green circle will display next to the domain. You may proceed to configure Single Sign-On (SSO) during the verification process; however, user provisioning will become accessible only after the domain has been verified.
This validation lasts for 48 hours and does not restart automatically after that period. If you do not configure your TXT record within those 48 hours, your validation status will be Expired. If that happens, you can click on Retry.
If you experience any issues while trying to verify your domain, visit our Domain validation troubleshooting guide.
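The TXT check described above can also be scripted against `dig +short TXT` output. This is an added example, not Devolutions code; the host name, TXT value and dig outputs are constructed placeholders to be replaced with the values shown in the hub.

```python
import shlex
import subprocess

# Constructed placeholders: copy the real Host name and TXT value from the hub.
HOST_NAME = "HOST-NAME-FROM-HUB.windjammer.co"
EXPECTED = "TXT-VALUE-FROM-HUB"

def parse_txt_answers(dig_output):
    """Return the TXT values in `dig +short TXT` output, one per answer line.

    A long record is printed as several quoted chunks on one line;
    the chunks are concatenated here before comparison.
    """
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            records.append("".join(shlex.split(line)))
    return records

def check_record(dig_output, expected_value):
    """Classify a lookup result against the TXT value shown in the hub."""
    records = parse_txt_answers(dig_output)
    if expected_value in records:
        return "match"
    wanted = expected_value.strip().lower()
    if any(r.strip().lower() == wanted for r in records):
        return "near-match"  # stray whitespace or changed case in the record
    return "mismatch" if records else "missing"

def query_txt(host_name):
    """Live lookup; needs network access and the dig utility."""
    result = subprocess.run(["dig", "+short", "TXT", host_name],
                            capture_output=True, text=True, check=True)
    return result.stdout

# Constructed dig outputs, so the checks below run offline.
SAMPLES = {
    "published": '"v=spf1 -all"\n"TXT-VALUE-FROM-HUB"\n',
    "chunked": '"TXT-VALUE-" "FROM-HUB"\n',
    "trailing space": '"TXT-VALUE-FROM-HUB "\n',
    "other records only": '"v=spf1 -all"\n',
    "not propagated": "",
}

if __name__ == "__main__":
    # For a live check: check_record(query_txt(HOST_NAME), EXPECTED)
    for label, output in SAMPLES.items():
        print(f"{label}: {check_record(output, EXPECTED)}")
```

A "missing" result usually means the record has not propagated yet or was created under a different name than the Host name shown in the hub.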
Single Sign-On (SSO) configuration
- Go to Administration – Authentication – Single Sign-On (SSO), then click on Okta Single Sign-On (SSO). You will be directed to the configuration page.
- Name your SSO configuration. This name will only appear in your Devolutions Hub SSO settings menu. The default name is "Okta".
Do not close this setup page, as the following steps will show you where to find the information to enter in its fields.
In Okta
- Log in to your Okta account.
- In Applications, click Create App Integration.
- For the Sign-in method, select OIDC - OpenID Connect.
- For the Application type, select Web Application.
- Click Next. The New Web App Integration settings page will appear.
- Under General Settings, enter an App integration name.
The app name does not need to match the one in Devolutions Hub. We recommend including either "Devolutions" or "Hub" in the name.
- In Grant type, check Refresh Token and Implicit (hybrid).
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, copy the Callback URL by clicking on the Copy to Clipboard icon next to it.
In Okta
- Back in Okta, paste the Callback URL in the Sign-in redirect URIs field.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, copy the Logout redirect URL by clicking on the Copy to Clipboard icon next to it.
In Okta
- Back in Okta, paste the Logout redirect URL in the Sign-out redirect URIs field.
- Under Assignments, select the Controlled access option that best suits your needs. This choice is left to your discretion.
If you choose to Allow everyone in your organization to access, do not check the Enable immediate access with Federation Broker Mode option, as doing so would prevent you from enabling SCIM provisioning in the future. If you choose to Limit access to selected groups or Skip group assignment for now, you must manually assign to this app the users you wish to authorize to connect to your Devolutions Hub Business via Okta.
- Click Save. You will be redirected to your new SSO application.
- Copy the Client ID by clicking on the Copy to clipboard icon next to it.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, paste the Client ID from the last step in the field of the same name.
In Okta
- Back in Okta, copy the Client secret by clicking on the Copy to clipboard icon next to it.
Do not close this setup page, as the following steps will require you to make further changes in it.
In Devolutions Hub Business
- Back on the Configure Single Sign-On (SSO) page, paste the Client secret from the last step in the Client secret Key field.
- In Discovery URL, enter the URL you use to access Okta, without the "-admin" part.
Do not test the connection just yet, as a few additional steps are required in Okta.
In Okta
- Click Edit in the General Settings section.
- Set the Refresh token behavior to Rotate token after every use.
- Click Save.
- In the Assignment tab at the top, make sure each user you want to test the configuration with is assigned to the application. For more details, see Okta's own documentation on user management and application assignment.
In Devolutions Hub Business
- Test the configuration in Devolutions Hub. A new window should open to connect you to Devolutions Hub through Okta. You will get a success message when connected.
If the popup page does not appear, see Devolutions login page does not open in the browser.
- Click Save in the Summary of your Okta SSO configuration.
You should now see that the SSO configuration has a green checkmark icon next to it. This means that your SSO configuration through Okta is now enabled on your hub.
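To review the finished Okta application against the settings listed in this procedure, the following added example (not Devolutions or Okta code) audits an application object and derives the Discovery URL from the admin console URL. It assumes the field names of Okta's Apps API (`settings.oauthClient`); the org name, URLs and sample object are constructed.

```python
from urllib.parse import urlsplit

def discovery_url(admin_url):
    """Drop the "-admin" suffix from the Okta org label and any path."""
    host = urlsplit(admin_url).hostname or ""
    org, _, rest = host.partition(".")
    if org.endswith("-admin"):
        org = org[: -len("-admin")]
    return f"https://{org}.{rest}"

def audit_app(app, callback_url, logout_url):
    """Return the settings that differ from the procedure above."""
    oc = app.get("settings", {}).get("oauthClient", {})
    findings = []
    if oc.get("application_type") != "web":
        findings.append("application type is not Web Application")
    missing = {"refresh_token", "implicit"} - set(oc.get("grant_types", []))
    findings += [f"grant type not enabled: {g}" for g in sorted(missing)]
    if callback_url not in oc.get("redirect_uris", []):
        findings.append("Callback URL missing from Sign-in redirect URIs")
    if logout_url not in oc.get("post_logout_redirect_uris", []):
        findings.append("Logout redirect URL missing from Sign-out redirect URIs")
    if oc.get("refresh_token", {}).get("rotation_type") != "ROTATE":
        findings.append("refresh token is not rotated after every use")
    return findings

# Constructed values: copy the real URLs from the hub's SSO setup page.
CALLBACK_URL = "https://HUB-CALLBACK-URL.example/callback"
LOGOUT_URL = "https://HUB-LOGOUT-URL.example/logout"

# Constructed application object with two deliberate deviations:
# no Sign-out redirect URI, and a static (non-rotating) refresh token.
SAMPLE_APP = {
    "label": "Devolutions Hub",
    "settings": {"oauthClient": {
        "application_type": "web",
        "grant_types": ["authorization_code", "implicit", "refresh_token"],
        "redirect_uris": [CALLBACK_URL],
        "post_logout_redirect_uris": [],
        "refresh_token": {"rotation_type": "STATIC"},
    }},
}

if __name__ == "__main__":
    print(discovery_url("https://windjammer-admin.okta.com/admin/apps/active"))
    for finding in audit_app(SAMPLE_APP, CALLBACK_URL, LOGOUT_URL):
        print("FINDING:", finding)
```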
Provisioning configuration
Synchronize your users and user groups from your providers to the hub.
Settings
This feature will be available soon!