To control access to the Syncly web app we support various federation providers. This page outlines how to set this up with OKTA.
If you use Azure AD, please follow this guide instead.
If you use another provider not listed here, we support any IdP that implements the OpenID Connect standard. Please reach out to Syncly support if you need assistance: support@syncly.io
In each case, the IdP needs the redirect URI of the server chosen when the web app was set up. The four roles 'User', 'System.Admin', 'Admin' and 'Plugin.User' need to be added in the provider and users assigned to them (for more information about roles please read this). Note that we can also map group claims to roles via application configuration.
- Create a new app integration in OKTA: select Sign-in method “OIDC - OpenID Connect” and Application type “Web Application”, and give it a name such as “Syncly App”.
- Assign the Sign-in redirect URI provided to you. It will be in the format https://company_name.syncly.io/signin-oidc
- Remove the Sign-out redirect URI as it is not required. Select “Skip group assignment for now”.
- Create Groups in OKTA: go to Directory -> Groups and create the following four groups:
- SynclyRoles.User
- SynclyRoles.Admin
- SynclyRoles.SystemAdmin
- SynclyRoles.PluginUser
- NOTE: When configuring a Regex-based Groups Claim (using the "Filter" claim type) in OpenID Connect, only groups that are created and local to Okta (Okta native groups) will be matched and included in the claim. AD-Synced groups, or any groups imported from outside of Okta, will not be matched by the Groups "Filter" claim type and therefore will not appear in the claim.
To include AD-Synced Groups in your Groups claim, you need to use a Groups Expression instead of a Filter. The Groups Expression allows you to specify the source (such as "active_directory") and retrieve both Okta and AD groups as needed.
For more details and step-by-step guidance, refer to Okta's support articles:
- Why isn’t my Groups claim returning Active Directory groups: https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups
- How to retrieve both Active Directory and Okta groups in OpenID Connect claims: https://support.okta.com/help/s/article/Can-we-retrieve-both-Active-Directory-and-Okta-groups-in-OpenID-Connect-claims
- Assign Groups to Syncly App: navigate to the application you created in step 1 -> Assignments tab, and assign all four groups to the application.
- Update OpenID Connect ID Token: go to the application you created in step 1 -> Sign On tab, edit the OpenID Connect ID Token, and set the Groups claim filter to "groups", "Matches regex", "SynclyRoles.*". Note that in a regex the dot is a wildcard, so this pattern also releases any group whose name merely begins with "SynclyRoles"; if you want only the literal "SynclyRoles." prefix to match, use "SynclyRoles\..*" instead.
- We then need to be provided with the following details:
- Client ID
- Client secret
- Your OKTA URL (the org URL that the tokens are issued from)
- Please send the client secret over a secure channel rather than in plain email, and rotate it in OKTA if it is ever exposed.
- You are finished!
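The following is an added example to illustrate what the steps above produce on the Syncly side; it is not Syncly's or Okta's code. Once the OIDC app integration and the "SynclyRoles.*" groups claim filter are in place, Okta's ID token carries a `groups` claim listing the user's matching groups, and the web app maps those group names to the four roles. The script below decodes a constructed ID token, checks `iss` and `aud`, applies the group filter and maps groups to roles. The mapping table, the issuer URL, the client ID and the sample groups are assumptions for the example (the page says group claims can be mapped to roles via application configuration but does not show that configuration's format); it also contrasts the page's regex "SynclyRoles.*" with the escaped, anchored form.

```python
"""Added example (not Syncly's or Okta's own code): map the Okta `groups`
claim in an OIDC ID token to Syncly roles."""
import base64
import json
import re

# Assumed mapping from the four Okta groups created on this page to the four
# Syncly roles. The real application configuration format is not shown here.
GROUP_TO_ROLE = {
    "SynclyRoles.User": "User",
    "SynclyRoles.Admin": "Admin",
    "SynclyRoles.SystemAdmin": "System.Admin",
    "SynclyRoles.PluginUser": "Plugin.User",
}

# The page's filter, "Matches regex" "SynclyRoles.*": the dot is a wildcard,
# so it also accepts names such as "SynclyRolesExtra". The escaped, anchored
# form only accepts names starting with the literal prefix "SynclyRoles.".
PAGE_FILTER = re.compile(r"SynclyRoles.*")
STRICT_FILTER = re.compile(r"^SynclyRoles\.")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here:
    in production the OIDC middleware verifies it against Okta's JWKS before
    any claim is trusted; this example only inspects the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def roles_from_claims(claims, issuer, client_id, group_filter=STRICT_FILTER):
    """Check iss/aud, then map the `groups` claim to Syncly roles.

    Returns (roles, ignored): `ignored` lists groups that pass the filter but
    have no role mapping, i.e. a misnamed group in Okta worth flagging."""
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        raise ValueError("token not issued for this client")
    roles, ignored = set(), []
    for group in claims.get("groups", []):
        if not group_filter.search(group):
            continue  # not a Syncly group; Okta's filter would not include it
        role = GROUP_TO_ROLE.get(group)
        if role is None:
            ignored.append(group)
        else:
            roles.add(role)
    return sorted(roles), ignored


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed ID token with a dummy signature for offline use."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "test"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.c2lnbmF0dXJl"  # base64url("signature"), not real


# Constructed sample claims: what Okta would put in the ID token for a user in
# two Syncly groups, one misnamed group and one unrelated group. Issuer and
# client ID are placeholders, not real values.
SAMPLE_ISSUER = "https://company_name.okta.com"
SAMPLE_CLIENT_ID = "0oaexampleclientid"
SAMPLE_CLAIMS = {
    "iss": SAMPLE_ISSUER,
    "aud": SAMPLE_CLIENT_ID,
    "sub": "00uexampleuser",
    "groups": ["SynclyRoles.User", "SynclyRoles.Admin",
               "SynclyRoles.Auditor", "Everyone"],
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(roles_from_claims(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID))
```

Running the script yields `(['Admin', 'User'], ['SynclyRoles.Auditor'])`: "Everyone" never reaches the mapping, and the misnamed group is reported rather than silently dropped. On the Okta side, if you need AD-synced groups as well, the page's regex filter has to be replaced by a Groups Expression; an expression of the form `Groups.startsWith("active_directory", "SynclyRoles", 100)` (Okta Expression Language, taken from Okta's documentation rather than from this page) returns the AD groups with that prefix.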