Configuring the SSO integration involves both the Okta and OpsRamp platforms and sets up redirects to your custom branding URL.

Prerequisites

  • Partners register with OpsRamp to get login credentials.
  • Provide a custom branding URL, such as .opsramp.com.

Configure Okta SSO integration

  1. Select Applications from the Applications menu.

  2. Search for the OpsRamp app and click the Add button.

  3. On the Add OpsRamp page in the General Settings - Required section, enter the website subdomain in the Subdomain field.

    You can find the subdomain on the Accounts > Clients page in the subdomain part of the Website URL. For example, it is the okta-cert part of okta-cert.app.opsramp.com.

  4. Click Done.

  5. From the Applications menu, select the OpsRamp app and review the settings on the Sign On tab.

  6. Select View Setup Instructions and configure the following:

    • Okta instructions Issuer URL
    • Redirection URL
    • Logout URL
    • Certificate

Configure OpsRamp SSO integration

  1. From All Clients, select a client.

  2. Go to Setup > Account.

  3. Select the Integrations and Apps tab.

  4. The Installed Integrations page displays all the installed applications. Note: If there are no installed applications, the Available Integrations and Apps page opens instead.

  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications along with the newly created application with the version.
    Note: You can also search for the application using the search option or the All Categories option.

  6. From Available Integrations and Apps, click + ADD on the Okta application and click Install.

  7. Enter:

    • Issuer URL: Identity provider Issuer URL
    • Redirection URL: SAML EndPoints for HTTP
    • Logout URL: URL for logging out
    • Certificate: x.509 Certificate

  8. (Optional) Provide user provisioning settings to enable JIT.

  9. Provision Username as: There are two ways to provision a user:

    • The Identity Provider’s Name Identifier option is selected by default. The user created in the SSO portal is reflected in OpsRamp.

    • Identity Provider’s Name Identifier with OpsRamp tenant-unique prefix: This option allows you to:

      • Create usernames with a unique 3-digit alphanumeric prefix that is generated automatically by the system.
      • Install the same identity provider across multiple OpsRamp tenants.
        Note: Once you enable this option and install the integration, you cannot revert your changes.
        Example: There are three partners, Partner P1, P2, and P3. Each partner has usernames created with a unique 3-digit alphanumeric prefix, like g0z.username1 for partner P1, p0w.username1 for partner P2, and t9q.username1 for partner P3.

      After installing the integration, when you click the integration name in the Configuration tab, the User Provision section will show the unique tenant prefix.

  10. Click Install.

    User Provision:

    Select the following details and click Save:

    • Provision Type: SCIM. When configuring the integration, you must select the SCIM provision type to synchronize users and groups when provisioning occurs. If you select JIT as the provision type, the JIT user is created during user login.
    • Default Role: The required user role.

  11. Copy the URL and Token information. These details are used when configuring Azure AD Provisioning settings.

  12. Define the following Map Attributes:

    Role mapping is required for groups and users.

    User:

    1. Select OpsRamp Entity as User and OpsRamp Property as Role.
    2. Click +. The Create User Mapping on Role popup is displayed.

    a. Third-party Entity: Enter the value.
    b. Third-party Property: Enter the value.
    OpsRamp Entity and OpsRamp Property are populated automatically.
    Under Add Property Values:
    c. Third-party Property Value: Enter the value that comes from the Azure side (from the payload).
    d. OpsRamp Property Value: Select the appropriate role corresponding to the Third-party Property Value. To add more property values, click +.
    e. Click Save. The mapping is saved and displayed.

    Similarly, map attributes for other entities like First Name, Last Name, Mobile Number, Phone, Email, etc.

    User Group:

    1. Select OpsRamp Entity as User Group and OpsRamp Property as Role.
    2. Click +. The Create User Group Mapping on Role popup is displayed.

    a. Third-party Entity: Enter the value.
    b. Third-party Property: Enter the value.
    OpsRamp Entity and OpsRamp Property are populated automatically.
    Under Add Property Values:
    c. Third-party Property Value: Enter the value that comes from the Azure side (from the payload).
    d. OpsRamp Property Value: Select the appropriate role corresponding to the Third-party Property Value. To add more property values, click +.
    e. Click Save. The mapping is saved and displayed.

If the Role is not configured in the Map Attributes section, the Default Role provided in User Provision is used for SSO.

Verify SSO integration

  1. From the Okta console, go to the OpsRamp Application.
  2. Click Sign On, and click View Setup Instructions.
  3. Verify the following settings:
    • Issuer URL: Identity Provider Issuer URL
    • Redirection URL: Identity Provider SSO URL
    • Logout URL: URL for logging out
    • Certificate: x.509 Certificate
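
The verification above can also be done outside the UI. The following is an added example, not OpsRamp or Okta code: it compares the four values copied from Okta with the values saved in OpsRamp, and compares the certificate by SHA-256 fingerprint of its decoded bytes so that line wrapping or CRLF differences introduced by pasting do not matter. The dictionary layout, hostnames, and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

URL_FIELDS = ("Issuer URL", "Redirection URL", "Logout URL")

def cert_fingerprint(pem_text):
    """SHA-256 of the certificate's DER bytes, ignoring PEM armor and line wrapping."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()

def compare_settings(okta, opsramp):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    for field in URL_FIELDS:
        # Exact comparison: an issuer is matched as an identifier, so even a
        # trailing slash or a case change counts as a difference.
        if okta[field].strip() != opsramp[field].strip():
            findings.append(f"{field}: values differ")
    for field in ("Redirection URL", "Logout URL"):
        # The browser is sent to these endpoints, so this example expects https.
        if urlsplit(opsramp[field].strip()).scheme != "https":
            findings.append(f"{field}: not https")
    if cert_fingerprint(okta["Certificate"]) != cert_fingerprint(opsramp["Certificate"]):
        findings.append("Certificate: fingerprints differ")
    return findings

# Constructed sample data. The hostnames are placeholders and the certificate
# body is filler bytes, not a real X.509 certificate.
def sample_pem(der, width, newline):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])

FILLER_DER = bytes(range(200))
OKTA = {
    "Issuer URL": "http://idp.example/exk-placeholder",
    "Redirection URL": "https://idp.example/app/placeholder/sso/saml",
    "Logout URL": "https://idp.example/logout",
    "Certificate": sample_pem(FILLER_DER, 64, "\n"),
}
# Same certificate re-wrapped at 76 columns with CRLF, as a paste might produce.
OPSRAMP = dict(OKTA, Certificate=sample_pem(FILLER_DER, 76, "\r\n"))

if __name__ == "__main__":
    print(compare_settings(OKTA, OPSRAMP))
```

A fingerprint mismatch means the two sides hold different certificates, in which case copy the certificate from the Okta setup instructions again.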

Provision a user

After configuring the OpsRamp-Okta integration, you can provision users.

In the OpsRamp UI …

  1. Navigate to the Accounts > Clients page.
  2. Click the Okta client and copy the subdomain part of the Website URL, which you need when specifying the subdomain in Okta. For example, copy the okta-cert part of okta-cert.app.opsramp.com.

Prepare to install.

  1. In Integrations > Integrations, click the SSO button to display the available SSO integrations.
  2. Click the Okta icon.
  3. Click the Install button. Continue in the Okta console to get the required integration parameters.

On the Okta console …

Enter the OpsRamp subdomain:

  1. Select Applications from the Applications menu.
  2. Click the Add button.
  3. On the Add OpsRamp page in the General Settings - Required section, enter the subdomain copied from OpsRamp in the Subdomain field: okta-cert.
  4. Click Done.

Set up the sign-on method:

  1. Select Applications from the Applications menu.

  2. Select the Sign On tab.

  3. Scroll down and click the View Setup Instructions button to configure SAML 2.0 for OpsRamp.

  4. From step six of the setup instructions, copy and save the values in the following fields:

    • Issuer
    • Redirection URL
    • Logout URL
    • Certificate

In the OpsRamp UI …

  1. Returning to the Install Okta Integration screen, enter the information copied from Okta:
    • Issuer URL
    • Redirection URL
    • Logout URL
    • Certificate
  2. Click Install.
  3. On the OKTA INTEGRATION page Configuration tab Properties section, verify the Issuer URL, Redirection URL, and Logout URL. The Provision Type should be SCIM.
  4. In the User Provision section, copy and save the URL and Token for the Okta base URL and API token fields.

On the Okta console …

Provision the user:

  1. On the Applications > Integration page, click the Provisioning tab.
  2. Scroll down and click Configure API Integration.
  3. Select Enable API integration.
  4. Enter the Base URL and the API Token copied from OpsRamp instructions.
  5. Click Test API Credentials. Successful credential verification displays the OpsRamp was verified successful! message.
  6. Click Save. On success, Provisioning settings saved! is displayed.

Add a user.

  1. Click the Assignments tab.
  2. Open another Okta console in a new tab and navigate to Directory > People.
  3. Click Add Person.
  4. Enter the required and any optional personal information in the provided fields. The Username must be an email address.
  5. For the Password field, choose Set by admin and enter a password.
  6. Click Save. A Person added! message displays.

Enable user provisioning.

  1. Navigate to Applications > Applications and choose the Provisioning tab.

  2. In the Provisioning to App panel, click Edit.

  3. Select Create User - Enable, Update User Attributes - Enable, and Deactivate Users - Enable.

  4. Select the following Enable options to complete the provisioning setup.

    • Create Users
    • Update User Attributes
    • Deactivate Users
  5. Click Save and wait for application setup verification. On success, a Provisioning settings saved! message displays.

Assign the OpsRamp application to the user.

  1. Return to the first tab and, from the Assign drop-down menu, choose Assign to People.
  2. Use the search bar to search for the user you added in the other Okta console.
  3. Find the entry for the user from the search results and click Assign.
  4. In the Assigned Applications section, click the Assign Applications button.
  5. Click OpsRamp in the application list.
  6. In the Applications > Assignments tab, click the Assign button and choose Assign to People.
  7. Find OpsRamp in the list and click Assign.
  8. For the user you want to assign to the OpsRamp application, click Assign.
  9. Edit the user information field you want to change and click Save and Go Back.
  10. Click Done to complete assigning users. The 1 person assigned successfully message displays.

In the OpsRamp UI …

Navigate to Accounts > Users and, after a short delay, see that the provisioned Okta user is added to the user list.

Unprovision a user

On the Okta console …

  1. Choose the Assignments tab.
  2. Click the X for the user to delete in the user list.
  3. Click OK to confirm that you want to unassign the user.

In the OpsRamp UI …

Refresh the Accounts > Users page to confirm the user is deleted from the list.

Notes:

  • Do not change the token used for SCIM user provisioning, because changing it prevents users from being updated or created.
  • Usernames should be unique across clients.