All Collections
Exporting/Syncing Emails
How to integrate with Okta (standard SAML+SCIM)?
How to integrate with Okta (standard SAML+SCIM)?

Learn how to integrate with Okta

Gergely Nagy avatar
Written by Gergely Nagy
Updated over a week ago

In this article, you will learn how to integrate Chamaileons' user access management and access control with Okta or with any other identity provider that implements SAML and SCIM interfaces.

Having your workspace integrated with Okta, organization member accounts can be provisioned from your identity provider, and users can log in to Chamaileon with SSO.

SAML setup in Chamaileon.

SAML setup in Chamaileon is an add-on that can be added to your plan. To enable this feature, you will need to reach out to Chamaileon support.

Here is what we will go through in this detailed article:

SAML Setup in Chamaileon

  1. To set up SAML in Chamaileon, on the Invite & manage members page, open the SAML setup modal by clicking SAML SETUP in the top right-hand corner.

2. You will find the Your login URL field and the User Management field prefilled.

  • Chamaileon prefers SCIM user management because it allows you to manage users as much as possible from Okta without opening Chamaileon.

  • Your login URL will need you later when you create a bookmark for this application.

3. Get your SAML metadata URL from your identity provider and copy it here. You can get it from Okta by creating an application.

4. Click SAVE SETTINGS to set up the connection.

5. In the case of SCIM user management please continue with Set up SCIM connection

6. In the case of SAML-only user management please continue with assigning users or groups to your workspace and creating the bookmark.

Create an Okta application and get the SAML metadata URL

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Click Create App Integration.

  3. Select SAML 2.0 and click Next.

  4. In the General Settings, enter the App name and check both App visibility options to hide this application.

    • We recommend using bookmarks because of security reasons (men-in-middle attacks).

  5. Click Next.

  6. On the Configure SAML tab, in the General settings set:

  7. On the same tab in the Attribute Statements section, copy http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress to the Name field and copy user.email to the Value field.

    • If you choose SAML-only as User Management during the SAML setup in Chamaileon then add the following Name, Value pairs too:

      • displayName as Name and user.displayName as Value

      • firstName as Name and user.firstName as Value

      • lastName as Name and user.lastName as Value

  8. On the same tab, we can leave the Group Attribute Statements empty

    1. If you choose SAML-only as User Management during the SAML setup in Chamaileon then add the following Name, Value pairs too:

      • groups as Name, Matches regex as Filter and .* as Value

  9. Click Next.

  10. On the Feedback tab, select I’m an Okta customer adding an internal app.

    Everything else is optional.

  11. Click Finish.

  12. You’ll find yourself on the Sign On tab. Please copy the link address of the View IdP metadata under the active certificate's Actions dropdown and get back to the third step of the SAML setup in Chamaileon.

Set up SCIM connection

After you went through the list of the SAML setup in Chamaileon and the list of the Create an Okta application and get the SAML metadata URL, you’ll get the SAML settings like this picture below. We will need to copy a few fields from there during setting up SCIM in Okta.

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Search for or scroll down to the app integration that you created for Chamaileon.

  3. Click the individual app integration to view its settings page.

  4. Select the General tab.

  5. Edit the App Settings.

  6. Enable the Enable SCIM provisioning option and click Save.

7. Select the new Provisioning tab.

8. Edit the SCIM Connection:

  • copy SCIM URL from Chamaileon to the SCIM connector base URL field

  • set Unique identifier field for users to userName

  • Enable the first four options under Supported provisioning actions:

    • Import New Users and Profile Updates

    • Push New Users

    • Push Profile Updates

    • Push Groups

  • Switch Authentication Mode to HTTP Header

  • Copy SCIM API Key from Chamaileon to the Authorization field

9. Click Save.

10. Under the Provisioning tab, in the To App settings, edit the Provisioning to App page.

11. Enable the first three actions:

  • Create Users

  • Update User Attributes

  • Deactivate Users

12. Click Save.

13. SCIM connection is ready, don’t forget to

Assign

In the case of SCIM user management assigning a group means adding every user from a group to Chamaileon. Without pushing groups, users will be added to the workspace with the role called Viewer. Viewers can’t change anything in your workspace.

In the case of SAML-only user management assigning a group means letting users into Chamaileon. Users will be added to your workspace and appear there right after they are logged in via Bookmark.

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Search for or scroll down to the app integration that you want to assign to one or more groups.

  3. Click the Action drop-down menu on the right side of the app integration.

  4. Choose Assign to Groups.

  5. On the dialog that appears, click Assign next to the name of the group.

  6. Assign more groups, or click Done.

  7. If the Invite & manage members page in Chamaileon is already open then please refresh it.

Be sure that you assign the same groups to your Chamaileon application and Chamaileon bookmark.

Push

In the case of SCIM user management pushing a group means making it available to add Chamaileon roles to the pushed groups in Chamaileon.

In the case of SAML-only user management pushing a group isn’t available.

  1. In the Okta Admin Console, go to Applications > Applications.

  2. Search for or scroll down to the app integration that you want to push to one or more groups.

  3. Click the individual app integration to view its settings page.

  4. Select the Push Groups tab.

  5. Click the Push Groups drop-down menu on the left side.

  6. Choose Find groups by name.

  7. Enter the name of the groups you want to push into Chamaileon and select them.

  8. Click Save.

  9. If the Invite & manage members page in Chamaileon is already open then please refresh it.

  10. If you assigned and pushed the same group(s), you’ll find the SAML Groups accordion on the Invite & manage members page.

  11. After changing a group’s Chamaileon Role, you’ll need to save your changes.

Bookmark for Okta Application

We recommend creating a bookmark because during the creation of the Chamaileon Application we hid it from Okta users because of security reasons.

Okta and several other providers support IdP-initiated login flow when a user can directly log in to a SAML application from the identity provider. However, the IdP-initiated login is not supported by Chamaileon for security reasons (men-in-middle attacks).

To achieve a slightly similar behavior, we recommend hiding the Chamaileon app from the end-users, and adding a bookmark app with a login link to your Chamaileon login page.

In the case of SAML-only user management, using the Your login URL from the SAML settings modal is the only way to log in with the assigned user for the first time.

Create a Bookmark App integration

  1. In the Admin Console, go to Applications > Applications.

  2. Click Browse App Catalog.

  3. In the Search... field, enter Bookmark App. Click on the app integration called Bookmark App.

  4. Click Add to create a new Bookmark App.

  5. In the General Settings for the Bookmark App, enter a label for the external application and the URL of the login page for the app.

  6. Click Done to create the Bookmark App.

Assign groups to the bookmark from the Applications page

It is important to assign the same groups to the Chamaileon Application and the Chamaileon Bookmark to avoid misunderstanding.

  1. In the Admin Console, go to Applications > Applications.

  2. Search for or scroll down to the app integration that you want to assign to one or more groups.

  3. Click the Action drop-down menu on the right side of the app integration.

  4. Choose Assign to Groups.

  5. On the dialog that appears, click Assign next to the name of the group.

  6. Assign more users or groups, or click Done.

Change a Bookmark App integration icon

You can add a custom logo to use as the application icon for your app integration.

A custom logo must meet the following requirements:

  • The image type must be PNG, JPG, or GIF (PNG is recommended)

  • Image dimensions should be at least 420 pixels by 120 pixels to prevent visual scaling issues

  • Image size must be less than 1 MB in size

  1. Click the pencil icon at the top right corner of the star icon to open the Edit Logo dialog.

  2. In the Edit Logo dialog, click Browse. Locate and select the image to use as the application icon and click Open.

  3. Click Update Logo to upload and set the application icon

  4. Click Close.

Let us know if you have more questions about this!

Did this answer your question?