The following section outlines the configuration of SAFEQ Cloud integrated with OKTA through LDAP.

Add a new LDAP authentication provider in the SAFEQ Cloud authentication settings, and enter the following details:

Name
An internal name used for identifying the particular authentication provider configuration

Domains
The domain names of the server. It should be the domain part of user names.
When adding a new access control entry for an OKTA authentication provider, the users or the groups from Access Control must contain the same domain as the domain name defined for that OKTA authentication provider.
For example, if the domain name of the OKTA authentication provider is okta.domain.com, then the user added in Access Control should be user@okta.domain.com.

Priority
A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be called first.

Active
Toggles whether the authentication provider is used for authentication. If unchecked, this authentication provider will not be searched.

Base DN
The point in the OKTA directory where searching begins. It applies to both user and group searches if Group Base DN is empty.

Server name
The actual address (DNS, hostname or IP) of the OKTA server to which SAFEQ Cloud Authentication Service will connect to search.

Port
Port used for the service. In this case it must be 636.

Username
Username used to connect to and search in OKTA.

Password
Password used to connect to and search in OKTA.

OUs or groups
Choose how groups are identified for access control management. The default is “Groups”.

Bind type
Whether to bind with a Plain connection, MD5 digest or Kerberos.

Enable SSL
Whether the connection to OKTA should use SSL encryption. In this case it must be enabled.

Custom attributes
Expand custom attributes to change the LDAP attributes in which usernames, card IDs, ShortIDs and similar are stored. The login name and email must have the “uid” value.

Service
The Authentication Service that will communicate with this OKTA server via LDAP. If no service has been created yet, one can be added using the Add button.
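
The constraints listed above (port 636, SSL enabled, "uid" for login name and email, and Access Control entries that carry the provider's domain) can be checked before the provider is saved. The following is an added example, not SAFEQ Cloud or OKTA code; the dictionary keys, the sample values and the case-insensitive user@domain comparison are assumptions.

```python
# Added example: pre-flight check of an OKTA LDAP provider entry against the
# constraints on this page. The dictionary keys are hypothetical stand-ins for
# the form fields; SAFEQ Cloud itself is not queried.

def check_provider(p):
    """Return a list of findings for one provider entry (empty list = OK)."""
    findings = []
    if p.get("port") != 636:
        findings.append("Port must be 636")
    if not p.get("enable_ssl"):
        findings.append("Enable SSL must be on")
    attrs = p.get("custom_attributes", {})
    for field in ("login_name", "email"):
        if attrs.get(field) != "uid":
            findings.append(f'Custom attribute {field} must be "uid"')
    return findings


def check_access_control(p, principals):
    """Return the Access Control entries whose domain part does not match any
    domain defined for the provider. Assumes the name@domain form shown on
    this page and a case-insensitive comparison."""
    domains = {d.strip().lower() for d in p.get("domains", [])}
    mismatched = []
    for name in principals:
        _, sep, domain = name.rpartition("@")
        if not sep or domain.strip().lower() not in domains:
            mismatched.append(name)
    return mismatched


# Constructed sample values, not taken from a real tenant.
SAMPLE = {
    "name": "okta-ldap",
    "domains": ["okta.domain.com"],
    "port": 389,
    "enable_ssl": False,
    "custom_attributes": {"login_name": "uid", "email": "mail"},
}
SAMPLE_ACL = ["user@okta.domain.com", "user@domain.com", "printing-admins"]

if __name__ == "__main__":
    for finding in check_provider(SAMPLE):
        print("provider:", finding)
    for name in check_access_control(SAMPLE, SAMPLE_ACL):
        print("access control entry outside provider domain:", name)
```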
