The following section outlines the configuration of SAFEQ Cloud integrated with OKTA through LDAP.
Add a new LDAP authentication provider in the SAFEQ Cloud authentication settings, and enter the following details:
- Name – An internal name used for identifying the particular authentication provider configuration.
- Domains – The domain names of the server, i.e. the domain part of user names. When adding a new access control entry for an OKTA authentication provider, the users or groups in Access Control must carry the same domain as the domain name defined for that OKTA authentication provider. For example, if the domain name of the OKTA authentication provider is okta.domain.com, then the user added in Access Control should be firstname.lastname@example.org. Specifying the correct domain name is especially important when using the Strict domain validation feature, as it is otherwise not possible to detect which domain a user belongs to.
- Priority – A number that determines the order in which authentication providers will be called until one succeeds. Higher-priority providers will be called first.
- Active – If enabled, the authentication provider will be used for authentication. If disabled, this authentication provider will not be searched.
- Base DN – The point in the OKTA directory where searching begins. It applies to both user and group searches if Group Base DN is empty.
- Server name – The address (DNS name, hostname or IP) of the OKTA server that the SAFEQ Cloud Authentication Service connects to for searching.
- Port – Port used for the service; in this case it must be 636.
- Username – The username used to connect and search in the OKTA.
- Password – Password used to connect and search in the OKTA.
- OUs or groups – Choose how groups are identified for access control management; the default is “Groups”.
- Bind type – Whether to bind with a plain connection, MD5 digest, or Kerberos.
- Enable SSL – Whether the connection to OKTA uses SSL encryption. In this case, it must be enabled.
- Custom attributes – Expand custom attributes to change the LDAP attributes in which the username, card IDs, ShortIDs and similar are stored. The login name and email attributes must be set to “uid”.
- Service – Which Authentication Service will communicate with this OKTA server via LDAP. If no service has been created yet, it can be added using the Add button.
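The provider selection rules above (priority order, the Active flag, and domain matching under Strict domain validation) and the mandatory OKTA settings (port 636, SSL on, uid attributes) as a small added Python model. This is illustrative code written for this page, not SAFEQ Cloud's own implementation; the provider names, domains and login used below are constructed.

```python
from dataclasses import dataclass

@dataclass
class LdapProvider:
    name: str
    domains: tuple            # domain part of user names this provider owns
    priority: int             # higher is tried first
    active: bool
    port: int = 636
    enable_ssl: bool = True
    login_attr: str = "uid"   # Custom attributes: login name
    email_attr: str = "uid"   # Custom attributes: email

def preflight(p: LdapProvider) -> list:
    """Settings that contradict the OKTA-over-LDAP requirements listed above."""
    problems = []
    if p.port != 636:
        problems.append("Port must be 636")
    if not p.enable_ssl:
        problems.append("Enable SSL must be on")
    if p.login_attr != "uid" or p.email_attr != "uid":
        problems.append("login name and email attributes must be 'uid'")
    return problems

def user_domain(login: str) -> str:
    """Domain part of a login such as user@okta.domain.com (empty if absent)."""
    return login.rsplit("@", 1)[1].lower() if "@" in login else ""

def candidate_providers(providers, login, strict_domain=True) -> list:
    """Provider names that would be tried for this login, in call order:
    inactive ones skipped, highest priority first; with strict domain
    validation only providers whose Domains contain the login's domain."""
    dom = user_domain(login)
    pool = [p for p in providers if p.active]
    if strict_domain:
        pool = [p for p in pool if dom in (d.lower() for d in p.domains)]
    return [p.name for p in sorted(pool, key=lambda p: p.priority, reverse=True)]

# Constructed sample configuration (not a real tenant).
PROVIDERS = [
    LdapProvider("okta", ("okta.domain.com",), priority=10, active=True),
    LdapProvider("corp-ad", ("corp.example",), priority=20, active=True),
    LdapProvider("legacy", ("okta.domain.com",), priority=30, active=False),
]

if __name__ == "__main__":
    print(candidate_providers(PROVIDERS, "jane.doe@okta.domain.com"))         # ['okta']
    print(candidate_providers(PROVIDERS, "jane.doe@okta.domain.com", False))  # ['corp-ad', 'okta']
    print(candidate_providers(PROVIDERS, "jane.doe@other.example"))           # []
```

With strict domain validation a login whose domain matches no provider's Domains field resolves to no provider at all, which is the failure the Domains note above warns about.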