Provides the steps required to provision users from Okta to Sobol

 

Features

Sobol supports SCIM version 2.0 out of the box and provides the following features:

  • Import Users - quickly synchronize your users between Sobol and Okta
  • Create New Users - create new users in Okta and push them to Sobol
  • Profile Updates - update users in Okta and sync those updates to Sobol
  • Deactivate Users - deactivate users in Okta and reflect those changes in Sobol
  • Reactivate Users - reactivate users in Okta and follow suit in Sobol

 

Requirements

  • You must already be a user and have administrative access to Sobol
  • You must have access to Okta with sufficient permissions to install applications
  • Your org must be an enterprise organization
  • You must take note of your organization’s ID (ORG_ID)
  • You must map the Unique Identifier to your user’s email address

Please refer to the Troubleshooting Tips for additional information on the above.

If for any reason you need help, please contact support@sobol.io.

 

Steps

 

Install Sobol Okta App

To configure a new SCIM connection in Okta:

  • Log into your instance of Okta and click on the Applications page in the left-hand menu
  • Click "Browse App Catalog" and search for "Sobol"
  • Click on "Add" and then click "Done"

 

Single Sign On Setup

 

Configure Okta

  • In Okta, navigate to the Sobol App you installed in the previous step and click on the "Sign On" tab.
  • Under the SAML 2.0 heading, click on "View Setup Instructions" (you will need this in the next step).

 

Configure Sobol

  • Please login to Sobol at https://sobol.io/d/login
  • As an administrator, please navigate to “Settings” -> “Applications”
  • Click “Add Application”
  • A modal will open with the app marketplace.
  • Please install the "SAML" app.
  • Once installed and the app drawer opens, enter the following information from Okta:
    • "Endpoint" -> "Endpoint"
    • "Identity Provider entityr" -> "Entity"
    • "Certificate" -> "Certificate"
  • Click "Test Connection" and verify the following:
    • You get logged out of Sobol
    • You get redirected to Okta
    • You get redirected and logged back into Sobol

 

User Provisioning Setup

 

Configure Sobol

  • Please login to Sobol at https://sobol.io/d/login
  • As an administrator, please navigate to “Settings” -> “Applications”
  • Click “Add Application”
  • A modal will open with the app marketplace
  • Please install the "SCIM" app
  • Once installed and the app drawer opens, copy the API Key for use in Okta

 

Configure Okta

To configure a new SCIM connection in Okta:

  • Log into your instance of Okta and click on the Admin button followed by the Applications tab
  • Locate “Sobol” in your applications list and click to edit the settings
  • Under the “Sign On” tab, ensure Application username format is set to “Email”
  • Under the “Provisioning” tab, click Configure API Integration
  • Next, check the Enable API integration box
  • Enter the API Key that you created and copied in Sobol
  • Click Test API Credentials; if successful, a verification message will appear on the screen. If unsuccessful, please contact support@sobol.io.
  • Click "Save"
  • Select "To App" in the left panel, then select the "Provisioning Features" you want to enable
  • Click "Save"

 

Troubleshooting Tips

  • Sobol Account: You MUST have a Sobol account and have administrative access in order to set up SSO. If for any reason you do not have these, please contact support@sobol.io.
  • Sobol Org: You MUST have a Sobol Enterprise Organization. Contact support@sobol.io if you do not have this.
  • Org ID: Configuring SAML or SCIM requires the use of your tenant’s ORG_ID. To obtain it, take note of the URL when using your instance of Sobol: https://sobol.io/d/[ORG_ID]/structure?view=circles.
  • Terms:
    • Identity Provider (IdP) - this can be Okta, AzureAD, or OneLogin
    • Service Provider (SP) - this is Sobol

 

SAML Troubleshooting

  • SAML Endpoint: All SAML endpoints for your organization are housed under the following URL scheme: https://sobol.io/d/saml/v2/callback?orgId=[ORG_ID]
  • Unique Identifier: all users mapped across Sobol and Okta use their email to uniquely identify them. Please ensure that your nameID is mapped to the user’s email

 

SCIM Troubleshooting

  • SCIM Endpoint: All SCIM endpoints for your organization are housed under the following URL scheme: https://sobol.io/d/scim/v2/org/[ORG_ID]
  • Authentication Formats: Sobol supports Header Authentication (Bearer Token) using keys available in both HS256 and RS256 JWT formats. Some services, such as AzureAD, require smaller, leaner keys, in which case please use HS256
  • Supported Mappings: as of now, Sobol ONLY supports the provisioning of the following attributes:
    • First Name - firstName
    • Last Name - lastName
    • Email - email
  • Unique Identifier: all users mapped across Sobol and Azure use their email to uniquely identify them. Please make sure that the SCIM email property is mapped correctly to your user’s email
  • Email Type - we currently do not support the `emailType` attribute and default this value to “work” as part of our SCIM responses
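
The following pre-flight check is an added example, not Sobol's or Okta's own code. It confirms that an API key is a JWT in one of the two formats named above and assembles the request a SCIM client would send to create a user. Assumptions: the standard SCIM 2.0 "/Users" path and core User schema (RFC 7643/7644), the ORG_ID character set, and the constructed sample key.

```python
import base64
import json
import re

SCIM_BASE = "https://sobol.io/d/scim/v2/org/{org_id}"  # URL scheme from this page
ALLOWED_ALGS = {"HS256", "RS256"}                       # key formats named on this page
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core schema


def constructed_key(alg):
    """Constructed, unsigned sample token for this example only."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc({'sub': 'example'})}.c2ln"


def key_algorithm(api_key):
    """Read the JWT header only (no signature check) and return its 'alg'."""
    parts = api_key.strip().split(".")
    if len(parts) != 3:
        raise ValueError("API key is not a three-part JWT")
    header = parts[0] + "=" * (-len(parts[0]) % 4)  # restore base64url padding
    alg = json.loads(base64.urlsafe_b64decode(header)).get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected JWT alg: {alg!r}")
    return alg


def scim_request(org_id, api_key, profile):
    """Build (url, headers, body) for creating one user over SCIM 2.0."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", org_id):  # assumed ORG_ID character set
        raise ValueError("ORG_ID contains unexpected characters")
    key_algorithm(api_key)  # refuse to send a key in an unexpected format
    email = profile["email"].strip()
    body = {
        "schemas": [USER_SCHEMA],
        "userName": email,  # email is the unique identifier
        "name": {"givenName": profile["firstName"],
                 "familyName": profile["lastName"]},
        "emails": [{"value": email, "type": "work", "primary": True}],
        "active": True,
    }
    url = SCIM_BASE.format(org_id=org_id) + "/Users"  # assumed standard path
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/scim+json"}
    return url, headers, body
```
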

 

Support

At Sobol, we are here to help you. If for whatever reason you are not successful with these instructions, please reach out to support@sobol.io.