Okta

Configure Single Sign-On between Sublime and Okta

SAML Configuration

Below are the steps for setting up SAML with Okta.

Obtain Your Sublime Single Sign-on URL

  1. Sign in to your Sublime instance. Navigate to Admin > Account
  2. Scroll down and under the Authentication section, click the pencil icon next to SAML
  3. Copy/take note of the Single Sign-on URL. You'll use this URL in the next section when configuring SAML for your Okta application.

Okta Configuration

  1. Sign into your Okta admin console
  2. On the left-side navigation bar, navigate to Applications > Applications
  3. Select Create App Integration
  4. In the modal that opens, select Sign-in method of SAML 2.0
  5. Click Next
  6. Provide an App name, such as "Sublime Platform"
  7. Optionally add a logo. You can download the Sublime logo here.
  8. Click Next
  9. For Single sign-on URL, paste the Single Sign-on URL you copied from the Sublime dashboard
  10. Be sure Use this for Recipient URL and Destination URL is checked
  11. For Audience URI (SP Entity ID), also paste the Single Sign-on URL you copied from the Sublime dashboard
  12. For Name ID format, select Email Address
  13. For Update application username on, select Create and update
  14. Leave all other settings as their defaults

Example completed configuration

  15. Click Next
  16. Click Finish
  17. Click the Sign On tab of the new Okta app
  18. Copy the Metadata URL

Metadata URL to be used for Sublime

Add SAML Settings to Sublime

  1. In Sublime, navigate to Admin > Account
  2. Under Authentication, click the button next to SAML
  3. Under Metadata URL, paste the metadata URL you copied from Okta
  4. Click Save

Test SAML Configuration

  1. Ensure the user(s) you will test with exist in both the Sublime Console and the Okta Sublime application, adding them where necessary.
  2. In the Single sign-on section of the Sublime Enterprise app, click Test and then Test Sign-on
    1. If successful, you can now change the Sublime Allowed methods config to disable username/password login.
    2. If unsuccessful, double-check all fields with URL values across both platforms and contact us if you're still running into any issues 👋

OIDC Configuration

Below are the steps for obtaining OIDC settings via Okta.

Open the OIDC settings modal in Sublime

  1. Sign in to your Sublime instance. Navigate to Admin > Account
  2. Scroll down and under the Authentication section, click the pencil icon next to Open ID Connect
  3. Copy/take note of the Redirect URI. You'll use this URL in the next section when configuring OIDC for your Okta application.

Okta Configuration

  1. Sign into your Okta admin console
  2. On the left-side navigation bar, navigate to Applications > Applications
  3. Click Create App Integration
  4. In the modal that opens, select Sign-in method of OIDC - OpenID Connect
  5. Select Application type of Web Application
  6. Click Next
  7. Provide an App integration name, such as "Sublime Platform"
  8. Optionally add a logo. You can download the Sublime logo here.
  9. In the Grant type section, under "Advanced" select Implicit (Hybrid)
  10. In Sign-in redirect URIs, paste the Redirect URI from Sublime
  11. Remove the default entry in Sign-out redirect URIs
  12. In the Controlled access section, select your preferred option
  13. Click Save
  14. Click the Edit button in the General Settings section
  15. In Login initiated by, select Either Okta or App
  16. In Initiate login URI, paste the Initiate login URL from Sublime
  17. Next to Application visibility, check Display application icon to users and optionally check Display application icon in the Okta Mobile app
  18. Click Save
  19. Note the Client ID and Client Secret from the current page
  20. Click the Sign On tab
    1. Note the Issuer URL under OpenID Connect ID Token
    2. Ensure the Issuer URL is set to Okta URL
  21. You'll use the Client ID, Client Secret, and Issuer URL you noted in the next section.

Add OIDC Settings to Sublime

  1. Log into the Sublime Platform
  2. Navigate to Admin > Account
  3. Under Authentication, click the button next to Open ID Connect
  4. Enter your OIDC Issuer URL, Client ID, and Client Secret
  5. Click the Save button

Test OIDC Configuration

You should now be able to sign into Sublime via Okta. You can verify the integration is working by either selecting the Sublime Platform application in Okta, or by loading the Initiate login URL from your OIDC settings in Sublime.

Matching User Required

For a user to successfully sign into Sublime with your OIDC identity provider, there must already be a matching user with the same email address in Sublime.

(Optional) Configure SCIM for automated user lifecycle management

Sublime's SCIM API allows you to provision, update, and de-provision Sublime users from Okta, including managing each user's Sublime role.

Sublime and identity provider admin required

To integrate with SCIM, you'll need to be an administrator for both Sublime and Okta, or get the help of an admin for each.

The following SCIM features are currently supported:

  • Create Users
  • Update Users
  • Deactivate Users

Gather Sublime info

To integrate Okta with SCIM, you'll need the following from the Sublime dashboard:

  1. The SCIM API base URL for your Sublime instance:
    1. In Sublime, navigate to the API page
    2. Copy the Base URL. For example, Sublime Cloud's US region has the API base URL https://platform.sublime.security
    3. Append /v0/scim to the base URL to construct a SCIM API base URL like https://platform.sublime.security/v0/scim
    4. Hold onto this URL
  2. An API key for a Sublime admin:
    1. In Sublime, navigate to the API page
    2. Click New Key
    3. Enter a key name, such as "SCIM Integration"
    4. Click Save
    5. Copy and hold onto the new key

Add SCIM provisioning to the Okta app

  1. Go to the overview page for the Okta application you created
  2. Click the General tab
  3. In the App Settings section, click Edit
  4. Check Enable SCIM provisioning
  5. Click Save
  6. Click the Provisioning tab that appears
  7. Click Edit
  8. For SCIM connector base URL, enter https://platform.sublime.security/v0/scim
  9. For Unique identifier field for users, enter userName
  10. For Supported provisioning actions, check:
    1. Import New Users and Profile Updates
    2. Push New Users
    3. Push Profile Updates
  11. For Authentication Mode, select HTTP Header
  12. For Authorization, enter the Sublime API key you created
  13. Click Test Connector Configuration and confirm you get a Connector configured successfully message
  14. Close the Test Connector Configuration modal
  15. Click Save
  16. Click the To App subtab
  17. In the Provisioning to App section, click Edit
  18. Check Enable for:
    1. Create Users
    2. Update User Attributes
    3. Deactivate Users
  19. Click Save
  20. Under Sublime Platform Attribute Mappings, update the mappings as follows. You should only need to remove some of the default mappings.
  21. Leave all other provisioning settings unchanged

Map Okta groups to Sublime roles

  1. In Okta, go to Directory > Profile Editor
  2. Under the Users tab, click your Sublime Okta app
  3. Click Add Attribute
  4. Add a new attribute with these properties:
    1. Data type: string
    2. Display name: Sublime Role
    3. Variable name: sublimeRole
    4. External name: sublimeRole
    5. External namespace: urn:ietf:params:scim:schemas:core:2.0:User
    6. Enum: checked, with these options:
      1. Admin: admin
      2. Engineer: engineer
      3. Analyst: analyst
    7. Attribute length: between 0 and 50
    8. Attribute required: unchecked
    9. Attribute type: Group
  5. Click Save
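As an added example (not Sublime's or Okta's code), the following Python shows what the SCIM 2.0 User resources pushed by the Okta connector configured above look like, and a validator a Sublime admin can run over captured provisioning requests. The /v0/scim path, the userName identifier, the sublimeRole attribute, its core User namespace and its enum values come from the steps above; the sample payloads, field names beyond those, and the validation rules are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# From the Okta attribute mapping above: external namespace and enum values
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SUBLIME_ROLES = {"admin", "engineer", "analyst"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def scim_base_url(api_base_url: str) -> str:
    """Build the SCIM connector base URL by appending /v0/scim to the
    Sublime API base URL, tolerating a trailing slash. Refuses anything
    that is not https, since the API key travels in an HTTP header."""
    parsed = urlparse(api_base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("SCIM connector base URL must be an https URL")
    return api_base_url.rstrip("/") + "/v0/scim"


def validate_scim_user(user: dict) -> list[str]:
    """Return the problems found in a SCIM User resource as Okta would push it
    under the mapping above: userName is the unique identifier and must be an
    email (Name ID format: Email Address), active is a boolean, and sublimeRole
    lives in the core schema. The attribute is not required, so a missing role
    is accepted; an unknown role value is not."""
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    if not EMAIL_RE.match(user.get("userName", "")):
        problems.append("userName is not an email address")
    if not isinstance(user.get("active"), bool):
        problems.append("active must be a boolean")
    role = user.get("sublimeRole")
    if role is not None and role not in SUBLIME_ROLES:
        problems.append(f"sublimeRole {role!r} not in {sorted(SUBLIME_ROLES)}")
    return problems


# Constructed sample payloads (not captured from a real tenant).
SAMPLE_CREATE = {  # body of a "Push New Users" request
    "schemas": [SCIM_USER_SCHEMA],
    "userName": "analyst@example.com",
    "name": {"givenName": "Ada", "familyName": "Analyst"},
    "emails": [{"primary": True, "value": "analyst@example.com", "type": "work"}],
    "active": True,
    "sublimeRole": "analyst",
}
SAMPLE_BAD_ROLE = {**SAMPLE_CREATE, "sublimeRole": "superuser"}  # not in the enum
SAMPLE_DEACTIVATE = {**SAMPLE_CREATE, "active": False}  # "Deactivate Users" flips active
```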

When assigning a group to the Okta app, you can now attach a Sublime role: