This page gives best practices for configuring Okta for SSO with LeanIX. Thanks to a very helpful customer, we are able to provide you with this guide.
Request an SSO setup
Follow this link to directly request an SSO setup for your workspace(s).
Please make sure to read the general SSO guide first. The general process is defined there, while this page gives configuration details for Okta.
- As a first step, you will add a new application.
- Then you select platform type 'Web' and sign on method 'SAML 2.0'.
- You can now choose a name for the application (e.g., 'LeanIX') and a logo. Download a suitable product logo from our media kit.
Under SAML Settings, insert the following:
Sign-on URL: https://<yourleanixdomain>.leanix.net/Shibboleth.sso/SAML2/POST
Audience URI: https://<yourleanixdomain>.leanix.net/Shibboleth.sso
Name ID Format should be EmailAddress
The Application username depends on your Okta implementation. If the Okta username matches the LeanIX e-mail address, you can choose the following configuration.
In the bottom part of the SAML settings, you specify the attributes being inserted inside the SAML assertion.
All attribute names are case-sensitive. The first attributes are values that already exist on the Okta user profile. The role attribute will be specified later, when assigning user groups to the application.
Finalize the setup by specifying the App type as 'internal', then select Finish.
Change the profile mappings.
Click 'Cancel' on the following screen.
On the following screen, you will be able to add a new attribute.
Name the new attribute “role” like the attribute you already inserted inside the SAML assertion.
To help the Okta Admin with the assignment, you create a dropdown list of values instead of letting them write the value as text. These values correspond to the LeanIX default roles but can, of course, be altered according to your needs.
As the last step, assign the people who will use the LeanIX application. Under the 'Assignments' category, choose Assign to Groups.
Now you are able to choose the role for a specific Okta or Active Directory Group inside the Assignment.
If required, MFA or other policies can be set under the Sign on Policy section.
For SMP roles, please see the SMP user role mapping section.
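Before enabling the integration, it is worth checking a test assertion issued by Okta against the settings above (Audience URI, EmailAddress NameID format, and the case-sensitive 'role' attribute). The following check is an added example, not LeanIX or Okta code; the sample assertion is constructed, the subdomain 'example' and the role value are assumptions, and signature verification is out of scope.

```python
# Added example (not LeanIX or Okta code): sanity-check a SAML 2.0 assertion against the
# settings described above. The assertion below is constructed; the subdomain "example" and
# the role value are assumptions, not values from the page. Signature checks are not covered.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://example.leanix.net/Shibboleth.sso"  # assumed subdomain
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample assertion, shaped like what Okta issues under the settings above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://example.leanix.net/Shibboleth.sso</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>CONSTRUCTED_ROLE</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE, required_attrs=("role",)):
    """Return a list of mismatches; an empty list means the assertion matches the settings."""
    root = ET.fromstring(xml_text)
    problems = []
    # NameID must be the user's e-mail address (Name ID Format = EmailAddress).
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    # The Audience must equal the Audience URI configured in Okta.
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    # Attribute names are case-sensitive, so "Role" would not satisfy a required "role".
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in required_attrs:
        if name not in attrs or not attrs[name]:
            problems.append(f"attribute {name!r} missing from assertion")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))  # [] when everything matches
```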