Okta as SSO provider

Snow Atlas supports configuring Okta as a single sign-on (SSO) provider.

Description

The Okta single sign-on application registration is configured using OpenID Connect (OIDC). The configuration options are already set with the permissions and settings required to function with Snow Atlas. You can also configure items such as user and access group assignments that you want to apply to this registration.

Supported features

  • ServiceProvider (SP) initiated SSO when you attempt to sign in from Snow Atlas

  • User provisioning to create the user on first sign in, when the feature is enabled in Snow Atlas

Requirements

  • The user is an Okta administrator.

  • The user is a Snow Atlas system administrator.

Application permissions

The following permissions are required by the Snow Atlas Okta single sign-on application registration:

Scope permission

Description

profile

Retrieves basic profile information about a user that is mapped to the user's profile in Snow Atlas

email

A user's primary email address that is used to sign in to Snow Atlas and as contact information

okta.users.read

The Okta scope for the user's read group membership that is used to map groups to Snow Atlas permissions.

This is for future group synchronization and will only be queried if the feature is configured.

Configuration required

You are required to configure Okta for Snow Atlas. You must add the Snow Atlas single sign-on app to your organization's Okta. For more information, see Add Snow Atlas as Okta app.

You also require the relevant Authority, client ID and client secret from the Snow Atlas SSO app in Okta, which you need to set up Okta as your SSO provider in Snow Atlas. For more information, see Find values to set up Okta SSO in Snow Atlas.

Claim mappings

The Okta given_name and family_name properties are mapped to the equivalent properties in Snow Atlas if they are not already populated