*Version: 1.0 | Last Updated: 2025-03-13*

## Overview

- **Integration Name:** Okta
- **Purpose:** Integrating Okta to log into the MoovingON.AI platform
- **Audience:** Support team, TAM
- **Prerequisites:**
  - A valid Okta account
  - MoovingON AI account access with integration permissions

---

## Table of Contents

- [[#Setup Instructions]]
- [[#Configuration]]
- [[#FAQs]]
- [[#Related Links]]

---

## Setup Instructions

#### Notes

1. WARNING: Do not enable SCIM before you have verified that the IdP login works. If SCIM is enabled on top of a broken IdP configuration you can lock yourself out of the app.
2. For IdP-initiated SSO, the account in MoovingON AI and the account in the Okta Application Domain must share the same email address; MoovingON AI matches the incoming login to an existing user by email.
3. IdP-initiated SSO will not work if the Okta user has no corresponding user in MoovingON AI (the login fails with error 405). SCIM provisioning, described under Configuration, creates those users automatically.

#### Create an Okta application

First, we have to create a new Okta Application.

1. On Okta, click on Applications >> Applications:
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXebu4qOQ3ny4Bf0S8HvkbbYv_zHO33Tf2jMXYH9lMbltFOl51ZGhSnTOK7ibd-V2sNgmxoR7bgKoOT-4uwSU9pno6dZQs_qn8-qFSWblH7RHtWT5BK9reJoanA8Hwd1Cr2XAcD-?key=q-BL5fMSI7LyCJlw8UfD8nEj)
2. Click on Create App Integration.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXcokskxoUxaeDa4GrruJJNpDzG_NfNyQjWlKuWW8iUY_CGqlbfdWrB7qBORwlYon7-4Zt22DGTiLMGoNERt57tMyuczBmciZUUZb4HV3PIohy9YHJLoVN7DU6Nl7_1FGxRMSUvlVA?key=q-BL5fMSI7LyCJlw8UfD8nEj)
3. Click on SAML 2.0 and then Next.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdl9JJ1vkr0Uku_0fV8-nQSrR3ngOTNf2kJxtBSSwykMjVckaXwITymxdzn4M0bMb9Rvg2e9Ye3KRSyBSqMTxjPb2DCqruiGD-_tn4JGcqPjAiv7PVVf-3OznnBlR6PHAl0YQZp1Q?key=q-BL5fMSI7LyCJlw8UfD8nEj)
4. Fill in the following fields:
   - **App name:** MoovingON AI
   - **App logo:** use the MoovingON AI logo (right-click the image to save it, then upload the saved file):
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdBRjE3raPGfIePMJxytv60x46dbyt63HwkX_SLclNNCXRVcNSB9Jzw-WNVirbGscmTJV3rcqvFkan6gXwtystVy3RmzbibLu63Z1Bcky6biPKCW9uvkvXY2IAM7ptp7D-SbwDZ?key=q-BL5fMSI7LyCJlw8UfD8nEj)
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXerGtDIOo77SI7IJrDnk5JKv05sFamIi7AEZPLSPdCjGr45l_FTmRcZaMWu5hY3gTcevw6VpdGLUjAxxGTMBYnCxGa8J6Va_CwNOpoA7YF72hSc7GxaeCzNZZ316SexgWNIOANo?key=q-BL5fMSI7LyCJlw8UfD8nEj)
   Afterwards, click Next.
5. Fill in the following fields:
   - **Single sign-on URL:** `https://<MoovingON AI rest endpoint>/sso/acs/`
   - **Audience URL (SP Entity ID) or Audience Restriction:** `https://<MoovingON AI rest endpoint>/sso/acs/<unique_identifier>`
   - **Default RelayState:** the same `<unique_identifier>` used in the Audience URL
   The `<unique_identifier>` can be any value you choose, but it must be used consistently in three places: the Audience URL, the Default RelayState, and later the Entity ID entered in MoovingON AI. The assertion carries this value as its audience restriction, so a mismatch makes the SAML login fail.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXeKRculWQ6t7wFxpjRdiP8CQzz5L_rH4NWViUei9UPlEGjgzWoc9nAEj1UArdmEJQCRlzb740ZcY_-dUI7mX3DzBW6t214PChBH4OGUpQw5PGAIiVZnQulljBly6ZEWFoEKA7BN?key=q-BL5fMSI7LyCJlw8UfD8nEj)
6. On Attribute Statements, fill in the following:
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXdVPw6aRUhT9HWFhaO0CgYi5EoiyECrLZ5_XcbvNXtrkzERskLpa1IUwHdS7kCgJyS9b1M5O-8sK1xT0WKhR5O_aS5K9QO303jbD7EEUcPtrZwtnHF4cVWhUr1yVtmkA37EUzqLHQ?key=q-BL5fMSI7LyCJlw8UfD8nEj)
   And click on Next.
7. Now that the app exists, we can connect it to MoovingON AI.

#### Okta IdP-Initiated SSO

1. On MoovingON AI, navigate to Settings >> Integrations.
2. On Add Integration, search for Okta and click on Add Okta.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXeYKni9OS41b142G1_yTQK2umbg95DQCW489AP4zABT7HHuYj3C3o3aMZ68-sLsyKEY-GlZC91DBMxTspHdbIzi2QlJ_BuC3OnIFpXVbPrPQLQNP3HB7V3xg1M1M2h2bk8Mef3R?key=q-BL5fMSI7LyCJlw8UfD8nEj)
3. Enter the same Entity ID (the Audience URL) that we set during the creation of the Okta Application.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXcwZRvQHcgFdNFdlSvuTEj-eJhLEl8f0MSdNGCKcDNHIVhXcVWqGHLl1gWM0WUchntREQkNYkU6N2lI3SlL7ihzLtt72FDKt5lOyaxtvK6qzkgF7AyicVCtK5hFU2JbvsOqGHoafg?key=q-BL5fMSI7LyCJlw8UfD8nEj)
4. To get the Metadata, go to the MoovingON AI Okta Application, switch to the Sign On tab and, under SAML 2.0, locate the Metadata URL. Click the Copy button to copy it.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXeTDba0Jn_VycrTzhM8752FUmYqLgWBQpTFCQKxuyKf8w0r9QGZEO55O1QHgx5REnXEwCN65iXDIi5MGK3W68qVKssAqkFPIFADczTYbbwN0VDgFpcmVWdCgB36m38FrD0Mh-Wxdw?key=q-BL5fMSI7LyCJlw8UfD8nEj)
5. Paste the Metadata into the field and leave SCIM 2.0 disabled. The metadata document is how MoovingON AI learns the Okta entity ID, sign-on URL and signing certificate. It is important to verify that we can log in through Okta before enabling SCIM 2.0, since enabling it against a broken configuration can lock us out of the app.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXewTnuVyfkKDV6XYuXji_NVt_rc5US0cnvyO9Vw9128WTCeWaQzvNO4inryQmMqEJGLESSDvp-LR8Tq8xfGqcFX8RVWN9ClfZ1H2M8pQK0heMBq_2KGmz7xQ0M0HPGA0kEkbHv4?key=q-BL5fMSI7LyCJlw8UfD8nEj)
6. Click Submit.
7. To verify functionality, log in to the Okta Application Domain used to create the application and go to the End User Dashboard.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXd-ZPrHBJvppNg1FVPfyE80dHsayiVFI0EGaH9B4AwgwKATL6jSLgBHxery_Qhd4-Yd03LfunOxozNlkawmmMFUxzCt4mSXvaFffJyN35hUEzAYdjIih9UwOyPFhBCLWDPX_ZpMcg?key=q-BL5fMSI7LyCJlw8UfD8nEj)
   Note: If the application does not appear on the screen, the user is not assigned to the app.
8. Click on MoovingON AI. The application opens without any need for a password.

---

## Configuration

**Add Okta SCIM Integration**

1. On the Okta Application Domain, go to **General >> App Settings** and click on **Edit**.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXe1ja227e7lpRIKcShk0DYfCCW9c7z3VQftM42rKIMmBAIGUEEMqsz3rCzmQii8PJWzg6nXEx0vWy7QolwTuPn6ujNyvFmS-d0h3OITM5kMr8fGiXmKajLy963WfIRT9YgGTOeD?key=q-BL5fMSI7LyCJlw8UfD8nEj)
2. Under Provisioning, mark the checkbox for Enable SCIM Provisioning.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXefxKBZ3SVkCXsF8j7yjfOjzu1lasBV3UOHUTC1aeE3M38b5_hoq9ji3xybeU6Ua0ngW7jjjozfKtCemkosNJXzJpRrj1h02-42PF44UTohOiJussZ3iOD6_jv97Sh6BnlhoyU42A?key=q-BL5fMSI7LyCJlw8UfD8nEj)
3. Go to the **Provisioning** tab and click on Edit.
   ![](https://lh7-rt.googleusercontent.com/docsz/AD_4nXcqv9sxKMbL11HQG5cbbnNnqFQve7fFKT2zgsxL6IYLw3fRV8VfhkyufkWeh8Rv-PV8xq8pZQnUGpJiJDKzOKx3aC6CqybUrUxhWTZB065b2heD1WLUhP2UKWpzQl05NXRAVqe1gQ?key=q-BL5fMSI7LyCJlw8UfD8nEj)
4. Fill in the fields:
   - **SCIM connector base URL:** `https://<MoovingON AI rest endpoint>/api/scim/v2`
   - **Unique identifier field for users:** email
   - **Supported provisioning actions:**
   ![[Pasted image 20250313140354.png]]
5. The **Basic Auth** section (Username and Password) also has to be filled in. These credentials are generated by MoovingON AI in the next two steps.
6. To obtain them, go to **MoovingON AI**, select the Okta integration we want to use and enable the **System for Cross-domain Identity Management (SCIM 2.0)** option.
   ![[Pasted image 20250313140421.png]]
7. Click on the **edit** button of that **Okta Integration** to get the credentials. Treat them as secrets: Okta sends them on every provisioning request, so store them only in the Okta app configuration.
   ![[Pasted image 20250313140442.png]]
8. Then click **Submit**.
9. Back on the **Provisioning** page of the **Okta Application Domain**, click on **Save**.
10. Under **Okta to App**, mark the following:
    ![[Pasted image 20250313140557.png]]
11. Click on **Save**.
12. Scroll down and click on **Profile Editor** (make sure you are still under Okta to App).
13. Click on Add Attribute and fill in the following:
    - **Data Type:** boolean
    - **Display name:** moovingon_ai_admin
    - **Variable name:** moovingon_ai_admin
    - **External name:** moovingon_ai_admin
    - **External namespace:** urn:ietf:params:scim:schemas:core:2.0:User
    ![[Pasted image 20250313140702.png]]
14. Repeat this for two more attributes:
    - **Data Type:** string
    - **Display name:** First Phone
    - **Variable name:** firstPhone
    - **External name:** firstPhone
    - **External namespace:** urn:ietf:params:scim:schemas:core:2.0:User
    - **Attribute length:** Less than 100
    ![[Pasted image 20250313140733.png]]
    And:
    - **Data Type:** string
    - **Display name:** Second Phone
    - **Variable name:** secondPhone
    - **External name:** secondPhone
    - **External namespace:** urn:ietf:params:scim:schemas:core:2.0:User
    - **Attribute length:** Less than 100
    ![[Pasted image 20250313140801.png]]
15. Click on the **Mappings** button (make sure you are still under **Okta to App**).
16. Change the following values, depending on whether you want each user to set their own phone number (**recommended**):
    ![[Pasted image 20250313140836.png]]
    or whether you want to push the numbers that are already defined on each Okta user:
    ![[Pasted image 20250313140856.png]]
    Every phone number must start with a '+' and a country code, e.g. '+972...'.
17. Switch the menu to **To Okta** and scroll down to **Profile Editor**.
18. Click on **Add Attribute** to add **First Phone** and **Second Phone**.
    ![[Pasted image 20250313140926.png]]
    ![[Pasted image 20250313140947.png]]
19. Go back to the **To Okta** menu, scroll down to **Okta Attribute Mappings**, set **First Phone** and **Second Phone** to have **User Permission** set to **Read-Write**, and click **Save Attribute**.
    ![[Pasted image 20250313141008.png]]

**Add a MoovingON AI Administrator group**

1. On the **Assignments** tab click on **Assign** and then on **Assign to Groups**.
2. Select the group you wish to use as the **Administrator group** and click **Done**.
3. Click on the **Edit** button and set **moovingon_ai_admin** to **true**.
   ![[Pasted image 20250313141122.png]]
   Click Save. Every member of this Okta group is provisioned as a MoovingON AI administrator, so restrict who can change its membership.

---

## FAQs

- **Q:** What is SCIM, and why is it important to verify IdP functionality before enabling it?
  **A:** SCIM (System for Cross-domain Identity Management) is a standardized protocol for exchanging user identity information between identity providers (IdPs) and service providers. Verifying IdP functionality before enabling SCIM is crucial to avoid being locked out of the application: once user accounts are managed from Okta, a broken IdP login can leave no working way back in. This preliminary validation ensures a seamless integration, preventing disruptions in user access and maintaining the security and efficiency of the identity management system.
- **Q:** Can IdP-initiated SSO function if the user in Okta lacks an account in MoovingON AI?
  **A:** No, IdP-initiated Single Sign-On (SSO) will not work if the user in Okta does not have an account in MoovingON AI. To get this functionality, add SCIM provisioning so that Okta creates the MoovingON AI user.
- **Q:** How can I verify the functionality of Okta IdP-Initiated SSO?
  **A:** Log in to the Okta Application Domain, go to the End User Dashboard, and click on MoovingON AI. If the application doesn't appear, check whether the user is assigned to the app.

---

## Related Links

- **External Resources:** [Okta Documentation](https://help.okta.com/en-us/content/index.htm)
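---

Worked example for the SAML values in Setup Instructions (the Single sign-on URL, Audience URL and Default RelayState entered in Okta, and the Entity ID and Metadata entered in MoovingON AI). This Python script is added here as an illustration; it is not code from MoovingON AI or Okta. It parses a constructed Okta-style IdP metadata document of the kind served at the Metadata URL, and checks a constructed SAML Response for the values that have to agree: Destination and Recipient against the ACS URL, Audience against the SP Entity ID, RelayState against the Default RelayState, and Issuer against the metadata entityID. The REST endpoint, unique identifier, Okta app URLs, issuer and certificate are placeholders. It checks configuration consistency only; it does not verify the XML signature, which the service provider does with the certificate taken from the metadata.

```python
"""Consistency check for the Okta SAML settings above (added example, not MoovingON AI or Okta code).

Checks that the IdP metadata and a SAML Response agree with the values entered
when creating the Okta app. All inputs are constructed samples; the endpoint,
unique identifier, Okta URLs and certificate are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values chosen when creating the Okta app (assumed placeholders).
REST_ENDPOINT = "api.example.moovingon.ai"      # <MoovingON AI rest endpoint>
UNIQUE_ID = "acme-prod-7f3c"                     # <unique_identifier>
ACS_URL = f"https://{REST_ENDPOINT}/sso/acs/"    # Single sign-on URL
SP_ENTITY_ID = ACS_URL + UNIQUE_ID               # Audience URL (SP Entity ID)
RELAY_STATE = UNIQUE_ID                          # Default RelayState

# Constructed IdP metadata in the shape Okta serves at the Metadata URL.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBsampleCERT==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.okta.com/app/acme_moovingonai_1/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response as Okta would POST it to the ACS URL (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="{ACS_URL}">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_idp_metadata(xml_text):
    """Extract the IdP entity ID, HTTP-POST sign-on URL and signing-cert fingerprint."""
    root = ET.fromstring(xml_text)
    sso = next(s for s in root.iterfind(".//md:SingleSignOnService", NS) if s.get("Binding") == POST_BINDING)
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = key.find(".//ds:X509Certificate", NS).text
    digest = hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        # Record this fingerprint; a changed IdP certificate should be a deliberate rotation.
        "signing_cert_sha256": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2)),
    }


def expected_config(idp):
    """The values MoovingON AI is configured with, from the metadata and the Okta app settings."""
    return {"idp_entity_id": idp["entity_id"], "acs_url": ACS_URL,
            "sp_entity_id": SP_ENTITY_ID, "relay_state": RELAY_STATE}


def check_response(xml_text, relay_state, expected):
    """Return the mismatches between a SAML Response and the expected config (empty = consistent)."""
    root = ET.fromstring(xml_text)
    issues = []
    if root.get("Destination") != expected["acs_url"]:
        issues.append("Destination does not match the Single sign-on URL")
    if root.findtext("saml:Issuer", namespaces=NS) != expected["idp_entity_id"]:
        issues.append("Issuer does not match the entityID from the metadata")
    if root.findtext(".//saml:Audience", namespaces=NS) != expected["sp_entity_id"]:
        issues.append("Audience does not match the Audience URL (SP Entity ID)")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected["acs_url"]:
        issues.append("SubjectConfirmationData Recipient does not match the ACS URL")
    if relay_state != expected["relay_state"]:
        issues.append("RelayState does not match the Default RelayState")
    name_id = root.findtext(".//saml:NameID", namespaces=NS) or ""
    if "@" not in name_id:
        issues.append("NameID is not an email address; MoovingON AI matches users by email")
    return issues


if __name__ == "__main__":
    idp = parse_idp_metadata(SAMPLE_METADATA)
    print(idp)
    print(check_response(SAMPLE_RESPONSE, RELAY_STATE, expected_config(idp)))   # [] on a consistent setup
```

To use it against a real tenant, replace `SAMPLE_METADATA` with the document fetched from the Metadata URL and `SAMPLE_RESPONSE` with a SAMLResponse captured from the browser (base64-decoded) during the End User Dashboard test in step 7; an empty list means the three Okta fields and the Entity ID in MoovingON AI agree, which is the state to reach before SCIM is switched on.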
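---

Worked example for the SCIM connector settings under Configuration (the connector base URL, Basic Auth credentials, and the `moovingon_ai_admin`, `firstPhone` and `secondPhone` attributes). The following Python code is added here for illustration and is not MoovingON AI's SCIM implementation. It shows what Okta pushes to `https://<MoovingON AI rest endpoint>/api/scim/v2/Users` and the checks the receiving side has to make: a constant-time comparison of the Basic credentials, `userName` as the email unique identifier, `moovingon_ai_admin` as a boolean, and phone numbers shorter than 100 characters that start with '+' and a country code. The credentials, the user and the request are constructed samples; the exact responses of the real connector are not documented on this page.

```python
"""Connector-side checks for the Okta SCIM 2.0 provisioning above (added example, not MoovingON AI code).

Everything here is a constructed sample: the Basic Auth credentials, the user
and the request are placeholders matching the fields configured in Okta.
"""
import base64
import hmac
import json
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
E164 = re.compile(r"^\+[1-9]\d{6,14}$")      # '+' followed by country code and number
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Credentials as generated on the MoovingON AI integration page (constructed sample).
EXPECTED_USER = "okta-scim"
EXPECTED_PASSWORD = "example-only-change-me"


def basic_header(user, password):
    """Build the Authorization header Okta attaches to every SCIM request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(headers, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """True only if the request carries the expected Basic credentials."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    got_user, _, got_pass = decoded.partition(":")
    # Compare both parts in constant time so neither can be guessed via timing.
    user_ok = hmac.compare_digest(got_user.encode(), user.encode())
    pass_ok = hmac.compare_digest(got_pass.encode(), password.encode())
    return user_ok and pass_ok


def validate_user(resource):
    """Return the problems found in a SCIM User resource (empty list = accept)."""
    problems = []
    if SCIM_USER not in resource.get("schemas", []):
        problems.append("missing core User schema")
    if not EMAIL.match(str(resource.get("userName", ""))):
        problems.append("userName must be the user's email (unique identifier field = email)")
    if not isinstance(resource.get("moovingon_ai_admin", False), bool):
        problems.append("moovingon_ai_admin must be boolean")
    for field in ("firstPhone", "secondPhone"):
        value = resource.get(field)
        if value in (None, ""):            # optional: users may set their own number later
            continue
        if not isinstance(value, str) or len(value) >= 100:
            problems.append(f"{field} must be a string shorter than 100 characters")
        elif not E164.match(value):
            problems.append(f"{field} must start with '+' and a country code, e.g. +972...")
    return problems


def handle(request):
    """Minimal POST /Users handler: returns (status, body) for a request dict like SAMPLE_REQUEST."""
    if not authorize(request["headers"]):
        return 401, {"schemas": [SCIM_ERROR], "status": "401", "detail": "invalid credentials"}
    resource = json.loads(request["body"])
    problems = validate_user(resource)
    if problems:
        return 400, {"schemas": [SCIM_ERROR], "status": "400", "detail": "; ".join(problems)}
    return 201, {"schemas": [SCIM_USER], "userName": resource["userName"],
                 "active": resource.get("active", True),
                 "moovingon_ai_admin": resource.get("moovingon_ai_admin", False)}


# Constructed sample of what Okta pushes for a member of the administrator group.
SAMPLE_REQUEST = {
    "method": "POST",
    "path": "/api/scim/v2/Users",
    "headers": {"Authorization": basic_header(EXPECTED_USER, EXPECTED_PASSWORD),
                "Content-Type": "application/scim+json"},
    "body": json.dumps({
        "schemas": [SCIM_USER],
        "userName": "alice@example.com",
        "name": {"givenName": "Alice", "familyName": "Example"},
        "emails": [{"value": "alice@example.com", "primary": True}],
        "active": True,
        "moovingon_ai_admin": True,
        "firstPhone": "+972501234567",
        "secondPhone": "",
    }),
}

if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST))   # (201, {...})
```

The shape of the payload is what the Profile Editor entries in steps 13 and 14 produce: the three custom attributes sit directly on the User resource because they were declared in the core `urn:ietf:params:scim:schemas:core:2.0:User` namespace, and a user whose Okta phone number lacks the leading '+' is rejected with a 400 rather than silently stored, which is the failure to look for if a number pushed from Okta (step 16, second option) never arrives.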