This page provides information on how to configure Corporate Sign In to Chaos services with Okta.
Overview
In this section we explore how you can integrate your Okta identity provider with Chaos, so that your employees benefit from the Corporate Sign In functionality.
Prerequisites
Before doing the steps in this section, make sure to reach out to Chaos first to request the Corporate Sign In feature.
In order to proceed with configuring login with SSO through Okta, you must:
- Have administrative access to an Okta tenant
- Have a Chaos account with an active commercial subscription
Supported Features
Chaos supports the following features for Single Sign-On using OpenID Connect:
- SP-initiated SSO (Single Sign-On)
Chaos supports the following features for automated user provisioning using SCIM:
- Create users
- Update user attributes
- Deactivate users
- Import users
Features with limited support:
- Deleting a user in Okta currently has no effect on the corresponding account in Chaos.
- When a user's primary email (login email) is changed, a new user is provisioned in Chaos.
For more information on the listed features, visit the Okta Glossary.
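Because of the two limitations above, Chaos accounts can outlive the Okta identity they were provisioned from. The following added example (not part of the Chaos or Okta documentation) reconciles two user lists and flags active Chaos accounts that no longer map to a live Okta user. The CSV exports and their column names (`login`, `status`, `email`, `active`) are assumptions made for this example; the page does not describe an export format for either side.

```python
import csv
import io

# Constructed sample data. The column names are assumptions for this example;
# the page does not describe an export format for either side.
OKTA_USERS_CSV = """login,status
alice@example.com,ACTIVE
bob.new@example.com,ACTIVE
carol@example.com,DEPROVISIONED
"""

CHAOS_ACCOUNTS_CSV = """email,active
alice@example.com,true
bob.old@example.com,true
bob.new@example.com,true
carol@example.com,true
dave@example.com,true
erin@example.com,false
"""

# Okta user statuses that should not hold a usable account downstream.
INACTIVE_OKTA = {"SUSPENDED", "DEPROVISIONED"}


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_accounts(okta_rows, chaos_rows):
    """Return {email: reason} for active Chaos accounts with no live Okta user."""
    okta = {r["login"].strip().lower(): r["status"].strip().upper() for r in okta_rows}
    findings = {}
    for row in chaos_rows:
        email = row["email"].strip().lower()
        if row["active"].strip().lower() != "true":
            continue  # already deactivated on the Chaos side
        status = okta.get(email)
        if status is None:
            # Deleted in Okta, or the old address left behind by a login change.
            findings[email] = "no matching Okta user"
        elif status in INACTIVE_OKTA:
            findings[email] = "Okta user is " + status
    return findings


if __name__ == "__main__":
    stale = find_stale_accounts(load(OKTA_USERS_CSV), load(CHAOS_ACCOUNTS_CSV))
    for email, reason in sorted(stale.items()):
        print(f"{email}: {reason}")
```

Accounts reported as "no matching Okta user" are the ones to review by hand, since neither an Okta deletion nor a login email change removes them from Chaos.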
Adding the Chaos Application to Okta
- Log in to your Okta portal and navigate to the Applications page.
- Select Browse App Catalog
- Search for the Chaos application and select it.
- From the Chaos app page, select ➕App Integration
- Enter Application label - Chaos, then click Done
Configuration by Chaos Support
As part of your initial request to Chaos Support, you will be asked to provide several configuration details.
- In the Sign On tab, under Settings, copy the Client ID and Client Secret
- Open the OpenID Provider Metadata link, and copy the Issuer URL
- Provide the Issuer URL, Client ID, Client Secret, Domain name, and Chaos administrator account to Chaos Support.
- The Chaos Support team will perform the initial configuration as needed. After this is done, you can proceed with the next steps.
Configuring Okta for Single Sign-on to Chaos (OpenID Connect)
- From the application page, under the Assignments tab, use the Assign menu to assign people and groups to the application.
Configuring Okta for automatic user provisioning (SCIM)
- From the application page, under the General tab, click Edit on the App Settings section:
  - Enter SCIM URL as provided by Chaos support
  - Save
- Navigate to the Provisioning tab and click Configure API Integration
  - Check Enable API Integration.
  - Set API Token as provided by Chaos Support
  - Click the Test API Credentials button to verify that the credentials are working
  - Save
- Edit the Provisioning to App section:
  - Enable Create Users, Update User Attributes, Deactivate Users
  - Save
- Validate the Attribute Mappings as shown in the screenshot. Make sure that the following attribute mappings are defined as a minimum:
  - Username, Given Name, Family Name, Email, Primary Email Type
Using the Single Sign-on (SP-initiated SSO)
After the Chaos application has been configured, users can use their corporate credentials to sign in to Chaos.
- From the Chaos Sign-in screen, select Continue with corporate email
- Enter your corporate email and click Next
- You will be redirected to the Okta sign-in page, where you can use your corporate credentials to sign in
- If your credentials are valid, you will be logged into Chaos.
Troubleshooting
If you encounter any issues during the setup process, do not hesitate to reach out to Chaos Support.