# Okta Integration

## Okta integration instructions

By integrating Arnica with Okta single sign-on (SSO), you can ensure that all users authenticating with Arnica do so through your organization's managed Okta provisioning and de-provisioning.

Setting up the integration requires steps in both Arnica and Okta. The details are below.

## Get organization ID in Arnica

1. Sign into Arnica <https://app.arnica.io/> and click on your avatar.

   <div align="center"><figure><img src="https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-4028c5588911a68457610cf51884f768c5e5e57f%2F2023-08-16%2012_15_28-Window.png?alt=media" alt="" width="414"><figcaption></figcaption></figure></div>
2. Select *Edit Account*
3. Copy the *Organization ID* (we will call it `YOUR_ARNICA_ORGANIZATION_ID` in the next steps in this guide).

<div align="center"><figure><img src="https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-a3d83934c89a34126a46606a7850af1bfcabf28b%2F2023-08-16%2012_19_29-Window.png?alt=media" alt="" width="375"><figcaption></figcaption></figure></div>

## Add app integration in Okta <a href="#h_da97c7ef24" id="h_da97c7ef24"></a>

The following steps must be completed by an Okta administrator:

1. Go to the following URL: `https://{YOUR_OKTA_ADMIN_DOMAIN}.okta.com/admin/apps/active`. For example: <https://company-admin.okta.com/admin/apps/active>. This page will result in a 404 error if you do not have permissions.
2. Click the *Create App Integration* button.
3. In the dialog that opens, select *SAML 2.0*

   <figure><img src="https://downloads.intercomcdn.com/i/o/773854810/3266d73e7b06511e769d1661/cc966173-98f9-4541-9541-63f95a4eb4c2" alt=""><figcaption></figcaption></figure>
4. In *General Settings*, set the following:

   *App name:* Arnica\
   *App logo*: you can download the logo from [here](https://app.arnica.io/img/ArnicaA-DarkMode-OnDark.png) and upload it to Okta

   <figure><img src="https://downloads.intercomcdn.com/i/o/773854969/c371389f6c1224d5e42722ea/06e102ad-6b65-4cea-aa15-acfa7a36bbe5" alt=""><figcaption></figcaption></figure>
5. In *Configure SAML* -> A: *SAML Settings*
   1. In *General*

      *A. Single sign-on URL*: enter `https://arnica-prod.us.auth0.com/login/callback?connection={YOUR_ARNICA_ORGANIZATION_ID}`

      *B. Audience URI (SP Entity ID)*: enter `urn:auth0:arnica-prod:{YOUR_ARNICA_ORGANIZATION_ID}`\
      C. Leave the other fields with their default value.
   2. In *Attribute Statements*, add the following mappings (these statements are case sensitive):

      | Name            | Name format | Value          |
      | --------------- | ----------- | -------------- |
      | email           | Unspecified | user.email     |
      | given\_name     | Unspecified | user.firstName |
      | family\_name    | Unspecified | user.lastName  |
      | email\_verified | Unspecified | `true`         |
   3. In *Group Attribute Statements*, add the following mapping:

      | Name   | Name format | Filter                 |
      | ------ | ----------- | ---------------------- |
      | groups | Unspecified | Starts with: `arnica-` |

      ⚠️ **IMPORTANT**: The filter must match the directory groups, i.e. with the filter above, Okta will send only groups that start with `arnica-` (case sensitive).
   4. Click *Next*\
      (Though the section title says “Optional” this step is required for Arnica integration)
   5. In *Feedback*

      *A. Are you a customer or partner?* Mark “I'm an Okta customer adding an internal app”

      <figure><img src="https://downloads.intercomcdn.com/i/o/773857739/80f15aca848e602f8fa68186/98476910-06ac-481a-8c13-cd9f208407d7" alt=""><figcaption></figcaption></figure>

      B. Leave other fields empty and click *Finish*
6. Under *Sign On -> Settings -> Sign on methods -> SAML 2.0*, click on *More details*

   <figure><img src="https://downloads.intercomcdn.com/i/o/773857594/73c8a0cd13cecfd074dc3867/3f78d026-91ce-4fdc-a689-60b279d6a0cb" alt="" width="375"><figcaption></figcaption></figure>

   <figure><img src="https://downloads.intercomcdn.com/i/o/773857615/cef4e5e3ba822aa55076fb40/e0fe24ed-c5e0-4af1-b8a3-89da1310987a" alt=""><figcaption></figcaption></figure>

   1. Copy the Sign on URL

   2. Download the Signing Certificate

8. Send the following to <support@arnica.io>.
   1. Subject: SSO Onboarding Request
   2. Email domain: the domain for which you would like to set up SSO, e.g., yourcompany.com
   3. Arnica Organization ID: your Arnica organization ID obtained earlier.
   4. Sign on URL: the Sign on URL from the step above.
   5. Attach the Signing Certificate from the step above.
   6. Leave a contact phone number and available times for Arnica’s customer success to help with the onboarding process.
   7. We are typically fast at responding to these requests, but please allow up to 1-2 business days to get confirmation.
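
One way to confirm the SAML settings from step 5 before sending the onboarding request, as an added example (not Arnica's or Okta's code): it checks a decoded assertion from a test sign-in for the Audience URI, the single sign-on URL, the case-sensitive attribute names and the `arnica-` group prefix. The function names, the `EXAMPLE-ORG-ID` placeholder and the sample assertions are constructed for illustration; the check covers content only and does not verify the XML signature.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "given_name", "family_name", "email_verified")
ORG = "EXAMPLE-ORG-ID"  # constructed placeholder for YOUR_ARNICA_ORGANIZATION_ID

def check_assertion(xml_text, org_id, prefix="arnica-"):
    """Return a list of problems in a decoded SAML assertion (empty list = OK)."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = f"urn:auth0:arnica-prod:{org_id}"
    acs = f"https://arnica-prod.us.auth0.com/login/callback?connection={org_id}"
    if audience not in [a.text for a in root.iterfind(".//s:Audience", NS)]:
        problems.append(f"Audience URI is not {audience}")
    recipients = [c.get("Recipient") for c in root.iterfind(".//s:SubjectConfirmationData", NS)]
    if acs not in recipients:
        problems.append(f"Single sign-on URL (Recipient) is not {acs}")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("s:AttributeValue", NS)]
             for a in root.iterfind(".//s:Attribute", NS)}
    for name in REQUIRED:
        if name not in attrs:
            # A wrongly cased name (e.g. Email) is the usual cause: names are case sensitive.
            near = [n for n in attrs if n.lower() == name]
            hint = f" (found {near[0]!r}, names are case sensitive)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
    if attrs.get("email_verified", ["true"]) != ["true"]:
        problems.append("email_verified must be the literal value true")
    groups = attrs.get("groups", [])
    if not groups:
        problems.append(f"no groups sent: does any directory group start with {prefix!r}?")
    problems += [f"group {g!r} lacks prefix {prefix!r}" for g in groups if not g.startswith(prefix)]
    return problems

def build_sample(org_id, attrs):
    """Build a constructed assertion fragment for the demo (not real Okta output)."""
    stmts = "".join(
        f'<s:Attribute Name="{n}">'
        + "".join(f"<s:AttributeValue>{v}</s:AttributeValue>" for v in vals)
        + "</s:Attribute>" for n, vals in attrs.items())
    acs = f"https://arnica-prod.us.auth0.com/login/callback?connection={org_id}"
    return (f'<s:Assertion xmlns:s="{NS["s"]}"><s:Subject><s:SubjectConfirmation>'
            f'<s:SubjectConfirmationData Recipient="{acs}"/></s:SubjectConfirmation></s:Subject>'
            f'<s:Conditions><s:AudienceRestriction><s:Audience>urn:auth0:arnica-prod:{org_id}'
            f'</s:Audience></s:AudienceRestriction></s:Conditions>'
            f'<s:AttributeStatement>{stmts}</s:AttributeStatement></s:Assertion>')

BASE = {"given_name": ["Ada"], "family_name": ["Example"], "email_verified": ["true"]}
GOOD = build_sample(ORG, {**BASE, "email": ["ada@example.com"], "groups": ["arnica-admins"]})
BAD = build_sample(ORG, {**BASE, "Email": ["ada@example.com"]})  # wrong case, no groups
```

An empty list from `check_assertion` means the assertion matches the values in this guide; each string in a non-empty list names one setting to correct in Okta.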
