Connect to Okta

Okta provides secure services for user identity and authentication that are based on System for Cross-domain Identity Management (SCIM) 2.0 and OpenID Connect (OIDC) protocol.

You can integrate and connect Knox Manage with Okta services using the cloud-based Knox Manage MDM app available on the Okta portal. When connected and configured, the user and group information in your Okta tenant is synced with Knox Manage.

Consider the following while integrating with Okta:

• Syncing of organizations isn’t currently supported.

• User authentication is executed directly by Okta.

• Multi-factor authentication (MFA) is supported and set up in the Okta portal. Knox Manage follows the MFA set up in Okta.

• SCIM setting is required to enable user provisioning and synchronization.

  • Make note of the tenant URL and secret token information before saving your settings in the Okta portal. You can only renew this information after the settings are saved.

• OIDC setting is required to enable user authentication. You can configure OIDC before SCIM, or after SCIM is set and user information sync is successful.

Connect Knox Manage to Okta through OIDC

To connect Knox Manage with Okta through OIDC for user authentication:

1. In the Okta console, go to Applications > Applications, and click Create App Integration.

   

2. On the Create a new app integration screen, select OIDC – OpenID Connect and Single-Page Application, and click Next.

   

3. Specify App integration name, Grant type, Sign-in redirect URI, and user access under Controlled access. Click Save.

   Ensure the CRS information in Sign-in redirect URIs is correct to avoid errors during user authentication. Enter the following URI for Knox — https://crs.manage.samsungknox.com/crs/auth/callback.

   

4. (Optional) To activate MFA for user authentication in the Knox Manage app, edit User Authentication settings, and select Any two factors as the Authentication policy.

   

   

5. (Optional) If the OIDC application is configured for Knox Manage, copy and save Client ID displayed in the General tab.

   

6. To configure OIDC Discovery URL and Client ID in the Knox Manage console and enable user authentication, specify an authorization server in the Okta portal. To do so, go to Security > API > Authorization Servers, and select a server.

   If no authorization server is added, only the Default authorization server is displayed.

   

7. Copy Metadata URI from the Settings tab on the Authorization Server detail page.

   

8. On the Knox Manage console, go to Setting > Identity & Directory > Connection > Add Connection, and integrate Okta’s OIDC authentication as follows:

   • Select Okta (SCIM) for Connection Type

   • Select Use for User Authentication

   • Enter the previously copied Okta OIDC client ID in the Client ID field

   • Enter the previously copied Okta OIDC metadata URI in the Discovery URL field

   • All SCIM settings must be completed in one go. Refer to the following section for details.

   • If you set user authentication as Do not use, OIDC authentication must be configured after the SCIM provisioning is set and the sync for device enrollment is successful.

   

Connect Knox Manage to Okta through SCIM for user provisioning and sync

To enable automatic user provisioning, you must configure settings in the Knox Manage console and in the Okta portal.

Once configured, Okta automatically provisions and de-provisions users and groups to Knox Manage using the Okta provisioning service. The following capabilities are supported:

• Creation of users and groups in Knox Manage

• Deactivation of users in Knox Manage when they do not require access anymore

• Sync of user attributes between Okta and Knox Manage

• Provisioning of groups and group memberships in Knox Manage

To learn more about how Okta works with SCIM, see Okta’s article on What is SCIM?

Prerequisites

• An Okta organization

• A Knox Manage tenant

• A user account in Okta with permission to configure provisioning

• A Knox Manage user account with administrator permissions

Step 1 — Configure Knox Manage to support provisioning with Okta

1. Sign in to the Knox Manage console.

2. Go to Setting > Identity & Directory > Connection and click Add.

3. On the Add Connection page, set Connection Type as Okta (SCIM).

4. Copy the Tenant URL and Secret Token and ensure to keep them accessible for later use in the Okta portal. The secret token cannot be retrieved, it can only be reissued.

   • If you need to reissue the secret token, go to Setting > Identity & Directory > Connection. Click the required connection to view its information, click Details for Token Expiration, and click Replace Token in the Token Details dialog.

5. Click Save.

Step 2 –– Register the SCIM App in Okta

1. Sign in to Okta and navigate to Applications > Applications > Browse App Catalog.

   

2. Search for and select the Samsung Knox Manage app and click Add Integration. For details, see Okta’s article on how to Add an app integration to Okta.

   

   

   

3. Open Samsung Knox Manage in the portal, navigate to General > App Setting, click Edit, and select the following and click Save:

   • Do not display application icon to users
   • Auto-launch the app when user signs into Okta

   

Step 3 — Enable SCIM API integration in Okta

1. Navigate to Provisioning, and click Configure API integration.

   

2. Select Enable API integration.

3. Paste the Tenant URL and Secret Token values you copied from the Knox Manage console into the Base URL and API Token fields respectively.

   

4. Click Test API Credentials. If the test passes, select Save.

   If the test fails, ensure that the Tenant URL and Secret Token are correct and the connection was properly saved and try again.

   

5. Under Settings, click To App.

6. Click Edit and enable the provisioning options you want to use. For example, you can map user attributes or leave them with default settings.

   

7. Finally, map attributes for the Samsung Knox Manage app. If there is nothing to modify, you can leave the default mapping as is.

   

Step 4 — Assign people or groups to the app

After adding Knox Manage to Okta, configure the Okta provisioning service to create, update, and disable users and groups in Knox Manage based on the user and group assignments in Okta.

1. In Okta, navigate to Assignments > Assign > Assign to People or Assign to Groups.

   

2. Click Assign for the required people or groups that you want to assign to Knox Manage. When you assign a group to Knox Manage, all users in that group are automatically assigned to the application.

3. Click Done.

Step 5 — Push groups to the app

1. Navigate to Push Groups, then click By name. Enter the name of the okta group you want to push to Knox Manage, then click Save.

   

   

2. Review the pushed groups to ensure that all required groups are pushed.

   

3. Groups and their members can be pushed to Knox Manage as users and group members. For more about using group push operations, see Using Group Push.