Back to top

Connect to Okta

Last updated December 6th, 2023

Okta provides secure services for user identity and authentication that are based on System for Cross-domain Identity Management (SCIM) 2.0 and OpenID Connect (OIDC) protocol.

You can integrate and connect Knox Manage with Okta services using the cloud-based Knox Manage MDM app available on the Okta portal. When connected and configured, the user and group information in your Okta tenant is synced with Knox Manage.

Consider the following while integrating with Okta:

  • Syncing of organizations isn’t currently supported.

  • User authentication is executed directly by Okta.

  • Multi-factor authentication (MFA) is supported and set up in the Okta portal. Knox Manage follows the MFA set up in Okta.

  • SCIM setting is required to enable user provisioning and synchronization.

    • Make note of the tenant URL and secret token information before saving your settings in the Okta portal. You can only renew this information after the settings are saved.
  • OIDC setting is required to enable user authentication. You can configure OIDC before SCIM, or after SCIM is set and user information sync is successful.

Connect Knox Manage to Okta through OIDC

To connect Knox Manage with Okta through OIDC for user authentication:

  1. In the Okta console, go to Applications > Applications, and click Create App Integration.

    Create app integration

  2. On the Create a new app integration screen, select OIDC – OpenID Connect and Single-Page Application, and click Next.

    Settings for the app integration

  3. Specify App integration name, Grant type, Sign-in redirect URI, and user access under Controlled access. Click Save.

    Note

    Ensure the CRS information in Sign-in redirect URIs is correct to avoid errors during user authentication. Enter the following URI for Knox — https://crs.manage.samsungknox.com/crs/auth/callback.

    Specify CRS details

  4. (Optional) To activate MFA for user authentication in the Knox Manage app, edit User Authentication settings, and select Any two factors as the Authentication policy.

    Edit user authentication settings

    Select two factors for authentication policy

  5. (Optional) If the OIDC application is configured for Knox Manage, copy and save Client ID displayed in the General tab.

    Copy client ID

  6. To configure OIDC Discovery URL and Client ID in the Knox Manage console and enable user authentication, specify an authorization server in the Okta portal. To do so, go to Security > API > Authorization Servers, and select a server.

    Note

    If no authorization server is added, only the Default authorization server is displayed.

    Specify authentication server

  7. Copy Metadata URI from the Settings tab on the Authorization Server detail page.

    Copy Metadata URI

  8. On the Knox Manage console, go to Setting > Identity & Directory > Connection > Add Connection, and integrate Okta’s OIDC authentication as follows:

    • Select Okta (SCIM) for Connection Type

    • Select Use for User Authentication

    • Enter the previously copied Okta OIDC client ID in the Client ID field

    • Enter the previously copied Okta OIDC metadata URI in the Discovery URL field

    Caution

    • All SCIM settings must be completed in one go. Refer to the following section for details.

    • If you set user authentication as Do not use, OIDC authentication must be configured after the SCIM provisioning is set and the sync for device enrollment is successful.

    Configure OIDC authentication and provisioning settings

Connect Knox Manage to Okta through SCIM for user provisioning and sync

To enable automatic user provisioning, you must configure settings in the Knox Manage console and in the Okta portal.

Once configured, Okta automatically provisions and de-provisions users and groups to Knox Manage using the Okta provisioning service. The following capabilities are supported:

  • Creation of users and groups in Knox Manage

  • Deactivation of users in Knox Manage when they do not require access anymore

  • Sync of user attributes between Okta and Knox Manage

  • Provisioning of groups and group memberships in Knox Manage

To learn more about how Okta works with SCIM, see Okta’s article on What is SCIM?

Prerequisites

  • An Okta organization

  • A Knox Manage tenant

  • A user account in Okta with permission to configure provisioning

  • A Knox Manage user account with administrator permissions

Step 1 — Configure Knox Manage to support provisioning with Okta

  1. Sign in to the Knox Manage console.

  2. Go to Setting > Identity & Directory > Connection and click Add.

  3. On the Add Connection page, set Connection Type as Okta (SCIM).

  4. Copy the Tenant URL and Secret Token and ensure to keep them accessible for later use in the Okta portal. The secret token cannot be retrieved, it can only be reissued.

    • If you need to reissue the secret token, go to Setting > Identity & Directory > Connection. Click the required connection to view its information, click Details for Token Expiration, and click Replace Token in the Token Details dialog.
  5. Click Save.

Step 2 –– Register the SCIM App in Okta

  1. Sign in to Okta and navigate to Applications > Applications > Browse App Catalog.

    Browse App Catalog button on the Applications page

  2. Search for and select the Samsung Knox Manage app and click Add Integration. For details, see Okta’s article on how to Add an app integration to Okta.

    Search and select Samsung Knox Manage

    Click Add Integration

    General settings for the app

  3. Open Samsung Knox Manage in the portal, navigate to General > App Setting, click Edit, and select the following and click Save:

    • Do not display application icon to users
    • Auto-launch the app when user signs into Okta

    Set display and auto-launch options for the app

Step 3 — Enable SCIM API integration in Okta

  1. Navigate to Provisioning, and click Configure API integration.

    Configure API integration

  2. Select Enable API integration.

  3. Paste the Tenant URL and Secret Token values you copied from the Knox Manage console into the Base URL and API Token fields respectively.

    Paste the values copied from Knox Manage console

  4. Click Test API Credentials. If the test passes, select Save.

    If the test fails, ensure that the Tenant URL and Secret Token are correct and the connection was properly saved and try again.

    Test API credentials

  5. Under Settings, click To App.

  6. Click Edit and enable the provisioning options you want to use. For example, you can map user attributes or leave them with default settings.

    Specify provisioning options

  7. Finally, map attributes for the Samsung Knox Manage app. If there is nothing to modify, you can leave the default mapping as is.

    Retain default mapping

Step 4 — Assign people or groups to the app

After adding Knox Manage to Okta, configure the Okta provisioning service to create, update, and disable users and groups in Knox Manage based on the user and group assignments in Okta.

  1. In Okta, navigate to Assignments > Assign > Assign to People or Assign to Groups.

    Configure provisioning of users and groups

  2. Click Assign for the required people or groups that you want to assign to Knox Manage. When you assign a group to Knox Manage, all users in that group are automatically assigned to the application.

  3. Click Done.

Step 5 — Push groups to the app

  1. Navigate to Push Groups, then click By name. Enter the name of the okta group you want to push to Knox Manage, then click Save.

    Search Okta group to push to Knox Manage

    Push Okta group to Knox Manage

  2. Review the pushed groups to ensure that all required groups are pushed.

    Verify all groups are pushed

  3. Groups and their members can be pushed to Knox Manage as users and group members. For more about using group push operations, see Using Group Push.

Note

  • SCIM Provisioning of Samsung Knox Manage does not support Okta LINK GROUPS.

  • The Organization of the Okta user profile is mapped to Organization Code in Knox Manage. If the Okta user’s Organization does not exist, it belongs to the default organization in Knox Manage, and if the organization does not exist in Knox Manage, it is not applied to the user of Knox Manage.

Is this page helpful?