This documentation is no longer updated. Please visit New Afi Documentation Center.
The Okta integration lets Afi users connect an Okta company account to an Afi account and set up Okta SSO for the Afi application. Afi supports both service provider-initiated and identity provider-initiated authentication flows, providing a seamless login experience for Okta users.
How to enable authentication with Okta
The following section explains how to integrate Afi with your Okta account.
Step 1 - Install Afi application from Okta marketplace
As a first step, please log in to your Okta administrator account and install the Afi application from the Okta Integrations marketplace.
Create the application in your Okta directory with the suggested settings:
Step 2 - Set up authentication
Once the application is created, go to the Sign On tab and click the View SAML setup instructions button at the bottom of the page.
On the SAML setup instructions page you will find the following items that are required for further configuration:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
- Okta Company ID
Now you are ready to finish the Okta authentication configuration on the Afi side. Please go to the Service → Settings → Okta tab in the Afi portal, fill in the provided fields and press Save.
Step 3 - Add users to the application
You can assign users who should be able to access Afi through Okta via the application's Assignments tab:
Please note that the Okta integration maps Okta users to already existing Afi user accounts and doesn't provision new Afi accounts. The Afi account model in turn relies on the connected Google Workspace or Microsoft 365 tenants and synchronises its account list with them. Since this resource synchronisation happens once per 24 hours, in rare cases an Okta user may have just been created while there is no corresponding user account on the Afi side yet. If this happens, the Afi account administrator needs to manually trigger resource synchronisation by clicking on the wheel icon in the top-right corner of the Service → Protection screen in the Afi Backup panel.
Authentication modes
Afi supports both service provider-initiated and identity provider-initiated authentication flows.
Service provider-initiated authentication
The service provider-initiated flow starts on the custom Afi login screen for Okta (https://app.afi.ai/login-okta), where a user is prompted to enter their Okta company ID and then proceed with Okta authentication. Upon successful authentication, the user is redirected to the Afi Backup panel.
Identity provider-initiated authentication
The identity provider-initiated flow starts from a user's home page in Okta (My Applications). In this flow, the user clicks on the Afi application icon, and the Afi application then communicates with Okta to authenticate the user. This happens transparently to the user and doesn't require entering credentials, since the user is already authenticated with Okta. On success, the user is redirected to the Afi Backup panel.