Okta integration allows Afi users to connect an Okta company account to their Afi account and set up Okta SSO for the Afi application. Afi supports both service provider-initiated and identity provider-initiated authentication flows, providing a seamless login experience for Okta users.
Note: This feature is not available in a standard Afi SaaS backup subscription. Please contact sales@afi.ai for more details.
How to enable authentication with Okta
The following section explains how to integrate Afi with your Okta account.
Step 1 - Create and configure SAML application
To set up the integration, create a new SAML 2.0 application in the Okta administrator console, then follow the wizard to configure the application settings and collect the information required for the authentication setup on the Afi side.
The first wizard screen (General Settings) defines how the application is named and shown in your Okta organisation.
The next screen (General) contains the SAML-specific settings, including the SSO URL, Audience URI, attribute mapping rules, etc. Fill in the SAML configuration for the application as described below:
- https://app.afi.ai/dex/callback as Single sign on URL and Audience URI
- accountd as Default RelayState
- Persistent as Name ID format
- user.getInternalProperty("id") as Custom format for Application username
Attribute Statements:
- name - user.firstName + " " + user.lastName
- email - user.email
- groups - user.groups
Advanced settings should remain at their defaults.
On the last wizard screen please mark the application as an internal one and save the application.
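Before handing the setup details to Afi Support, it is worth confirming that the application actually emits what the settings above describe. The following added example (not Afi's or Okta's own code) parses a SAML assertion, such as one produced by Okta's "Preview SAML Assertion" button, and reports any mismatch with the documented Audience URI, persistent Name ID format and name/email/groups attribute statements; the embedded assertion is a constructed sample with placeholder values and no signature.

```python
# Added example, not Afi's or Okta's code: check a SAML assertion against the
# settings documented above. Signature verification is deliberately out of scope.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EXPECTED_AUDIENCE = "https://app.afi.ai/dex/callback"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REQUIRED_ATTRS = {"name", "email", "groups"}

# Constructed sample assertion (unsigned; the NameID and values are placeholders).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">00uEXAMPLEID</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://app.afi.ai/dex/callback</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Everyone</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text: str) -> list:
    """Return a list of mismatches against the documented Afi settings (empty = OK)."""
    root = ET.fromstring(xml_text)  # works for a bare Assertion or a full Response
    problems = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    audiences = {a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)}
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience URI {EXPECTED_AUDIENCE} missing (got {sorted(audiences)})")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - attrs.keys()):
        problems.append(f"attribute statement '{missing}' missing")
    email = (attrs.get("email") or [None])[0]
    if not email or "@" not in email:
        problems.append("email attribute is empty or not an address")
    return problems


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION) or "assertion matches documented Afi settings")
```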
Step 2 - Setup authentication
Once the application is created, go to the Sign On tab and click the View Setup Instructions link.
On the application setup instructions page you will find the following items, which are needed for further configuration:
- Identity Provider Single Sign-On URL
- Identity Provider Issuer
- X.509 Certificate
Please contact Afi Support (support@afi.ai) and provide the above items together with your Okta Company ID (https://{company ID}.okta.com) to finish the Okta integration.
Step 3 - Add users to the application
You can assign the users who should be able to access Afi through Okta via the application's Assignments tab.
Please note that Okta integration maps users from Okta to already existing Afi user accounts and doesn't provision new Afi accounts. The Afi account model in turn relies on the connected G Suite or Office 365 tenants and synchronises the account list with them. Since this resource synchronisation happens once per 24 hours, in rare cases an Okta user may have just been created while there is no corresponding user account on the Afi side yet. If this happens, the Afi account administrator needs to trigger resource synchronisation manually by clicking the wheel icon in the top-right corner of the Service -> Protection screen in the Afi Backup panel.
Authentication modes
Afi supports both service provider-initiated and identity provider-initiated authentication flows.
Service provider-initiated authentication
The service provider-initiated flow starts on the custom Afi login screen for Okta (https://app.afi.ai/login-okta), where the user is prompted to enter their Okta company ID and then proceeds with Okta authentication. On successful authentication, the user is redirected to the Afi Backup panel.
Identity provider-initiated authentication
The identity provider-initiated flow starts from the user's home page in Okta (My Applications). In this flow the user clicks the Afi application icon; the Afi application then communicates with Okta to authenticate the user (this happens transparently to the user and doesn't require entering credentials, since the user is already authenticated with Okta) and, on success, redirects the user to the Afi Backup panel.