Okta SSO/OIDC Guide

Korean version: https://blog.selectfromuser.com/ko-okta

Select Admin can be configured with an Identity Provider to enable Single Sign-On (SSO). This article shows how to configure Okta as the primary Identity Provider to facilitate SSO with the Select Admin application for each subdomain.

Contents

  • Supported features
  • Configuration steps
  • Role mapping with Okta Group Claims
  • IdP-initiated SSO
  • Troubleshoot

Supported features

Requirements

  • An admin user who can access the SelectAdmin page.
  • Okta administrator
  • Select Platform: Business plan or higher with a paid add-on subscription.

Configuration steps

(Subject to change)
Okta admin page > Applications > Browse App > Select Admin

The app requires a "Select Domain" value; you can find the domain in the browser address bar.

Here, the Select Domain is hello-okta.selectfromuser.com (omit the "https://" prefix).

[1] Gather information from Okta

  1. In the Okta admin page, click the SelectAdmin application and then open the Sign On tab
  2. Copy the values of Client ID and Client secret (click the eye button to toggle the visibility)
  3. There should be a section that has a link titled OpenID Provider Metadata. Click this link. In the JSON document shown, look for a key titled “issuer” and copy the URL-value

[2] Submit the information to SelectAdmin

  1. In the SelectAdmin page, go to Settings > Security and click the 'Activate' button in the "OIDC (Okta)" section
  2. Paste your Client ID, Client secret and Issuer URL into the form. The issuer must include the authorization-server path: /oauth2/default for the default custom authorization server, or /oauth2/<server name> for a named one. The value you enter has to equal the "issuer" key of the metadata document exactly; a bare Okta domain without the /oauth2/... suffix is the most common mistake
  3. Open YOUR_SUBDOMAIN.selectfromuser.com; a new Okta button should appear for continuing with SSO.
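Before pasting values into SelectAdmin it is worth checking that the Issuer URL, the metadata document and the ID token all agree. The script below is an added example, not code from SelectAdmin or Okta; the Okta domain example.okta.com, the client ID 0oaHYPOTHETICAL and the metadata document are constructed placeholders. It builds the issuer for a named authorization server, derives the discovery URL, compares the entered issuer with the metadata's issuer key, and inspects the iss/aud claims of an ID token (payload inspection only; signature verification against the issuer's JWKS is still required by the relying party).

```python
"""Added example (not part of the SelectAdmin or Okta documentation):
sanity-check the values gathered in steps [1] and [2]. Runs offline on
constructed sample data."""
import base64
import json


def expected_issuer(okta_domain: str, auth_server: str = "default") -> str:
    """Issuer for an Okta custom authorization server:
    https://<okta domain>/oauth2/<server name>.
    A pasted 'https://' prefix and trailing slashes are tolerated."""
    host = okta_domain.strip()
    for prefix in ("https://", "http://"):
        if host.startswith(prefix):
            host = host[len(prefix):]
    return f"https://{host.rstrip('/')}/oauth2/{auth_server}"


def metadata_url(issuer: str) -> str:
    """Location of the OpenID Provider Metadata (OIDC Discovery)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_issuer(entered_issuer: str, metadata_json: str) -> tuple:
    """Compare the issuer typed into SelectAdmin with the metadata's
    'issuer' key. Returns (ok, message)."""
    declared = json.loads(metadata_json).get("issuer", "")
    if declared == entered_issuer.rstrip("/"):
        return True, "issuer matches metadata"
    return False, f"entered {entered_issuer!r} but metadata declares {declared!r}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a JWT for inspection only. This does NOT verify
    the signature; never grant access on the basis of this function."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_id_token(id_token: str, issuer: str, client_id: str) -> list:
    """Return a list of iss/aud inconsistencies (empty list means consistent)."""
    claims = id_token_claims(id_token)
    problems = []
    if claims.get("iss") != issuer.rstrip("/"):
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")
    return problems


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned sample token (alg 'none', empty signature) so the
    checks have offline input. Real Okta ID tokens are RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed metadata document, shaped like Okta's but for a placeholder org.
SAMPLE_ISSUER = "https://example.okta.com/oauth2/default"
SAMPLE_METADATA = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/v1/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/v1/token",
    "jwks_uri": SAMPLE_ISSUER + "/v1/keys",
})
SAMPLE_CLIENT_ID = "0oaHYPOTHETICAL"  # placeholder, not a real client ID


if __name__ == "__main__":
    print(metadata_url(expected_issuer("https://example.okta.com/")))
    print(check_issuer("https://example.okta.com", SAMPLE_METADATA))  # suffix missing
    print(check_issuer(SAMPLE_ISSUER, SAMPLE_METADATA))
    token = make_sample_id_token({"iss": SAMPLE_ISSUER, "aud": SAMPLE_CLIENT_ID,
                                  "sub": "user@example.com"})
    print(check_id_token(token, SAMPLE_ISSUER, SAMPLE_CLIENT_ID))
```

Fetch the real metadata with a plain GET on the URL that metadata_url() returns and feed the response body to check_issuer(); a False result almost always means the /oauth2/<server> suffix was dropped or a different authorization server was selected in Okta.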

Role mapping with Okta Group Claims

Security > API > Authorization Servers > choose your server (default)

  1. Create a new scope (if one does not exist yet): in the Add scope form, set Name to groups
  2. Create a new claim: in the Add claim form, select ID Token and Always in the dropdowns. In the Value type section, select Groups. You can add an optional Filter to limit the groups that are synced (filter by prefix where possible; .* still matches all groups)
  3. Enable group mapping: in the SelectAdmin page, go to Settings > Security and turn the option on.
  4. Specify the group-to-role mappings: the left side (group name) comes from Okta and the right side (admin role) from SelectAdmin.
Test your account and roles first, then turn on Force SSO; once Force SSO is on, a broken mapping locks everyone out of password sign-in.
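The following is an added example, not SelectAdmin's own code, of how the groups claim in an ID token turns into an admin role under the mapping above, and of the two ways it silently fails: a claim filter that drops a group you mapped, and a misspelled group name that SelectAdmin cannot validate. The role names Editor and Admin, the most-privileged-wins precedence, the regex-with-full-match filter semantics and the group lists are assumptions made for the example.

```python
"""Added example (not SelectAdmin code): group claim -> admin role mapping."""
import re

# Hypothetical role ladder; only 'Viewer' is named on the page.
ROLE_RANK = {"Viewer": 0, "Editor": 1, "Admin": 2}

# Constructed sample: the group list as shown in the Okta admin page.
KNOWN_GROUPS = ["Everyone", "select-admin", "select-viewers", "engineering"]

# Constructed mapping; note the deliberate typo 'select-admn'.
MAPPING = {"Everyone": "Viewer", "select-admin": "Admin", "select-admn": "Admin"}


def filter_groups(groups, okta_filter):
    """Model of the Okta claim filter: only groups matching the regex are
    emitted in the 'groups' claim. Full-match semantics are an assumption;
    '.*' passes everything and 'select-.*' acts as a prefix filter."""
    return [g for g in groups if re.fullmatch(okta_filter, g)]


def resolve_role(groups, mapping):
    """Return the highest-ranked role among the user's mapped groups, or None
    when nothing matches (the user exists but has no access to the team)."""
    roles = [mapping[g] for g in groups if g in mapping]
    if not roles:
        return None
    return max(roles, key=lambda r: ROLE_RANK[r])


def unmapped_mapping_entries(mapping, known_groups):
    """SelectAdmin does not validate group spellings; compare the mapping
    against the groups that actually exist in Okta to catch typos."""
    return sorted(g for g in mapping if g not in known_groups)


def mapped_groups_dropped_by_filter(mapping, okta_filter):
    """Mapped groups that the claim filter would never emit, so their mapping
    can never apply (e.g. 'Everyone' behind a 'select-.*' filter)."""
    return sorted(g for g in mapping if not re.fullmatch(okta_filter, g))


if __name__ == "__main__":
    user_groups = ["Everyone", "engineering"]
    print(resolve_role(filter_groups(user_groups, ".*"), MAPPING))         # Viewer
    print(resolve_role(filter_groups(user_groups, "select-.*"), MAPPING))  # None
    print(unmapped_mapping_entries(MAPPING, KNOWN_GROUPS))                 # ['select-admn']
    print(mapped_groups_dropped_by_filter(MAPPING, "select-.*"))           # ['Everyone']
```

Run unmapped_mapping_entries() and mapped_groups_dropped_by_filter() against your real mapping before enabling Force SSO; both lists should be empty.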

IdP-initiated SSO

Users can sign in by clicking the SelectAdmin app tile on the Okta dashboard or in the Okta browser plugin.

Troubleshoot

Please contact us via chat or in the Slack community.

  • Visiting /logout forces a sign-out.
  • Without group sync, a new user is created but has no access to the team.
  • Without group sync, accounts with the same email can only be accessed through Okta.
  • With group sync, mapping 'Everyone' to 'Viewer' lets all employees sign in with no extra grant.
  • With group sync, role updates are logged by the cloud.
  • Since SelectAdmin does not cache or store group names from your Okta, misspelled group names in the mapping are not validated.
  • We cannot turn off any security option at the request of a non-verified admin, for any reason; only the owner can.
