Okta SSO on Privado Cloud

Configure your Privado cloud account for Okta Single Sign-On

Written by Nikhil Kukade

To set up Okta integration on Privado Cloud, first you'll need to create an Okta application, then you can set up login with Okta in the Privado app.

Follow along with the video, or use the written steps below.

Create Okta Application Integration

  1. Ensure that you have an admin role in Okta.

  2. Access your Okta domain (e.g., https://trial-5760180.okta.com/).

  3. Navigate to the Admin Panel.

  4. Expand the side panel and select Applications.

  5. Click on the Child Applications link.

  6. Choose Create App Integration.

  7. Select "OIDC - OpenID Connect" as the integration type.

  8. Choose "Web Application" and click Next.

  9. Provide "Privado" as the Application Name.

  10. In the Grant type section, check Refresh Token in addition to Authorization Code, which is checked by default.

  11. Enter https://code.privado.ai/login in the Sign-out redirect URIs input.

  12. Scroll to the bottom and, under Controlled access, select "Allow everyone in your organization to access". "Enable immediate access with Federation Broker Mode" is selected by default.

  13. Click Save.

  14. Copy the Client ID and Client Secret from the General Tab of the newly created application.

  15. Go to the Sign On tab.

  16. Edit the OpenID Connect ID Token section and change the "Issuer" from dynamic to your Okta domain. Save the details.

  17. Copy the URL from the issuer field (e.g., https://trial-5760180.okta.com).

  18. Navigate to the Okta API Scopes tab.

  19. Search for okta.myAccount.profile.read in the list and click on grant.

  20. Change the filter on the left to "Granted" and confirm that okta.myAccount.profile.read is listed.

JIT Provisioning with Okta

  1. Create groups for Privado and assign them to your employees:

    1. Privado-SuperAdmin, Privado-Admin, Privado-Developer, Privado-Member

  2. Go to the application created above to allow groups to be sent in the token.

  3. Go to the Sign On tab and edit the "OpenID Connect ID Token" section.

  4. Add a groups claim filter with the condition "Starts with" and the value 'Privado'. This ensures that only groups relevant to Privado are sent in the token and any internal roles are excluded. (This assumes the groups from step 1 use the Privado prefix; if you chose a different naming scheme, adjust the filter accordingly.)

  5. Click Save.

  6. Log in to the Privado dashboard and navigate to Settings, then Roles.

If Privado has access to pull groups, they will be listed there and you can map each one to a Privado role. If Privado does not have access to pull groups, a text area is shown instead of the dropdown and you can enter the group names manually.

Your Okta setup is complete. Users can log in via Okta with JIT provisioning, or you can invite them via email.
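As an added illustration (not Privado's or Okta's own code), the Python below applies the same "Starts with Privado" rule to the groups claim of a decoded ID token and maps the surviving groups to Privado roles, after checking that the token's issuer matches the Okta domain pinned in step 16 and that its audience matches the Client ID copied in step 14. It assumes the token signature has already been verified; the client ID, subject and sample group list are constructed placeholders.

```python
# Constructed example values; the issuer is the page's example domain, the
# client ID is a placeholder, not a real Okta credential.
OKTA_ISSUER = "https://trial-5760180.okta.com"
CLIENT_ID = "example-client-id"

# Okta group (JIT step 1) -> Privado role it maps to in the dashboard.
GROUP_TO_ROLE = {
    "Privado-SuperAdmin": "SuperAdmin",
    "Privado-Admin": "Admin",
    "Privado-Developer": "Developer",
    "Privado-Member": "Member",
}

def filter_groups(groups, prefix="Privado"):
    """Same effect as the Okta groups-claim filter 'Starts with <prefix>'."""
    return [g for g in groups if g.startswith(prefix)]

def check_claims(claims, issuer=OKTA_ISSUER, client_id=CLIENT_ID):
    """Reject a token whose issuer or audience differ from the configured values."""
    if claims.get("iss") != issuer:
        raise ValueError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError("token was not issued for this client ID")

def roles_from_claims(claims, prefix="Privado"):
    """Return the sorted Privado roles granted by the token's groups claim.
    Returns None when no groups claim is present, i.e. Privado could not pull
    groups and the dashboard falls back to manual group entry."""
    check_claims(claims)
    groups = claims.get("groups")
    if groups is None:
        return None
    wanted = filter_groups(groups, prefix)
    return sorted({GROUP_TO_ROLE[g] for g in wanted if g in GROUP_TO_ROLE})

def accepts(claims):
    """True if the issuer and audience checks pass, False otherwise."""
    try:
        check_claims(claims)
        return True
    except ValueError:
        return False

# Constructed sample of decoded ID-token claims (signature assumed verified).
SAMPLE_CLAIMS = {
    "iss": OKTA_ISSUER,
    "aud": CLIENT_ID,
    "sub": "00u-example-user",
    "groups": ["Everyone", "Privado-Developer", "Engineering", "Privado-Member"],
}
```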
