# Single Sign-On with OKTA

This article explains how to configure Single Sign-On (SSO) in CodeScan with Okta as your SAML 2.0 Identity Provider. It also lets you restrict the IP addresses users can log in from via SSO.

To allow users to log in via SAML SSO, CodeScan must be able to trust and rely on Okta to authenticate users wanting to log in. To establish this trust relationship, you must configure Okta and CodeScan so both parties can exchange authentication information.

When SSO is enabled, users and groups logging into CodeScan are redirected to the Okta login page. After successful authentication, they are redirected to the AutoRABIT Dashboard.

**Who can use this feature**

1. Only Organization Admins can set up SAML SSO.
2. You will need an existing Okta account to set up SAML SSO with Okta.

### Step 1: Enabling Single Sign-On in CodeScan <a href="#step-1-enabling-single-signon-in-codescan" id="step-1-enabling-single-signon-in-codescan"></a>

Before configuring SSO in OKTA, you must enable SSO in CodeScan.

1. In **CodeScan**, click on the **`Profile`** icon on the right corner of the screen and select your organization (under **`My Organizations`**).\
   ![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FlNJKKRZJkynjP7opbdOQ%2Fimage.png?alt=media\&token=e8adae02-5f8c-4ea4-9dd0-365ee16983ae)
2. Go to **`Administration > SAML Connections`**.\
   ![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FOV5E0v0ft9X42PfIXgBg%2Fimage.png?alt=media\&token=be03e1f3-55f6-4a54-876d-3c2c68ed3683)
3. Click on **`Create Connection`**.<br>

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FIu1W8mHgT1zjETiemzrr%2Fimage.png?alt=media&#x26;token=638639f0-d25a-4ed7-b8a3-eeb417ef998d" alt=""><figcaption></figcaption></figure>
4. In the **`Connection name`** field, enter the name under which the identity provider should appear (use only Latin letters, with no spaces or special characters).\
   **Example-** `OKTA-SAML`
5. In the **`Corporate domain`** field, enter your organization's domain name; it must be a domain the Identity Provider can authenticate. ***This property cannot be updated after SAML Connection creation.***\
   **Example**- *In case of `abc@autorabit.com`, the **corporate domain** will be `autorabit.com`*.
6. Keep the **`Enforce SSO`** checkbox unchecked for now. You can enable *Enforce SSO* later when your domain has been confirmed. Once enabled, only SSO authentication will be allowed for email addresses of your corporate domain.

   Point to Note:

   * Enforcing SSO affects both login and signup. Existing *Auth0* users won't be able to log in.
   * Signup with an email domain that matches the corporate domain won't be allowed.
   * If **`Enforce SSO`** is enabled prematurely, it will prevent all **users in your organization** from accessing CodeScan. Consider enforcing SSO only after admins have logged in to CodeScan using SSO.
7. Keep the **`SAML Connection status`** checkbox as **`Enabled`** and click the **`Create`** button.<br>

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F2vJgL9fnz00H0tO4OYGu%2Fimage.png?alt=media&#x26;token=27073120-609a-4131-80fd-d1e08ec11124" alt="" width="563"><figcaption></figcaption></figure>
8. You will be able to see the **`Metadata URL`** generated for your SSO configuration. Keep the current page open while you continue to add the CodeScan app to OKTA.<br>

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F4kDNEHvjnexLyuTOv8mh%2Fimage.png?alt=media&#x26;token=a7782286-6d38-4b2c-8fa3-a17435e32a0c" alt=""><figcaption></figcaption></figure>

### Step 2: Adding CodeScan as an App in OKTA <a href="#step-2-adding-codescan-as-an-app-in-okta" id="step-2-adding-codescan-as-an-app-in-okta"></a>

Set up the CodeScan application in Okta so that it can provide the configuration information CodeScan needs.

1. Sign in to Okta. You must have the Applications **`Admin`** permission.
2. If you don’t have an Okta organization, you can create a free Okta Developer Edition organization here: <https://developer.okta.com/signup/>
3. Navigate to the **`Admin`** dashboard.
4. From the main menu, go to **`Applications > Applications`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FSJiDBmVdJJmcosFqE3Hq%2Fimage.png?alt=media&#x26;token=829033b8-3937-482b-9ff8-d236b59dc714" alt="" width="252"><figcaption></figcaption></figure>

5. Click on **`Create App Integration`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F1VERoeMJQyN7RlyF6Cgn%2Fimage.png?alt=media&#x26;token=39de28cc-23a6-4246-b881-f4652a35780a" alt="" width="471"><figcaption></figcaption></figure>

6. In the next auto-populated dialog box, select the second option, i.e., **`SAML 2.0`**, and click on **`Next`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F4kkiHTHhWRsAChouFDoN%2Fimage.png?alt=media&#x26;token=d947a62a-3bf4-4715-8177-2490925ce611" alt="" width="563"><figcaption></figcaption></figure>

7. In the **`General Settings`**, enter **`CodeScan`** in the App name field, upload the **`CodeScan logo`** and click on the **`Next`** button.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FTYxvVayap9xwErS9karq%2Fimage.png?alt=media&#x26;token=6357d313-e7e2-43ad-90d8-5c1feb69e84f" alt="" width="563"><figcaption></figcaption></figure>

8. In the **`Configure SAML`** tab, do the following:

   * **`Single sign on URL`**: Enter the **`URL`** in the following format: *`{instanceurl}/_codescan/login/saml2/sso/{connection_id}`*\
     **For example:** If your *instance URL* is `https://app.codescan.io` and the *connection\_id* is `OKTA-SAML`, your SSO URL would be *`https://app.codescan.io/_codescan/login/saml2/sso/OKTA-SAML`*
   * **`Audience URI (SP Entity ID)`**: Enter your *connection\_id* in this field. **Example:** `OKTA-SAML`

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FDWXmJWSW9GPX9T35Aws5%2Fimage.png?alt=media&#x26;token=5fe3445d-b807-4bad-8df7-f20cdb5ed1bc" alt="" width="563"><figcaption></figcaption></figure>

{% hint style="info" %}
**Where can I find my Connection ID?**

Your connection id is the last path segment of the **Metadata URL** generated inside CodeScan.

**For example:** *Metadata URL*- <https://app.codescan.io/_codescan/saml2/metadata/OKTA-SAML>\
*Connection Id*: OKTA-SAML
{% endhint %}

9. On the same screen, in the **`Attribute Statements`** panel, add the following mandatory attributes and map them to the corresponding Okta properties:

| Name            | Name format   | Value            |
| --------------- | ------------- | ---------------- |
| `saml_email`    | `Unspecified` | `user.email`     |
| `saml_username` | `Unspecified` | `user.login`     |
| `saml_name`     | `Unspecified` | `user.firstName` |

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FIyge7QftxaBgiDN0TV1L%2Fimage.png?alt=media&#x26;token=b5c4606f-e878-4e7b-ba94-40bd5e8bbb57" alt="" width="563"><figcaption></figcaption></figure>

10. Click **`Next`** to continue.
11. Under the **`Feedback`** section, select the option: **`I'm an Okta customer adding an internal app`** and click the checkbox next to the text **`"This is an internal application that we created"`**, and click on the **`Finish`** button.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FeWufXbdzDXhdm6ckSqAo%2Fimage.png?alt=media&#x26;token=ba6087e3-844c-427f-9130-43f46650facb" alt="" width="563"><figcaption></figcaption></figure>

12. Go to the **`Assignment`** tab, and click **`Assign > Assign to People`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FRMn7mq3T3AJGyUcDM8Sb%2Fimage.png?alt=media&#x26;token=5f15efa0-7b42-4508-b316-064abfcb2fbd" alt="" width="546"><figcaption></figcaption></figure>

13. Next, select the listed **`users`** and click on **`Assign`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FKeVRwN9CLPEa0LF3jk5J%2Fimage.png?alt=media&#x26;token=79fa8f76-0f7d-4226-9b1c-977c4bb6b965" alt="" width="544"><figcaption></figcaption></figure>

14. After you assign the user, click **`Save and Go Back`** and then click **`Done`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FvpNe2OOX9689D3jIMdF8%2Fimage.png?alt=media&#x26;token=17df89d1-e6bb-4e34-8263-6309f829fec1" alt="" width="544"><figcaption></figcaption></figure>

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FLdHg8O2g7vxgHKeoQEm7%2Fimage.png?alt=media&#x26;token=7be71ac8-a8f2-4b75-9fdb-561c61c1205c" alt="" width="450"><figcaption></figcaption></figure>
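The values entered in Step 2.8 and the attribute map in Step 2.9 determine what CodeScan's SAML endpoint will accept. The following Python script is an added example (not CodeScan's or Okta's own code) that derives the Okta-side settings from the CodeScan Metadata URL, and then shows, on a constructed sample assertion, the two checks a service provider applies to those settings: the assertion's `Audience` must equal the connection id entered as **Audience URI**, and all three mandatory attributes (`saml_email`, `saml_username`, `saml_name`) must be present. The connection-id character rule and the `/_codescan/saml2/metadata/<id>` path shape are assumptions taken from the page's examples; signature verification is out of scope here and is not what this script demonstrates.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names CodeScan expects, mapped to the Okta profile properties
# from the Attribute Statements table.
REQUIRED_ATTRIBUTES = {
    "saml_email": "user.email",
    "saml_username": "user.login",
    "saml_name": "user.firstName",
}

# Assumed validation rule: Latin letters, digits, '-' and '_' only
# (the page asks for no spaces or special characters; OKTA-SAML is its example).
CONNECTION_ID_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def connection_id_from_metadata_url(metadata_url: str) -> str:
    """Extract the connection id from a CodeScan Metadata URL.

    Assumed path shape: /_codescan/saml2/metadata/<connection_id>
    """
    path = urlparse(metadata_url).path.rstrip("/")
    prefix = "/_codescan/saml2/metadata/"
    if not path.startswith(prefix):
        raise ValueError(f"not a CodeScan SAML metadata URL: {metadata_url}")
    connection_id = path[len(prefix):]
    if not CONNECTION_ID_RE.match(connection_id):
        raise ValueError(f"invalid connection id: {connection_id!r}")
    return connection_id


def sp_settings(instance_url: str, connection_id: str) -> dict:
    """Values to paste into Okta's 'Configure SAML' screen for this connection."""
    base = instance_url.rstrip("/")
    return {
        "single_sign_on_url": f"{base}/_codescan/login/saml2/sso/{connection_id}",
        "audience_uri": connection_id,
        "metadata_url": f"{base}/_codescan/saml2/metadata/{connection_id}",
    }


def extract_user_attributes(assertion_xml: str, expected_audience: str) -> dict:
    """Check the assertion's audience and pull out the three mandatory attributes.

    An assertion issued for a different Audience URI is rejected, so a
    mistyped Audience in Okta fails closed; a missing attribute is an error
    rather than a silently empty user record.
    """
    root = ET.fromstring(assertion_xml)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: expected {expected_audience!r}, got {audiences}")

    found = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name in REQUIRED_ATTRIBUTES:
            value = attr.find("saml:AttributeValue", SAML_NS)
            found[name] = (value.text or "").strip() if value is not None else ""

    missing = [n for n in REQUIRED_ATTRIBUTES if not found.get(n)]
    if missing:
        raise ValueError(f"assertion is missing mandatory attributes: {missing}")
    return found


# Constructed sample assertion (not a real Okta response); only the parts this
# example reads are included.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>OKTA-SAML</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="saml_email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>abc@autorabit.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="saml_username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>abc@autorabit.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="saml_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>Abc</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    cid = connection_id_from_metadata_url("https://app.codescan.io/_codescan/saml2/metadata/OKTA-SAML")
    print(sp_settings("https://app.codescan.io", cid))
    print(extract_user_attributes(SAMPLE_ASSERTION, cid))
```

Running it with a different `expected_audience` than the one in the sample (for example a second connection's id) raises `ValueError`, which is the behaviour you want: an assertion Okta issued for one SAML connection cannot be replayed against another.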

### Step 3: Configuring SAML Connection in CodeScan <a href="#step-3-configuring-saml-connection-in-codescan" id="step-3-configuring-saml-connection-in-codescan"></a>

Once the application is created, you will need to enter the identity provider data from OKTA into CodeScan.

1. In **OKTA**, go to the **`Sign On`** tab and navigate to the **`SAML Signing Certificates`** section.
2. For **SHA-2**, click on **`Actions > Download Certificate`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F47Rrxd3zrtligYzAWl2S%2Fimage.png?alt=media&#x26;token=757d4bb1-1446-4a03-8cfb-e429329e27be" alt="" width="563"><figcaption></figcaption></figure>

3. Open the downloaded certificate in a text editor such as Notepad. You will need to copy the content of the certificate into the **`X509 Signing Certificate`** field of the CodeScan SAML connection \[***Step 7.c** below*].
4. Click on the **`Actions > View IdP metadata`**.

<figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FpVhMPTTupuKwTynKaCkl%2Fimage.png?alt=media&#x26;token=b5c51b3d-b1c8-499f-a338-8b0bafd2cc2a" alt="" width="563"><figcaption></figcaption></figure>

5. A new tab will open, which displays the IdP metadata file in XML format.
6. In **CodeScan**, on the **`SAML`** page, go to **`Actions`** and click on **`Edit`**.<br>

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FNCiQ7kuMHXsTpeNrNG2H%2Fimage.png?alt=media&#x26;token=f5163804-3e4f-4a88-baa1-a1c3adb23802" alt=""><figcaption></figcaption></figure>
7. Enter the following values:

   * **`Provider Entity Id`**: Copy the **entityID** value and paste it into **`Provider Entity Id`** inside CodeScan.
   * **`Sign In URL`**: Copy the **SingleSignOnService Location** value and paste it into the **`Sign In URL`** inside CodeScan.

   <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F3Ulqf19xfYZuLhLNw7Le%2Fimage.png?alt=media&#x26;token=c3088ed2-c7cc-460c-aefd-61eebbdc0157" alt=""><figcaption></figcaption></figure>

   * Copy the content of the downloaded certificate \[*refer to **Step 2** above to download the certificate*] into the **`X509 Signing Certificate`** field of the CodeScan SAML connection.<br>

     <figure><img src="https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2F5ItPOdC8ViGGHO8jJddC%2Fimage.png?alt=media&#x26;token=69d9c9ec-5fd0-4cd8-a224-e764332c3d59" alt=""><figcaption></figcaption></figure>
8. Click **`Update`** on the CodeScan page.
9. The next step is to confirm your corporate domain to get SSO working. You can confirm your domain by raising a request via [CodeScan Support](mailto:support@autorabit.com).
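Steps 2 to 7 above copy three values by hand out of the IdP metadata XML and the downloaded certificate. The Python script below is an added example (not part of this page or of CodeScan's or Okta's tooling) that reads the same metadata document and pulls out the `entityID`, the `SingleSignOnService` Location and the `use="signing"` certificate, and then checks that the certificate you downloaded is actually one the metadata advertises, so a stale or wrong file is caught before it is pasted into the **`X509 Signing Certificate`** field. The sample metadata, entity id, URL and certificate bytes are constructed placeholders, not real Okta values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the values CodeScan asks for out of an IdP metadata document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor document")
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("metadata has no entityID or no IDPSSODescriptor")

    # Okta lists the same Location for HTTP-POST and HTTP-Redirect; prefer POST
    # and fall back to whichever service is listed first.
    services = idp.findall("md:SingleSignOnService", NS)
    if not services:
        raise ValueError("no SingleSignOnService element")
    post = [s for s in services if s.get("Binding", "").endswith("HTTP-POST")]
    sign_in_url = (post or services)[0].get("Location")

    # Only certificates marked use="signing" (or unmarked, which per the SAML
    # metadata spec means both uses) may verify assertion signatures.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")
    return {"entity_id": entity_id, "sign_in_url": sign_in_url, "signing_certs": certs}


def to_pem(cert_b64: str) -> str:
    """Wrap a bare base64 certificate as PEM, validating the base64 first."""
    base64.b64decode(cert_b64, validate=True)
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_body(pem_text: str) -> str:
    """Strip PEM armour and whitespace from a downloaded certificate file."""
    lines = [ln.strip() for ln in pem_text.splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return "".join(lines)


def downloaded_cert_matches_metadata(downloaded_pem: str, metadata: dict) -> bool:
    """True if the certificate about to be pasted is one the IdP advertises."""
    return pem_body(downloaded_pem) in metadata["signing_certs"]


# Constructed placeholder certificate bytes (valid base64, not a real X.509 cert).
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate " * 3).decode()

# Constructed sample in the shape of Okta's IdP metadata; values are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/EXAMPLE-ENTITY-ID">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.okta.com/app/example/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.okta.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print("Provider Entity Id:", meta["entity_id"])
    print("Sign In URL:       ", meta["sign_in_url"])
    print("X509 Signing Certificate:\n" + to_pem(meta["signing_certs"][0]))
    print("downloaded file matches:", downloaded_cert_matches_metadata(to_pem(FAKE_CERT_B64), meta))
```

If Okta lists more than one signing certificate (which happens during key rotation), `signing_certs` holds all of them; paste the one whose expiry is furthest out, and re-run the match check after a rotation so the value in CodeScan is never left pointing at a retired key.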

### Step 4: Testing the Single Sign-On Configuration <a href="#step-4-testing-the-single-signon-configuration" id="step-4-testing-the-single-signon-configuration"></a>

1. Log out of the CodeScan Console, and then log back in using the **`Log in with SAML2`** option.\
   ![](https://1912836914-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F9vAxMuDrkUkB4OXlH9CL%2Fuploads%2FY1O6Ai4taK06XNm0ONiR%2Fimage.png?alt=media\&token=ae3d4c64-69fd-487b-859b-8a23abb19100)
2. In the **`Your Company email`** field, enter the corporate domain name you configured when enabling SSO in CodeScan. **For example**- *`autorabit.com`*
3. After authentication, you should be redirected to the CodeScan **`Organization`** page.

Okta's documentation on setting up network zones, which restrict access to apps registered in Okta, is available here: <https://help.okta.com/oie/en-us/content/topics/security/network/network-zones.htm>.
