Setting up SAML 2.0 and SCIM 2.0 with Okta
Written by Dino Hrgetić
Updated over a week ago

SAML 2.0

  1. In Okta > Applications, click Create App Integration and choose SAML 2.0 application.

  2. Name the application (e.g., Favro).

  3. Set the following values:


    Single sign-on URL: https://favro.com/saml/assert
    Audience URI (SP Entity ID): https://favro.com/saml/metadata.xml
    Name ID format: EmailAddress
    Application username: Email

  4. In the ATTRIBUTE STATEMENTS subsection, add the following:

    • givenName -> user.firstName

    • familyName -> user.lastName

    • favroRole -> user.favroRole

  5. Select "I’m a software vendor. I’d like to integrate my app with Okta" and click Finish.

  6. In Favro, go to Administration > Authentication Methods and click Configure on SAML authentication.

  7. Enter your domain in the field, click the Add domain button, and complete the on-screen domain verification instructions.

  8. In the application you just created in Okta, navigate to the Sign On tab, scroll down the page, and click the View SAML setup instructions button.

  9. Copy your Okta configuration to Favro.

    1) Copy from Identity Provider Single Sign-On URL to SAML login url.

    2) Copy from Identity Provider Issuer to SAML logout url.

    3) Copy from X.509 Certificate to SAML identity provider certificate.


  10. (Optional) In Favro, select whether members will be automatically added to the organization when they sign in.

  11. Make sure to apply the changes by clicking Save configuration at the bottom of the page in Favro.


SCIM 2.0

  1. In the SAML app you previously created, navigate to the General tab, make sure Enable SCIM provisioning is checked, and save the changes.

  2. The Provisioning tab will now be visible. Navigate to the tab, click Edit and provide the following information:


    SCIM connector base URL: https://favro.com/api/scim/v2

    Unique identifier field for users: email

    Push groups, Push Profile Updates, Push New Users: Check

    Authentication mode: HTTP Header

    Bearer: copy from Favro > Administration > Authentication methods > your domain > SCIM API token

    Then test the configuration to ensure everything is working so far.

  3. Navigate to Directory > Profile Editor and edit the User (default) profile.

  4. Click on Add Attribute and define the following values:

    • Display name: Favro Role

    • Variable name: user.favroRole

    • Define enumerated list of values: checked, and add:

      • Administrator : Administrator

      • Full Member : Full Member

      • External member : External Member

      • Guest : Guest

  5. Repeat the process for the SAML application user that will be used for this integration. In our case, that would be Favro User. All the values are exactly the same as in the previous step; the only difference is the External namespace field, which should be set to urn:ietf:params:scim:schemas:core:2.0:User

  6. At the top of the Profile Editor page click on Mappings.

  7. Make sure appuser.favroRole is mapped to favroRole in both Favro to Okta User and Okta User to Favro tabs.

  8. Navigate to the SAML application used for this integration > Provisioning tab > To App > Edit.
    Make sure the following options are checked:

    • Create users

    • Update User Attributes

    • Deactivate Users


(Optional) Admin users cannot be provisioned by default. To allow it, enable the option in Favro > Administration > Authentication methods > your domain > Provision users with administrator role.

(Important) If the user role is not defined in their profile at the time of provisioning, users will be provisioned with the Full Member role by default.
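To confirm that Okta sends what the SAML steps above configure, the following added example (not part of the original article and not Favro's or Okta's code) checks a decoded assertion from a test sign-in against the URLs, Name ID format, attribute statements and role values listed on this page. The sample assertion is constructed, the name `check_assertion` is hypothetical, and the role values are assumed to be the right-hand entries of the enumerated list.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "https://favro.com/saml/metadata.xml"   # Audience URI from this page
RECIPIENT = "https://favro.com/saml/assert"        # Single sign-on URL from this page
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLES = {"Administrator", "Full Member", "External Member", "Guest"}  # assumed enum values

# Constructed sample assertion; ROLE is a placeholder replaced by the caller.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ana@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData Recipient="https://favro.com/saml/assert"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://favro.com/saml/metadata.xml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="familyName"><saml:AttributeValue>Test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="favroRole"><saml:AttributeValue>ROLE</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text):
    """Return configuration findings; an empty list means the assertion matches the guide.
    Diagnostic only: it does not verify the signature and must not be used to accept logins."""
    root = ET.fromstring(xml_text)  # parse only assertions captured from your own IdP
    findings = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID format is not EmailAddress")
    conf = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != RECIPIENT:
        findings.append("Recipient does not match the single sign-on URL")
    audiences = root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if AUDIENCE not in [(a.text or "").strip() for a in audiences]:
        findings.append("Audience URI is missing or wrong")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in ("givenName", "familyName"):
        if not attrs.get(name):
            findings.append(f"Attribute {name} is missing or empty")
    role = attrs.get("favroRole")
    if not role:  # the page's (Important) note: unset role falls back to Full Member
        findings.append("favroRole not set: provisioning would default to Full Member")
    elif role not in ROLES:
        findings.append(f"favroRole value {role!r} is not in the enumerated list")
    return findings

if __name__ == "__main__":
    print(check_assertion(SAMPLE.replace("ROLE", "Guest")))
```
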
