This guide will take you through the steps for configuring Okta as the SAML IDP for your HyperComply account, allowing your users to authenticate to HyperComply through Okta instead of the usual email/password combination.
What to expect:
- First we’ll log into HyperComply and copy a value we’ll need for Okta configuration.
- Next we’ll create the HyperComply Okta “Application” and configure it for HyperComply SAML.
- Finally we’ll copy some values from our new Okta Application into HyperComply so HyperComply can securely validate SAML assertions from Okta.
HyperComply Configuration
- Navigate to https://app.hypercomply.com/settings/saml_config
- Copy the value of the “SAML ACS Endpoint” at the bottom of the screen.
- Keep this tab open and complete the steps below; at the end of this process you will need to enter some values from Okta on this screen.
Okta Application Creation
1. Log into Okta as an administrator
2. Navigate to Applications/Applications and click “Create App Integration”
- Choose “SAML 2.0” and click “Next”
- Enter display details for the new Application as normal. Click “Next”.
- Paste the “SAML ACS Endpoint” URL copied from the HyperComply settings into the “Single sign on URL” and “Audience URI” fields.
- Set “Name ID format” to “EmailAddress”
- Set “Application username” to “Email”
- Add these attributes to the “Attribute Statements” section:
Name | Name format | Value
--- | --- | ---
 | Unspecified | user.email
firstName | Unspecified | user.firstName
lastName | Unspecified | user.lastName
3. Click “Next” then “Finish”
4. In the “Sign On” tab of the newly created “HyperComply” application, click the “View SAML Setup Instructions” button.
- Note: this section requires copying values from Okta into the HyperComply SAML configuration form opened in the “HyperComply Configuration” section above. If you don’t have the tab open anymore, return to the page here: https://app.hypercomply.com/settings/saml_config.
- In Okta: copy the value from the “Identity Provider Single Sign-On URL” field
- In HyperComply: paste the value into the “IDP Endpoint URL” field
- In Okta: copy the value from the “Identity Provider Issuer” field
- In HyperComply: paste the value into the “IDP Entity ID” field
- In Okta: copy the value from the “X.509 Certificate” field
- In HyperComply: paste the value into the “IDP Certificate” field
- In HyperComply: check the “Enable SAML” checkbox and click “Save”.
At this point you have finished connecting your Okta SAML IDP to HyperComply, and users can now log into HyperComply from Okta. Any user that logs into HyperComply via Okta will have an account created for them (if they don’t already have one). To allow Okta users to log into HyperComply, assign them to the HyperComply “Application” you created above in Okta.
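As an added illustration (not HyperComply’s or Okta’s own code), here is what the values copied above let the service provider check on an incoming assertion: the Issuer must equal the configured IDP Entity ID, the Audience must equal the ACS endpoint (since the guide puts the ACS URL in the Audience URI field), the signing certificate must be the configured IDP Certificate, the NameID must be in EmailAddress format, and the firstName/lastName attribute statements must be present. The issuer, ACS endpoint and certificate strings below are constructed placeholders, and the cryptographic XML-DSig verification itself is assumed to be done by an XML signature library and is not shown.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName")

# Constructed sample assertion: issuer, audience and certificate are placeholders,
# not real HyperComply or Okta values.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>http://www.okta.com/EXAMPLE-ISSUER-ID</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>EXAMPLE-BASE64-CERT</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="%s">jane@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://app.hypercomply.com/EXAMPLE-ACS-ENDPOINT</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % EMAIL_FORMAT

def check_assertion(xml_text, idp_entity_id, acs_endpoint, idp_cert):
    """Return (problems, profile): failed checks, and the user data to provision."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer does not match configured IDP Entity ID")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if acs_endpoint not in audiences:
        problems.append("audience does not match configured ACS endpoint")
    # Compare against the cert configured in HyperComply, never trust the one embedded
    # in the message on its own; the signature value must then be verified with an
    # XML-DSig library against idp_cert (assumed, not shown here).
    cert = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    if "".join(cert.split()) != "".join(idp_cert.split()):
        problems.append("signing certificate is not the configured IDP Certificate")
    name_id = root.find(".//saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is not in EmailAddress format")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing attribute statement: " + name)
    profile = {"email": name_id.text if name_id is not None else None,
               "firstName": attrs.get("firstName"), "lastName": attrs.get("lastName")}
    return problems, profile
```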
SCIM Configuration
By default, any SAML provider will use Just In Time user provisioning, meaning that a user authorized in Okta will have an account provisioned for them as they log into HyperComply via SAML for the first time. To have users synced directly between Okta assignments and HyperComply, you can enable SCIM provisioning:
- In the ‘HyperComply’ Okta App Settings, click Edit
- Under provisioning, select SCIM
- Click “Save”
- You will now see a “Provisioning” tab available - click it.
- Under SCIM Connection, click “Edit”
- In HyperComply, navigate to the SAML configuration screen at https://app.hypercomply.com/settings/saml_config.
- Under SCIM Configuration, click “Enable SCIM”
- Copy the “SCIM Endpoint URL” and paste it into the field “SCIM connector base URL” in Okta
- For “Unique identifier field for users”, enter “email”
- For “Supported provisioning actions”, only user/profile actions are supported. Select the desired actions.
- For “Authentication Mode”, select “HTTP Header”
- Click “Create SCIM Token” in HyperComply and copy the token shown in the “Bearer Token” field into the “Authorization” field in Okta
- Click “Test Connector Configuration”; you should see a success screen with checkmarks next to your desired actions.
- Click “Save”
You have now enabled SCIM for the application. You can now enable the desired Provisioning Actions in Okta. Note that “Sync Password” is not currently supported.
If you have any further questions or troubles regarding your setup, submit a request to our team here.