Authentication: MFA and SSO

This document covers how to set up additional authentication parameters including MFA, Active Directory, SCIM and SAML.

Contents

Setting up SCIM

Setting up SAML

Setting up SCIM

This document provides information for setting up Okta SCIM 2.0 provisioning with Cavrnus. If you use a different identity provider, please contact us for assistance.

Supported Features

The Okta/Cavrnus SCIM integration currently supports the following provisioning actions for users assigned the Cavrnus application in Okta:

  • Okta to Cavrnus New Users
  • Okta to Cavrnus Profile Updates

Upon receiving a new user or updates to an existing user, Cavrnus will assign a license automatically if there are licenses available.

Setup Guide

  1. In Cavrnus, navigate to Account Info, find the SCIM 2.0 Provisioning feature, and click Configure.
  2. If it is not already enabled, toggle Allow provisioning of users using SCIM 2.0. The Connector base URL and Authorization token settings will become visible. You will need these settings to configure SCIM provisioning in Okta.
  3. In another browser tab, log in to your Okta account.
  4. Navigate to Applications and click on the Cavrnus application. If you do not see the Cavrnus application, you will need to set that up first by configuring SAML 2.0.
  5. Under the General tab, find the App Settings section and click Edit.
  6. Check the Enable SCIM provisioning option and click Save.
  7. Under the Provisioning tab, select Integration settings if it's not already selected and click Edit.
  8. Enter the SCIM connector base URL from the Cavrnus SCIM 2.0 Settings page in step #2.
  9. For the Unique identifier field for users field, enter the value: email
  10. For the Supported provisioning actions field, enable:
      • Push New Users
      • Push Profile Updates
  11. For the Authentication Mode field, select HTTP Header.
  12. In the HTTP Header section, set the Authorization field to the authorization token from the Cavrnus SCIM 2.0 Settings page in step #2.
  13. Click Test Connector Configuration to verify the settings are working.
  14. Click Save.
  15. Under the Provisioning tab, select To App settings if it's not already selected and click Edit.
  16. Enable the following provisioning actions:
      • Create Users
      • Update User Attributes
      • Deactivate Users
  17. Click Save.

Setting up SAML

This document provides information for setting up Okta SAML integration with Cavrnus. If you use a different identity provider that is not compatible, please contact us for assistance.

Supported Features

The Okta/Cavrnus SAML integration currently supports the following features:

  • SP-initiated SSO
  • IdP-initiated SSO
  • JIT (Just In Time) Provisioning

For more information on the listed features, please visit the Okta Glossary.

Setup Guide

  • Log in to your Okta account.
  • Navigate to Applications and click on the Create App Integration button.
  • Select the SAML 2.0 option and click Next.
  • While following the prompts, enter the following:
      • App name: Cavrnus
      • Single sign on URL: https://api.dev.cavrn.us/api/sso/saml2
      • Audience URI (SP Entity ID): https://cav.dev.cavrn.us
      • Name ID format: EmailAddress
      • Application username: Email
      • Attributes

  • After creating the application, navigate to the Sign On tab of the application and click on View Setup Instructions. You will use the information from the instructions page to configure your Cavrnus account.
  • From the main menu of your Cavrnus Account Administration site, go to Account Info.
  • Find the SAML 2.0 Authentication feature and click the Configure button.
  • The settings dialog presents two options for configuring the integration. You can automatically configure the integration by uploading the metadata from Okta or you can manually enter the configuration values.

Option 1: Uploading Metadata (Recommended)

  • Click on Upload Metadata
  • In Okta's SAML Setup Instructions page, find the Optional section that shows the Provide the following IDP metadata to your SP provider subsection. Copy this value, paste it into the Enter IDP metadata field, and click Upload. If successful, you should see the configuration settings filled in for you.

Option 2: Manual Configuration

  • Enter the Name of your identity provider, such as "Okta", or the internal name your company uses for SSO. This name is used by Cavrnus for SP initiated login flows, prompts, and buttons.
  • From Okta's SAML Setup Instructions page, enter the following values:
      • Single Sign-On URL
      • Issuer
      • X.509 Certificate
  • Ensure the Allow users to login using SAML switch is enabled and click Save.
  • Test the integration by opening a new incognito browser window and logging in to Cavrnus using SAML.

Provisioning

Cavrnus will provision (create) users and assign a valid license upon authenticating the SAML response from the IdP.

Subsequent authentications will also update an already provisioned user with the name attributes contained in the SAML response.