Configure Okta to manage your directory of users in Banyan

  • Updated on Jan 09, 2024

Overview

Okta is a cloud-based identity management system. This guide shows how Banyan integrates with your org’s Okta environment to authenticate users that need to register with the Banyan app and access Banyan-secured services.

How It Works

There are two parts to Banyan’s integration with Okta for users and devices:

1. Configuring Okta for Access to Banyan Services

  • The Banyan TrustProvider app in Okta allows you to configure specific authentication policies for users accessing Banyan-protected hosted websites, infrastructure, and Service Tunnels.

2. Configuring Okta for Banyan Device Registration

  • The Banyan Device Registration app in Okta allows you to configure specific authentication policies for users registering their devices with the Banyan app.

Supported Features

The Okta-Banyan Security integration currently supports the following features:

  • IdP-initiated SSO
  • SP-initiated SSO
  • JIT (Just-In-Time) Provisioning: Banyan’s IDP integrations allow for Just-In-Time (JIT) provisioning of User accounts, as well as Group and Role information updating upon login. Updates to the User directory or IDP are reflected in Banyan with each new login, allowing for changes in Users’ authorization without requiring admins to make any manual changes to Roles or Access policies.

Part 1: Configuring Okta for access to Banyan Services

1. Create the Banyan TrustProvider app in Okta

1.1 In Okta, navigate to Applications, and then select Create App Integration.

1.2 Select the OIDC sign-in method and the Web Application type.

1.3 Name the app integration Banyan TrustProvider, and upload the Banyan Logo.

1.4 Enter the Sign-in Redirect URI

The format for the redirect URI is https://{ORGNAME}.trust.banyanops.com/v2/callback. Your ORGNAME can be found at the top right of the Banyan Command Center.

1.5 Assign the Banyan TrustProvider app to “Everyone”, and then Save.

This will allow Banyan to federate authentication of all users in your org to Okta.

2. Update Group Claims for the Okta Token

2.1 Navigate from Sign On > OpenID Connect ID Token, and then select Edit.

2.2 Select Okta URL as the Issuer. Then, set the Group claims type to Filter, name the claim groups, and set the Matches regex to .*. Finally, select Save.

This updates the group claims, ensuring the token issued by Okta contains all of the user’s group information that will be used in Banyan policies.

3. Configure your User Identity Provider in Banyan

3.1 From the Banyan TrustProvider app in Okta, take note of the Issuer URL field from the Sign On tab.

Note: Banyan currently does not support Okta Custom URLs that aliases your Okta organization’s domain name to a subdomain that you own. An IssuerURL of the form example.okta.com or example.oktapreview.com will work; however, an aliased IssuerURL of the form login.example.com will not work.

3.2 Navigate to the General tab, and take note of the Client ID and Client Secret fields.

3.3 In Banyan, navigate from Settings > Identity and Access tab > End User tab.

  • Set your Identity Provider Protocol to OIDC
  • Set your User Identity Provider to OKTA.

3.4 Enter the Banyan TrustProvider app parameters from Okta:

  • Issuer URL (from Step 3.1)
  • Client ID (from Step 3.2)
  • Client Secret (from Step 3.2)

3.5 Select Update Identity Provider Config to save the settings.


Part 2: Configuring Okta for Banyan Device Registration

1. Create the Banyan Device Registration app in Okta

1.1 In Okta, navigate to Applications, and then select Add Application.

1.2 Select the OIDC sign-in method and the Web Application type.

1.3 Name the app integration Banyan Device Registration.

1.4 Enter the same Sign-in Redirect URI used in Step 1.4.

The format for the redirect URI is https://{ORGNAME}.trust.banyanops.com/v2/callback. Your ORGNAME can be found at the top right of the Banyan Command Center.

1.5 Assign the Banyan TrustProvider app to “Everyone”, and then Save.

This will allow all end users in your organization to register with the Banyan app when required.

2. Complete Device Registration Provider Config in Banyan

2.1 From the Banyan Device Registration app in Okta, take note of the Issuer URL field from the Sign On tab.

Note: Banyan currently does not support Okta Custom URLs that aliases your Okta organization’s domain name to a subdomain that you own. An IssuerURL of the form example.okta.com or example.oktapreview.com will work; however, an aliased IssuerURL of the form login.example.com will not work.

2.2 Navigate to the General tab, and take note of the Client ID and Client Secret fields.

2.3 In Banyan, navigate from Settings > TrustProvider Settings > Identity Provider.

2.4 Configure the Device Registration Provider Config with the parameters from Okta:

  • Set your Device IDP Protocol to OIDC
  • Set your Device IDP Name to OKTA.
  • Issuer URL (from Step 2.1)
  • Client ID (from Step 2.2)
  • Client Secret (from Step 2.2)

2.5 Select Update Device Registration Provider Config to save the settings.


Can’t find what you’re looking for?

We’re happy to help. Contact our team.