1.1 In Okta, navigate to Applications, and then select Create App Integration.

1.2 Select the OIDC sign-in method and the Web Application type.

1.3 Name the app integration CSE TrustProvider, and upload the CSE logo.

1.4 Enter the Sign-in Redirect URI

The format for the redirect URI is https://{ORGNAME}.trust.banyanops.com/v2/callback. Your ORGNAME can be found at the top right of the Command Center.

1.5 Assign the CSE TrustProvider app to “Everyone”, and then Save.

This will allow CSE to federate authentication of all users in your org to Okta.

2.1 Navigate from Sign On > OpenID Connect ID Token, and then select Edit.

2.2 Select Okta URL as the Issuer. Then, set the Group claims type to Filter, name the claim groups, and set the Matches regex to .*. Finally, select Save.

This updates the group claims, ensuring the token issued by Okta contains all of the user’s group information that will be used in Banyan policies.

3.1 From the CSE TrustProvider app in Okta, take note of the Issuer URL field from the Sign On tab.

Note: CSE currently does not support Okta Custom URLs that aliases your Okta organization’s domain name to a subdomain that you own. An IssuerURL of the form example.okta.com or example.oktapreview.com will work; however, an aliased IssuerURL of the form login.example.com will not work.

3.2 Navigate to the General tab, and take note of the Client ID and Client Secret fields.

3.3 In CSE, navigate from Settings > Identity and Access tab > End User tab.

• Set your Provider Name to Okta
• Ensure that your Provider Protocol is set to OIDC (this should be automatically selected).

3.4 Enter the CSE TrustProvider app parameters from Okta:

• Enter the Issuer URL (from Step 3.1)
• Enter the Client ID (from Step 3.2)
• Enter the Client Secret (from Step 3.2)

3.5 Save your user IDP configuration.

1.1 In Okta, navigate to Applications, and then select Add Application.

1.2 Select the OIDC sign-in method and the Web Application type.

1.3 Name the app integration CSE Device Registration.

1.4 Enter the same Sign-in Redirect URI used in Step 1.4.

The format for the redirect URI is https://{ORGNAME}.trust.banyanops.com/v2/callback. Your ORGNAME can be found at the top right of the Command Center.

1.5 Assign the CSE TrustProvider app to “Everyone”, and then Save.

This will allow all end users in your organization to register with the app when required.

2.1 From the CSE Device Registration app in Okta, take note of the Issuer URL field from the Sign On tab.

Note: CSE currently does not support Okta Custom URLs that aliases your Okta organization’s domain name to a subdomain that you own. An IssuerURL of the form example.okta.com or example.oktapreview.com will work; however, an aliased IssuerURL of the form login.example.com will not work.

2.2 Navigate to the General tab, and take note of the Client ID and Client Secret fields.

2.3 In CSE, navigate from Settings > Identity and Access > Device tab and select Edit.

2.4 Configure the Device Registration Provider Config with the parameters from Okta:

• Set your Provider Name to Okta
• Ensure that your Provider Protocol is set to OIDC (this should be automatically selected).
• Edit the Redirect URL to: https://{ORGNAME}.trust.banyanops.com/v2/callback, replacing {ORGNAME} with your own org name.
• Enter your Issuer URL (from Step 2.1)
• Enter your Client ID (from Step 2.2)
• Enter your Client Secret (from Step 2.2)

2.5 Save your device registration configuration.