Before you start
The person going through the setup process below needs to be an Okta administrator with permission to create new apps in the Okta admin console.
These instructions are for Employee Training App user record provisioning + authentication. If you are looking to set up SAML for the Adaptive Admin Portal (without SCIM provisioning), you can view those instructions here.
Create Okta SAML 2.0 App Integration
As an Okta administrator, log into the Okta admin console (e.g. https://dundermifflin.okta.com/) and navigate to the ‘Applications’ tab (under the Applications section) in the left hand menu.
Click "Create App Integration" and check the "SAML 2.0" radio button, then click "Next".
On Step 1 (‘General Settings’), set the following values before clicking ‘Next’:
App Name: Adaptive Employee Training SAML with SCIM
App logo (optional): Adaptive logo
App visibility: Choose if you want to display to users or not
SAML Setup
Note: If you've already set up SCIM provisioning without SAML and are trying to add it now, you can get to this page by navigating to your existing Adaptive SCIM app from the Okta Application menu and clicking the 'General' option under the application name. From there, scroll to the 'SAML' section and click 'Edit', which will put you into this flow.
If you do not want to enable SAML as part of your Okta SCIM setup, please go to the FAQ section of this page for instructions.
'Configure' SAML step (step 2)
1. In your Adaptive Admin account, navigate to the Settings page and select the 'Authentication' tab. Scroll to the Employee Training App section of the page and select the '+ Add Option' button to begin the SAML setup process.
Reminder: These instructions enable authentication to our Employee Application at https://app.adaptivesecurity.com/login
2. Complete the following steps:
Copy the Reply URL (Assertion Consumer Service URL) from Adaptive and enter that into the Sign-on URL field in Okta
Copy the SP Entity ID URL from Adaptive and enter that into the Audience URI (SP Entity ID) field in Okta
3. Scroll to the bottom of the page and click 'Next'. On the following step, click 'Finish'
4. Once you've clicked finish you will be taken to the 'Sign On' section. Complete the following steps:
In the SAML 2.0 section, click 'More Details' to expand the section
Copy the 'Sign on URL' from Okta and paste that into the Login URL field in Adaptive
Copy the 'Issuer' URL from Okta and paste that into the IDP Entity ID field in Adaptive
Download the 'Signing Certificate' from Okta and open that on your computer. Paste the value into the Verification Certificate field in Adaptive
When copying the cert, INCLUDE the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines when pasting into the Verification Certificate field
Press 'Save' in the bottom right hand corner of the Adaptive SAML setup modal
Enable SCIM provisioning
In Adaptive
1. In your Adaptive admin portal, navigate to the Employees Tab and select 'Sources'. In the Primary Identity Source section, click 'Choose Primary Identity Source'
2. Select 'Okta SCIM' from the SCIM section and click 'Confirm' in the bottom right hand corner. On the next step, click 'Connect'
3. This will then take you to the setup step of the wizard, which is where you will generate your SCIM token. After clicking 'Generate Token', copy the URL and Token from Step 5 as you'll need to enter those into Okta in the next section.
In Okta
1. Below the App name in the center panel, select "General" and click the "Edit" option for the ‘App Settings’ section. Click the radio button next to SCIM in the provisioning section or check the "Enable SCIM provisioning" box and "Save"
2. Click the "Provisioning" tab, to the right of the "Sign On" header, then click "Edit". Set the following fields before clicking ‘Save’:
SCIM connector base URL: https://api.adaptivesecurity.com/v1/
Unique identifier field for users: type in email
Supported provisioning actions: check ‘Push New Users’, ‘Push Profile Updates’, and ‘Push Groups’
Authentication Mode: select ‘HTTP Header’
Authorization Bearer Token: Token from Adaptive that was generated in a previous step
3. Click ‘Test Connector Configuration’; you should see ‘Connector configured successfully’.
Click 'Save'
4. Back on the 'Provisioning' tab, click "Edit" next to the ‘Provisioning to App’ section. Set the following fields before clicking ‘Save’:
Create Users: check ‘Enable’
Update User Attributes: check ‘Enable’
Deactivate Users: check ‘Enable’
Assign People / Groups
1. Go to the "Assignments" Tab
Click "Assign" and assign the app to all the people and groups you'd like to be able to send Training and Phishing simulation emails to from Adaptive
Do not make any changes to the ‘Attributes’ step at this time and ‘Save and Go Back’ to assign additional groups.
[Optional] Push Groups
After you've assigned users to the app in the previous section, we also allow you to 'Push Groups' if you want to make Group information available for targeting your employees in Adaptive (via our segmentation tools).
Before starting we suggest reviewing the Okta documentation on the requirements for 'Push Groups'
1. After reviewing the above documentation, you can navigate to the 'Push Groups' tab of the app you are configuring and choose to find Groups by name or by rule.
2. Once you find the group you want to push, Okta will check to see if we have a group that exists already. If so, you will see a 'Link Group' option. Otherwise, the group will say 'Create Group'. Once done, press Save.
3. If the Group push works successfully you will see the group appear as 'Active' on the 'Push Groups' page. If you run into any issues, it may be related to the restrictions outlined in the Okta article above and we're happy to help if you reach out to [email protected]
4. View our help article about how to leverage Okta Group data in the Adaptive Group Builder.
Force Sync Data For Assigned People / Groups
Once the app is assigned, go back to the "Provisioning" tab and click on "Force Sync"
Okta typically starts syncing with Adaptive after a few minutes, and may take a few hours to complete depending on the number of employee records.
[Optional] Mapping Additional Values to Adaptive via SCIM
If you have a Start Date attribute you want to map to Adaptive
Okta does not have a system field for a user's start date (i.e. their first day of employment), but many customers choose to add one to the User (default) profile in Okta. If you've added a "custom" attribute, the steps below will walk you through adding that to the Adaptive SCIM integration.
1. In Okta, navigate to 'Directory' -> 'Profile Editor' and select the Adaptive app you created via the above steps.
2. Click '+ Add Attribute' and populate the following fields:
Data Type: string
Display Name: Start Date
Variable Name: startDate
External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
Scroll to the bottom and press 'Save'
3. Back on the Profile Editor view for your Adaptive app, click 'Mappings'. Scroll to find your Start Date attribute name in the right side, grey column (Okta User User Profile). The drop down next to it in the left side, white column (appuser) should be empty.
4. Open up the dropdown next to your start date attribute and select the attribute you created (startDate) in step 2 above.
5. Click 'Save Mappings' (if you also see an option to 'Apply Updates' after clicking save, you should click the 'Apply Updates' button).
6. Scroll to the top of the modal and select the other tab (mappings from Okta User to {Your Adaptive Okta SCIM App Name}). Set the mapping of your Okta user attribute name to the attribute you created in Step 2.
7. Click 'Save Mappings' (if you also see an option to 'Apply Updates' after clicking save, you should click the 'Apply Updates' button).
8. Navigate back to the Applications -> Applications tab and select the Adaptive app you've created. On the provisioning tab, you can scroll to the bottom and now see your new mapping reflected.
9. You MUST trigger a 'Force Sync' action in order for the data to be sent to Adaptive after all of the above steps are complete.
If you have a Manager Email attribute you want to map to Adaptive
Customers tend to store the Manager Email value differently in Okta, and it is often not part of the default SCIM configuration. If you have an attribute that specifies the email address for an employee's manager, the steps below will walk you through adding that to the Adaptive SCIM integration.
1. In Okta, navigate to 'Directory' -> 'Profile Editor' and select the Adaptive app you created via the above steps.
2. Click '+ Add Attribute' and populate the following fields:
Data Type: string
Display Name: Manager Email
Variable Name: managerEmail
External namespace: urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
Press save
3. Back on the Profile Editor view for your Adaptive app, click 'Mappings'. Scroll to find your Manager Email attribute name in the right side, grey column (Okta User User Profile). The drop down next to it in the left side, white column (appuser) should be empty.
4. Open up the dropdown next to your manager email attribute and select the attribute you created in step 2 (managerEmail) above.
5. Click 'Save Mappings' (if you also see an option to 'Apply Updates' after clicking save, you should click the 'Apply Updates' button).
6. Scroll to the top of the modal and select the other tab (mappings from Okta User to {Your Adaptive Okta SCIM App Name}). Set the mapping of your Okta user attribute name to the attribute you created in Step 2.
7. Click 'Save Mappings' (if you also see an option to 'Apply Updates' after clicking save, you should click the 'Apply Updates' button).
8. Navigate back to the Applications -> Applications tab and select the Adaptive app you've created. On the provisioning tab, select 'To app' and scroll to the bottom. You should see the mapping reflected.
Scroll back to the top of the page and click 'Force Sync'
9. You MUST trigger a 'Force Sync' action in order for the data to be sent to Adaptive after all of the above steps are complete.
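For both mapping procedures above (Start Date and Manager Email), the External namespace decides where the value sits in the SCIM User resource: under RFC 7643, extension attributes are nested in an object keyed by the schema URN, and that URN is listed in "schemas". The checker below is an added example, not Adaptive's or Okta's code; it assumes Okta serializes the custom attributes in that RFC 7643 layout, its function name is hypothetical, and both payloads are constructed.

```python
import json
import re

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
CUSTOM_ATTRS = ("startDate", "managerEmail")   # Variable Names from the steps above
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_scim_user(raw):
    """Return a list of problems found in one SCIM User resource (JSON text)."""
    user = json.loads(raw)
    problems = []
    ext = user.get(ENTERPRISE)
    if not isinstance(ext, dict):
        return ["enterprise extension object is missing"]
    if ENTERPRISE not in user.get("schemas", []):
        problems.append("extension URN not listed in schemas")
    for name in CUSTOM_ATTRS:
        if name in user and name not in ext:
            problems.append(f"{name} sent at top level, not under the extension")
        elif not ext.get(name):
            problems.append(f"{name} missing or empty")
    manager = ext.get("managerEmail")
    if manager and not EMAIL.match(str(manager)):
        problems.append("managerEmail is not an email address")
    return problems


# Constructed payloads (example.com addresses), not captured traffic.
SAMPLE_OK = json.dumps({
    "schemas": [CORE, ENTERPRISE],
    "userName": "jim@example.com",
    ENTERPRISE: {"startDate": "2024-03-01", "managerEmail": "michael@example.com"},
})
SAMPLE_MISPLACED = json.dumps({
    "schemas": [CORE],
    "userName": "pam@example.com",
    "startDate": "2024-03-01",              # mapped without the External namespace
    ENTERPRISE: {"managerEmail": "not-an-email"},
})

if __name__ == "__main__":
    print(audit_scim_user(SAMPLE_OK))
    print(audit_scim_user(SAMPLE_MISPLACED))
```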
FAQ
How often does Adaptive use the integration to refresh employee records?
Okta will push data on user creation and user updates. It is always possible to ‘Force Sync’ and update from Okta, but Adaptive has no ability to kick off a refresh of data on your behalf (without access to your Okta admin console).
What do I enter during set up if I DO NOT want to enable SAML as part of my Okta SCIM setup?
On the ‘Configure SAML’ steps, set the following values before clicking ‘Next’.
Single sign-on URL: https://admin.adaptivesecurity.com/sso/login
Audience URI: https://admin.adaptivesecurity.com/sso/login
Name ID format: select ‘EmailAddress’
Application username: select ‘Email’
Update application user name on: ‘Create and Update’
On the last step, click "Finish".
Why don't I see my Okta Groups on the Groups tab in Adaptive after enabling Push Groups?
After pushing group data, you can leverage that in your Adaptive Groups by following these steps.
What do I do if I don’t see users in Adaptive that I believe I Assigned in Okta?
It is possible to check to see if there are any issues by viewing the ‘Assignments’ tab of your Okta SCIM application. If you share these with us we are happy to take a look. If you don’t see any errors and still have questions let us know!