It was super easy to link Okta-SmartHR using OIN

Introduction

Here is a question for everyone reading this article: in enterprise identity management, where is employee information stored first? Could it be AD?

I think that in many companies it is the HR DB. In other words, if the HR DB and IDaaS are directly linked, events such as employees joining or leaving and department transfers are quickly reflected from the HR DB to IDaaS, and from IDaaS to SaaS, which makes it possible to manage the ID lifecycle and SaaS access rights smoothly.

In the Okta Integration Network (OIN), Okta provides a template for the cloud personnel and labor software "SmartHR" that covers provisioning and single sign-on (SSO), so it is very easy to link SmartHR as an ID source.

This time, we linked Okta and SmartHR and actually set up SSO and provisioning. This lets you automate account management from SmartHR → Okta → SaaS and achieve SSO to SmartHR, so please read to the end.

SmartHR → Okta → SaaS provisioning

In this article, SmartHR is used as the ID source, and provisioning is performed with the following configuration.

[Figure: SmartHR → Okta → SaaS provisioning]

Provisioning settings for Okta-SmartHR

Okta provides templates for linking with SaaS through OIN, so we select the OIN template for SmartHR and configure it.

1. Select the SmartHR template on the Okta admin screen
2. Specify the SmartHR app name and subdomain
3. Enable the API integration so that Okta can provision with SmartHR
  • Click Configure API Integration
  • Paste the SmartHR Auth Token into the API Token field in the SmartHR app settings on Okta and click Save
4. Configure SCIM settings for each account in SmartHR
  • Setting items (attributes) for provisioning settings
  • Enable SCIM sync
5. Set the format of the Okta Username used when creating a user from SmartHR → Okta
  * With the following settings, the format appends @test.local to givenName (name). Okta lets you define the Username format freely like this.
6. Import users from SmartHR to Okta and create users on Okta
  • Click Import now
    * In addition to manual import, it is also possible to import periodically according to a predefined schedule.
  • Select the user you want to create on Okta
    * As with the import above, users can also be created automatically according to the settings.
  • Make sure the selected user is created on Okta and added to the SmartHR app on Okta
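
The Username format in step 5 uses only givenName, and Okta requires each username to be unique, so two employees with the same given name will conflict at import time. The following check is an added example, not part of the original article or of Okta or SmartHR; the record fields `id` and `givenName`, the sample employees and the case-insensitive comparison are assumptions.

```python
# Added example (not from the original article): pre-import check for the
# Okta Username format shown in step 5 (givenName + "@test.local").
from collections import defaultdict

DOMAIN_SUFFIX = "@test.local"  # suffix used in the article's step 5


def okta_username(given_name: str) -> str:
    """Build the username the step-5 format would produce for one employee."""
    return given_name.strip() + DOMAIN_SUFFIX


def find_username_problems(employees):
    """Return (collisions, unusable) for a list of HR records.

    collisions: {username: [employee ids]} where more than one employee maps
                to the same username (compared case-insensitively; assumption).
    unusable:   employee ids whose givenName is empty or contains whitespace,
                so the result is not a valid email-style login.
    """
    by_username = defaultdict(list)
    unusable = []
    for emp in employees:
        given = (emp.get("givenName") or "").strip()
        if not given or any(ch.isspace() for ch in given):
            unusable.append(emp["id"])
            continue
        by_username[okta_username(given).lower()].append(emp["id"])
    collisions = {u: ids for u, ids in by_username.items() if len(ids) > 1}
    return collisions, unusable


# Constructed sample records; field names "id" and "givenName" are assumptions
# about an HR export, not SmartHR's actual schema.
SAMPLE_EMPLOYEES = [
    {"id": "E001", "givenName": "Taro"},
    {"id": "E002", "givenName": "Hanako"},
    {"id": "E003", "givenName": "taro"},      # same name, different case
    {"id": "E004", "givenName": ""},          # missing given name
    {"id": "E005", "givenName": "Mary Ann"},  # embedded space
]

if __name__ == "__main__":
    collisions, unusable = find_username_problems(SAMPLE_EMPLOYEES)
    for username, ids in sorted(collisions.items()):
        print(f"collision: {username} <- {', '.join(ids)}")
    for emp_id in unusable:
        print(f"unusable givenName: {emp_id}")
```

Running a check like this against the HR export before clicking Import now shows whether the Username format needs a more distinctive attribute.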

SmartHR → Okta → SaaS provisioning settings

In this article, we will provision SmartHR → Okta → Google Workspace on the assumption that Google Workspace and Okta are linked.

1. Add the user provisioned from SmartHR to Okta to the Google Workspace app on Okta, and provision the user to the linked Google Workspace
2. Change the user information (department) in SmartHR (assuming that the employee has changed departments)
3. As shown in the figure above, confirm that changes in user information in SmartHR are automatically linked to Google Workspace through Okta.

SSO integration of Okta-SmartHR

1. Enable SAML SSO for SmartHR
2. Paste the values described in the SSO integration instructions (SAML Setup Instructions) provided on Okta into SmartHR's SAML SSO settings.
3. After clicking "Edit SAML SSO account", enter the Username of the account on Okta and check "Enable SSO"
* In the following, SSO is enabled for each account individually, but it can also be enabled in bulk using a CSV file.

Summary

In this blog, we introduced SmartHR → Okta → SaaS provisioning with SmartHR as the ID source, as well as Okta-SmartHR SSO integration.
With Okta, you can also synchronize users from ID sources other than the SmartHR integration introduced here (Active Directory, CSV Directory, etc.) and link them to SaaS.
This time we introduced SmartHR integration using OIN; next time, we will introduce flexible integration using Okta Workflows.

If you are interested or have any other inquiries about Okta, please contact us.

In charge of Macnica Okta Co., Ltd.