This guide describes how to set up Okta to provision and manage your Cmd users, or to enable SSO on Cmd-enabled servers.
Prerequisites
A Cmd global administrator account.
To manage users via SCIM, your Okta plan must include lifecycle management.
Supported Okta features
This integration supports the following Okta features:
Create users,
Update user attributes,
Deactivate users,
Push groups.
Table of contents
Cmd setup
In the Cmd web app, click the current project’s name in the top right to open the drop-down menu.
Select Project & app settings.
From the left-side menu, select Security.
Scroll to the bottom of the page to find the
SCIMsection, and check Enable SCIM.Click Save at the bottom of the page to generate a secret SCIM token, then copy the token and save it for later:
Okta setup
In the Okta admin panel, select Applications:
2. Click Add Application:
3. In the 'Add Application' page, search for “Cmd”, and click Add:
4. You can update the name of the application if you wish, then click Done:
5. Select the 'Provisioning' tab, and click Configure API Integration:
6. Check the box next to 'Enable API Integration'.
7. In the 'API Token' field, enter the token you copied from the Cmd web app, and
click Test API Credentials to validate the integration. A message reporting
success should appear:
8. Click Save, then To App in the settings menu on the left:
10. Click Edit and enable 'Create Users', 'Update User Attributes' and 'Deactivate
Users'.
11. Click Save. Your new app is ready.
How to provision users and user groups
The app allows you to create Cmd accounts for Okta users.
Cmd accounts created using SCIM start with server operator privileges. To grant more privileges, admins can edit accounts in the Cmd web app.
Individual users
To make Cmd accounts for Okta users, follow Okta's instructions for how to assign an app to your desired users.
After the app is assigned to a user, Cmd makes them an account.
You can see the results on the 'users & roles' settings page.
Groups of users
You can use Okta to add groups of users to Cmd, or to assign them roles.
Re-authenticate
If you had a Cmd-Okta integration before some group features were supported, you must re-authenticate to Cmd's SCIM API before using them. Follow these steps:
Open your Okta-Cmd app, and go to the 'Provisioning' tab.
Under 'SETTINGS', go to 'Integration'.
Click Edit, then Test API Credentials, then Save.
How to add groups of new users to Cmd:
To make Cmd accounts for a group of Okta users, follow Okta's instructions for how to assign your Cmd-Okta app to the desired group of users.
After the app is assigned to a group, Cmd will make accounts for the group's members.
How to assign roles to groups of existing Cmd users:
You can use Okta to assign roles to existing Cmd accounts. Roles enable you to define different rules for different groups of users.
To add a role, use Okta's Push Groups feature to push the desired group to your Cmd-Okta app.
The new Cmd user role will have the same name as the Okta user group:
To assign a user multiple roles, add them to multiple Okta user groups with the desired Cmd roles as their group names, and Group Push all the groups to Cmd.
Confirm that the new users appear on the Cmd web app in the 'Users & roles' settings page.
You can also read an example of how to use Cmd roles to apply different rules to different groups.
How to enable Okta SSO
Follow these steps to enable Cmd users to log in to the Cmd web app with Okta SSO.
Go to the 'Sign On' section of the Cmd app within Okta.
Click Edit on the top right.
Change the 'Application username format' to 'Email':
4. Click Save.
5. Click View Setup Instructions. This will open a document with additional
configuration steps. Complete those steps to finish enabling SSO. The document
also contains SSO instructions for end users.
Related resources
To learn more about third-party integrations, including other SSO providers, see the integrations overview.