REQUEST SINGLE-SIGN-ON (SSO) FOR A NEW APPLICATION THROUGH OKTA

SUMMARY

All new Colgate applications must support Okta unless an exemption is granted by the security team.

If you have a new application that supports authentication using SAML 2.0 or OAuth / OpenID Connect (OIDC) and you want to configure it to use Okta, follow the process below.

Prerequisites:

  • All new application requests must be submitted no later than 30 days prior to the targeted go-live date.
  • If the application you want to configure is managed by a third-party vendor, you must have a technical resource with access to the application to perform the SSO configuration steps.
  • You will need some basic information about the application, as requested in the Google form below.

Process:

  • Fill out the Okta SSO Service Request form.
  • A member of the Identity and Access Management (IAM) Team will reach out to you to schedule the configuration of your application in Okta.

Additional Information & Considerations:

1) Username and profile information

What is the username used to identify users in your application? Is it the user's email address? Employee number? SAP ID? Is any other profile information (location, department, etc.) required to be sent to the application?

2) User provisioning & deprovisioning

How will new users receive accounts in your application (not Okta)? Similarly, how will they be deactivated when they no longer need access / change roles? In some cases Okta can integrate with an application to create and/or deactivate users, so that the process is automated.

3) User assignment & access requests

In Okta, access is assigned only to users who need it. Therefore, even if your application is set up to use Okta, a user who is not assigned to the application in Okta will not be permitted to sign on.

Okta supports several methods for assigning applications to users:

  • Automated, based on HR criteria (preferred, where feasible) - Application access is assigned based on HR profile criteria (e.g., Department matches GIT). Users remain active as long as they are active in the HR system.
  • User Request - The user must request the application using the Add Apps button in Okta. In this case, approval can be:
      ◦ Automatic - Approval is granted automatically when the user adds the application.
      ◦ Approval Required - The app must be approved by designated approver(s) from the business (app owner).
  • Application Admin - Designated application admin(s) from the business (app owner) are assigned access in Okta for the purpose of manually adding new users and removing users who no longer need access.

In all cases, management of the application and any user issues remains with the application team. As part of the application configuration you will need to identify an application owner who will be responsible for any issues related to the application. The security team is only responsible for the management of Okta, and any non-Okta inquiries will be forwarded to the application owner.

If there are any questions or concerns please contact iam_team@colpal.com.