Overview

You can integrate Bridgecrew Cloud with Okta to enable single sign-on for your organization's users. In parallel, invite users and set their permissions from the User Management page.
The Okta/Bridgecrew SAML integration currently supports the following features:

  • SP-initiated SSO
  • Just-in-time provisioning

For SSO integration with Okta, see Add an Okta SAML application and Bridgecrew-Okta integration.

How to Integrate

Step 1 - Setting Your Email Domain

  1. From Integrations Catalog, under Single Sign-On Authentication, select Okta.
  2. Enter your allowed domain, then select Next.
  3. Upload the metadata XML file and select Next.

Step 2 - Mapping SSO Groups to Bridgecrew Roles

Bridgecrew can fetch the Okta groups associated with a logged-in user and map them to the user roles and source permissions configured for those groups in the platform. If none of a user's groups is mapped to a role and permitted sources, the user is granted the default permissions (defined in a later step).

Below are instructions on how to configure this mapping, first in Okta and then in Bridgecrew.

In Okta

  1. Under Applications, select Bridgecrew.
  2. Under SAML Settings, select Edit. An Edit SAML Integration window opens.
  3. Fill in the Name, Name format and Value for each of the following user attributes:
    • user.email
    • user.firstName
    • user.lastName
  4. To send group information to Bridgecrew, fill in the Group Attribute Statements section:
    • Name
    • Name format (optional)
    • Filter: from the dropdown menus, select a filter condition and the value to match against your group names. Only groups whose names satisfy the filter are sent to Bridgecrew. For example, if you select Starts with and enter Admin, only groups whose name starts with “Admin” are mapped to Bridgecrew.

In Bridgecrew

As mentioned above, each Okta group can be mapped to a Bridgecrew role and a list of permitted accounts.

  1. Under Map SSO Group to Roles, ensure the Enable Okta Groups - Bridgecrew roles mapping box is checked. This presents a list of all the groups you created in Okta and enabled for mapping to Bridgecrew.
  2. For each group, select a role from the left dropdown menu. For detailed role definitions, see Roles.
  3. For each group, from the right dropdown menu, select whether to grant the group permission for all existing and future sources, all existing sources, or selected sources. If you choose selected sources, a list is presented from which you can manually select sources.
  4. To manually add Okta groups to Bridgecrew's mapping logic, click Add a new group and enter the group's name, role and sources. Note that the group's name must be identical to its Okta name.
  5. After you finish granting roles and permissions to all groups, click Next.
    You are now redirected to Save default permissions. This allows you to set default permissions for users whose groups are unmapped (just-in-time provisioning).
  6. Select the default role and available sources for new users, then click Done.
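The two halves of the configuration above (the Okta group filter that decides which groups are sent, and the Bridgecrew mapping that turns received group names into a role and source scope, with the default permissions as the fallback) are illustrated by the following example. This is added code for this page, not Bridgecrew's or Okta's own implementation; the attribute name "groups", the group names, the source identifiers and the role names "Admin", "Member" and "Viewer" are constructed placeholders, and the way several matched groups combine is an assumption (each matched grant is returned) because the text does not specify it.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}


@dataclass(frozen=True)
class Grant:
    """A Bridgecrew role plus the source scope granted with it (placeholder role names)."""
    role: str
    sources: str          # "all_existing_and_future" | "all_existing" | "selected"
    selected: tuple = ()  # only used when sources == "selected"


def filter_groups(groups, mode, value):
    """IdP side: emulate the Okta group attribute filter for the three plain modes."""
    predicates = {
        "Starts with": lambda g: g.startswith(value),
        "Equals": lambda g: g == value,
        "Contains": lambda g: value in g,
    }
    return [g for g in groups if predicates[mode](g)]


def build_attribute_statement(attrs):
    """IdP side: render a saml2:AttributeStatement from {attribute name: [values]}."""
    ET.register_namespace("saml2", SAML2)
    root = ET.Element(f"{{{SAML2}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(root, f"{{{SAML2}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr, f"{{{SAML2}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def parse_attribute_statement(xml_text):
    """SP side: read attribute values back into {name: [values]}.
    Only the attribute statement is handled here; signature validation of the
    enclosing assertion must already have happened before these values are trusted."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
        for attr in root.findall("saml2:Attribute", NS)
    }


def resolve_grants(attrs, group_attr, mapping, default):
    """SP side: map each received group to a configured Grant by exact (case-sensitive)
    name, as the page requires; a user with no mapped group gets the default Grant."""
    groups = attrs.get(group_attr, [])
    matched = [mapping[g] for g in groups if g in mapping]
    unmapped = [g for g in groups if g not in mapping]
    return (matched or [default]), unmapped


# Constructed sample data for a hypothetical tenant.
OKTA_GROUPS_FOR_ALICE = ["AdminCloudSec", "AdminDev", "Everyone", "DevOps-Admin"]
MAPPING = {
    "AdminCloudSec": Grant("Admin", "all_existing_and_future"),
    "AdminDev": Grant("Member", "selected", ("aws-prod", "github-org")),
    # "Admindev" (different case) would NOT match: the name must be identical to Okta's.
}
DEFAULT = Grant("Viewer", "all_existing")


def demo():
    # Okta applies the "Starts with: Admin" filter, so "Everyone" and "DevOps-Admin" are not sent.
    sent = filter_groups(OKTA_GROUPS_FOR_ALICE, "Starts with", "Admin")
    xml_text = build_attribute_statement({
        "user.email": ["alice@example.com"],
        "user.firstName": ["Alice"],
        "user.lastName": ["Example"],
        "groups": sent,
    })
    attrs = parse_attribute_statement(xml_text)
    grants, unmapped = resolve_grants(attrs, "groups", MAPPING, DEFAULT)
    return sent, attrs, grants, unmapped


if __name__ == "__main__":
    sent, attrs, grants, unmapped = demo()
    print("sent by Okta:", sent)
    print("received attributes:", attrs)
    print("grants:", grants, "unmapped:", unmapped)
```

Running demo() shows Alice receiving the Admin and Member grants, while a user whose only group is "Everyone" would fall through to the Viewer default; the same fall-through happens when a group name differs from its Okta name by so much as a letter case, which is the check to make first when a user lands with default permissions unexpectedly.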

Note

If you want to edit your Okta integration at any point, e.g., to map new groups or change user roles, select Okta from the Integrations Catalog and click Edit.
