Configuring Reasons for Access with Okta.

This guide provides the steps required to configure SAML with Okta, and includes the following sections:

• Features
• Configuration Steps
• Known Issues/Troubleshooting

---

Features

The following SAML features are supported:

• IdP-initiated SSO

  SAML authentication initiated by the IdP (Okta).

• Just-In-Time provisioning

  When a new user is sent from Okta, a new user is created just before login.

• Grant type

  The used grant type is, passed from Okta.

---

Configuration Steps

1. Copy the Metadata URL from the Okta Admin Console, SAML 2.0 Sign on methods section.
2. Contact the reasons for access support team (support@fuselogic.nl) and request that they enable SAML 2.0 for your account. Include the "Metadata URL" value from the previous step. The reasons for access support team processes your request.
3. Create the grantType attribute in the Profile Editor.
   
   1. Variable name: grantType
   2. Enum:
      • Value: autoGranted
      • Value: authorizedRequest
      • Value: allowedRequest
   3. Required: Yes
   4. Attribute Type: Group
      
4. Add the grantType attribute to the SAML attributes.
   1. Click Edit and open Attributes (Optional). Note: This only shows up, after you click Edit
   2. Add attribute grantType with value appuser.grantType
      
5. We recommend using groups to assign users, to the Reasons for Access application. And to set the grant-type for the group.
   1. Create three Okta groups for each grant type: Auto Granted, Authorized Request, Allowed Request
      
   2. Assign the groups to the application with the correct grant type.
      
   3. Assign users to the correct groups.

---

Known Issues/Troubleshooting

• When you do not see all values make sure the grantType is set correctly.
• Only the IdP-initiated flow is supported. Based on your used IdP, you are sent to the correct customer environment.
• The SP-initiated flow is not supported.