Enterprise Authentication - OIDC Sync Groups and Roles

Sync OIDC groups and roles with Astrato

Written by Astrato Support
Updated over a month ago

Introduction

This article shows how to sync OpenID Connect (OIDC) groups and roles with the Astrato enterprise authentication function.

Syncing groups and roles lets you centralize access control in your identity provider: group membership and role assignment are maintained in OIDC, and access to data and features in Astrato follows from them.

We're using OKTA as an example.


Setup Information

The setup process has several stages, so we've listed them here. In the instructions for each stage, we've included a checklist of the information you need to enter and the information you need to collect to complete the setup.

  • OKTA - Set up your OKTA workspace using the admin console app integration wizard, and generate a Client ID and Client secret to enter in Astrato.

  • Astrato - The Astrato setup is managed in the Open ID Connect Setup page in the Enterprise Authentication section of the Administration pages. You'll need to enter a Connection Name, Issuer URL, Client ID, Client Secret, and Identity provider domain.

OKTA Settings

Checklist

Roles Configuration

  1. In OKTA, navigate to Directory ➝ Profile Editor ➝ select profile (Okta)

  2. In the profile editor, select Add attribute

  3. Enter a display name and variable name, check the enum checkbox, and provide the values below.

    warning: the display name and value of each enum entry must match the name of an Astrato role exactly

    • administrator

    • designer

    • viewer

    • creator

    Click Save.

  4. Navigate to Directory ➝ people ➝ select user.

  5. Click Edit, scroll down, select an Astrato role for the user, and click Save.

  6. Navigate to Security ➝ API, select an authorization server, and click Edit.

  7. Open the Claims tab and insert these details:

    1. Name: astrato_role

    2. Include in token type: ID Token, Always

    3. Value type: Expression

    4. Value: user.astrato_role

    5. Include in: Any scope

    6. Save

  8. Validate the configuration in the Token Preview tab:

    1. Select the OAuth/OIDC client

    2. Set the grant type to Authorization Code

    3. Select a user who has an Astrato role assigned

    4. Scope: openid

    The token should include an Astrato role claim similar to the token below.

Groups Configuration

  1. Navigate to Directory ➝ Groups, create a new group, and add users to the group.
    * If you want to sync only some of the groups with Astrato, give all of those groups' names the same prefix.

  2. Navigate to Security ➝ API and select the authorization server you used in the roles phase.

  3. Select the Claims tab and add a new claim with these details:

    1. Name: groups

    2. Include in token type: ID Token, Always

    3. Value type: Groups

    4. Include in: The following scopes: openid

    5. Save

  4. Test the token. The token should include the groups now.

Astrato Settings

  1. Navigate to Administration ➝ Enterprise Connection ➝ Login connection

  2. Open an existing OKTA connection or define a new connection following this article.

  3. While editing the connection, check the boxes to sync groups and roles.
    For the role sync, enter the role attribute name you created in OKTA (astrato_role in the example above).
    For the group sync, enter the prefix of the groups you want to sync. If the prefix is empty, all groups from OKTA are synced with Astrato.

  4. Save.

  5. Select the Controlled Access option that suits your organization best in Assignments, then click Save.
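To illustrate what the token checks in the OKTA steps and the prefix filter in the Astrato step amount to, here is an added Python example (not Astrato's or Okta's code) that decodes a constructed ID token, accepts only the four Astrato role values, and filters the groups claim by prefix, syncing everything when the prefix is empty. The claim name astrato_role and the group names are taken from this article; the issuer URL and user id are constructed placeholders, and signature verification is deliberately out of scope here.

```python
import base64
import json

# The four Astrato roles the enum attribute in OKTA must use (from this article).
ASTRATO_ROLES = {"administrator", "designer", "viewer", "creator"}
ROLE_CLAIM = "astrato_role"  # claim name configured on the authorization server

# Constructed sample claims, shaped like the ID token payload after both claims are added.
SAMPLE_CLAIMS = {
    "sub": "00u-constructed-user",                      # placeholder user id
    "iss": "https://example.okta.com/oauth2/default",   # placeholder issuer URL
    ROLE_CLAIM: "designer",
    "groups": ["astrato_finance", "astrato_sales", "Everyone"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_id_token(payload: dict) -> str:
    """Constructed token for offline testing: real header shape, empty signature segment."""
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(payload).encode())}."


def decode_id_token_claims(id_token: str) -> dict:
    """Return the claims of an ID token. The signature must be verified against the
    issuer's JWKS before any claim is trusted; that step is outside this example."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def sync_role(claims: dict, role_claim: str = ROLE_CLAIM) -> str:
    """Accept the role only if it is one of the Astrato roles; anything else is an error."""
    role = claims.get(role_claim)
    if role not in ASTRATO_ROLES:
        raise ValueError(f"claim {role_claim!r} missing or not an Astrato role: {role!r}")
    return role


def sync_groups(claims: dict, prefix: str = "") -> list:
    """Groups to sync: all of them when prefix is empty, otherwise only those with the prefix."""
    return [g for g in claims.get("groups", []) if g.startswith(prefix)]
```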
