SSO Setup with Okta in Zephyr

In this tutorial, you’ll learn how to integrate Zephyr Enterprise with Okta, which will provide the following benefits:

  • You can control user access to Zephyr Enterprise directly from Okta.

  • You can enable your users to be automatically signed in to Zephyr Enterprise with their Okta accounts.

  • You can manage your accounts in one central location - the Okta portal.

Prerequisites

To configure Okta integration with Zephyr Enterprise, you need an Okta subscription.

Zephyr Enterprise supports IdP-initiated SSO only.

Configure OKTA single sign-on

1. Register at Okta (purchase a license if you don't have one) and log in to Okta.

  • Enter your username and password.

Username : XXX
Password : XXX

2. After logging in to the Okta portal, click Admin on the right side of the page.

3. Click on Add Applications and then click on the Create New App button.

4. Select SAML 2.0 in the Create a New Application Integration window and then click on the Create button.

5. In the General Settings, provide an App name, choose an App logo (if required) and then select the available options as you see fit. Click the Next button.

6. In the SAML Settings, provide the Single sign-on URL, Audience URL and Application username.

For the Single sign-on URL and Audience URL, copy the values from the Zephyr application.

Administration → UserAuthentication System → Single Sign-On Authentication system → Configuration Info

For the Application username, select either Okta username or Email ID, depending on how you want to validate users with Zephyr.

7. Fill in the required fields and any optional fields. After filling in the fields, click on the Next button.

8. Click on the Finish button.

9. On the next page, click on the View Setup Instructions button. Copy the URLs and download the certificate (in Okta, open Applications from the header menu, select the application and then select Sign On).

10. Copy the Identity Provider Single Sign-On URL (IDP SSO URL), the Identity Provider Issuer ID and download the certificate. Configure these within the Zephyr Connection Info section when setting up your SSO.

Administration → Authentication → Single Sign-On → Connection Info

Create Users and Assign People to Zephyr in Okta

1. Click on Directory and then click on People.

2. Click on the Add Person button.

3. After you create users and assign them to the Zephyr application, the users will receive an email from Okta asking them to reset their password. The user can then update their password from the email link. After resetting the password, the user will be able to log in.

Setup User Authentication to SSO in Zephyr

1. Log in as an administrator, navigate to Administration > Authentication, and select Single Sign-On (SSO).

2. Specify the Identity Provider URL and Identity Provider Issuer ID you copied from Okta earlier and click Save.

The Test button allows you to check the specified URL. Clicking the button opens a new tab. If the login page of your SSO provider is opened in the tab, you have specified the correct URL.

3. Click User Setup in the pane on the right and create the same users as those in Okta with the Expire Credentials option unchecked, and then assign the users to your projects.

4. Log out from the admin account and try to log in to Zephyr again. The SSO login page will open.

5. On the SSO page, log in with your Okta credentials. After you enter the correct credentials, you are logged in to Zephyr directly.

When SSO is set up and enabled, the login flow redirects you straight to the SSO login page, and after you enter the correct credentials, you are logged in to Zephyr directly. This minimizes the number of steps needed to log in to Zephyr.

Auto Provisioning

You can use the Auto Provisioning feature to automatically create a user account for any new user who logs in to Zephyr via SSO. The user accounts created this way have only the Dashboard User role and they do not consume a license.

To enable Auto Provisioning, navigate to Administration > Authentication, select Single Sign-On from the drop-down menu in the Authentication System section and enable auto provisioning.

To enable Zephyr to create user accounts automatically, you also need to specify the SAML attributes you have in your external SSO system in the fields of the Attribute Mapping section.

Here you need to specify the user’s first name, last name and email. Zephyr can also get a list of user groups from your SAML identity provider and add users to the corresponding groups in Zephyr. This can be done if you specify the name of a SAML attribute containing a list of groups in the Group field. Note that the groups must be created in Zephyr in advance, and they must have the same names as those in the identity provider. If you have several attributes, separate them with commas.
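
The following pre-flight check for the attribute mapping described above is an added example, not part of the original page and not Zephyr or Okta code. It reads the AttributeStatement of a decoded SAML assertion from your own test login and reports mapped attributes the identity provider did not send, as well as group values with no matching Zephyr group. The attribute names, the sample assertion, the group list and the exact-match comparison of group names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; the attribute names are assumptions, not Okta defaults.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Diaz</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>ana.diaz@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>QA-Testers</saml:AttributeValue>
      <saml:AttributeValue>Release-Managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical values as typed into the Attribute Mapping section (Group is comma-separated).
MAPPING = {"first_name": "firstName", "last_name": "lastName",
           "email": "email", "group": "groups,teams"}
ZEPHYR_GROUPS = {"QA-Testers", "Developers"}  # constructed: groups already created in Zephyr

def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]}. No signature check is done here,
    so use this only on assertions captured from your own identity provider."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [v for v in values if v]
    return attrs

def check_mapping(xml_text, mapping, zephyr_groups):
    attrs = read_attributes(xml_text)
    report = {"missing": [], "groups": [], "unmatched_groups": []}
    for field in ("first_name", "last_name", "email"):
        if not attrs.get(mapping[field]):          # absent or empty attribute
            report["missing"].append(mapping[field])
    for name in (n.strip() for n in mapping["group"].split(",") if n.strip()):
        if name not in attrs:
            report["missing"].append(name)
            continue
        for group in attrs[name]:                  # exact name match is an assumption
            key = "groups" if group in zephyr_groups else "unmatched_groups"
            report[key].append(group)
    return report

if __name__ == "__main__":
    print(check_mapping(SAMPLE_ASSERTION, MAPPING, ZEPHYR_GROUPS))
```

Entries under unmatched_groups name groups to create in Zephyr before the user's first SSO login; entries under missing point to an attribute statement to add in the identity provider or a mapping field to correct.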