Setting Up User and Group Provisioning for ThreatLocker Admins via SCIM in the Okta Portal

6 min. read, last update: 06.18.2026

Please Note: Requires an active SAML integration. For information on setting up a SAML integration in your ThreatLocker Portal, please refer to the following article: SAML Integration | ThreatLocker Help Center

Also requires an active SCIM integration. For information on setting up a SCIM integration in your ThreatLocker Portal, please refer to the following article: SCIM Integration for ThreatLocker Administrator Accounts | ThreatLocker Help Center

Creating an Application in Okta for ThreatLocker

First, sign in to your Okta portal. From here, using the left-hand side of the page, navigate to the 'Applications' dropdown and select 'Applications' from the list.

Now, within the 'Applications' page, select the 'Create App Integration' button.

Selecting this button will open a dialogue window titled 'Create a new app integration', which provides you with several sign-in methods. Select 'SAML 2.0' from the list of methods, then select 'Next' at the bottom of the dialogue window.

After this, you will be redirected to the 'Create SAML Integration' page. Within the 'General Settings' section, the only required field is to enter an 'App name'. You can also optionally add a logo or turn off the app visibility by selecting the provided checkbox. Once you have entered your information, select the 'Next' button.

Now, you will be directed to the 'Configure SAML' section. The first field is titled 'SAML Settings', which is where you will use resources from your already set up SAML Integration in ThreatLocker.

In the 'SAML Settings' section, insert the following information in the 'Single sign-on URL' field:

https://portalapi.*.threatlocker.com/portalApi/AuthenticationSAML/AssertionConsumerService

The wildcard (*) should be replaced by the instance of the organization for which this Okta integration is being set up.

To locate the instance for your organization, in your ThreatLocker portal, select the 'Help' button in the top-right corner of your page. Once selected, find the field titled 'ThreatLocker Access'. The alphanumeric character(s) located in parentheses should be placed in the 'Single sign-on URL' in place of the wildcard.

Example: https://portalapi.d.threatlocker.com

Additionally, you can find your full 'Single sign-on URL' by navigating to your SAML integration, selecting it to open the 'Edit SAML Integration' sidebar, and copying the information provided in the 'Assertion' field.

In the 'Audience URI (SP Entity ID)' field, insert the following information:

https://threatlocker.com

The 'Default RelayState' can be configured as desired for your organization or left blank.

'Name ID format' should be EmailAddress.

'Application username' should be Email.

'Update application username on' can be configured as desired for your organization. In our testing, we selected Create and update.

In the section titled 'Preview the SAML assertion generated from the information above', you can select the button to view the XML that will be used in the SAML assertion to verify your inserted information.
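
The preview check can also be scripted. The following is an added example, not ThreatLocker or Okta code: it parses a saved copy of the preview XML and reports any mismatch with the Single sign-on URL, Audience URI and Name ID format given above. It assumes the preview is a standard SAML 2.0 assertion; the function names and the sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AUDIENCE = "https://threatlocker.com"
ACS_TEMPLATE = ("https://portalapi.{instance}.threatlocker.com"
                "/portalApi/AuthenticationSAML/AssertionConsumerService")


def expected_acs_url(instance):
    """Build the Single sign-on URL for an instance identifier such as 'd'."""
    if not re.fullmatch(r"[A-Za-z0-9]+", instance):
        raise ValueError("instance must be alphanumeric")
    return ACS_TEMPLATE.format(instance=instance)


def check_preview(xml_text, instance):
    """Return a list of mismatches between the preview and the article's values."""
    root = ET.fromstring(xml_text)  # input is the admin's own preview, not untrusted XML
    problems = []
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("Name ID format is not EmailAddress")
    conf = root.find(".//saml2:SubjectConfirmationData", NS)
    if conf is None or conf.get("Recipient") != expected_acs_url(instance):
        problems.append("Recipient does not match the Single sign-on URL")
    audiences = [a.text.strip() for a in root.findall(".//saml2:Audience", NS) if a.text]
    if audiences != [AUDIENCE]:
        problems.append("Audience URI is not https://threatlocker.com")
    return problems


# Constructed sample, trimmed to the elements checked (not real Okta output).
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData Recipient="https://portalapi.d.threatlocker.com/portalApi/AuthenticationSAML/AssertionConsumerService"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction><saml2:Audience>https://threatlocker.com</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

if __name__ == "__main__":
    print(check_preview(SAMPLE, "d") or "preview matches the documented settings")
```

An empty list means the three values agree with this article; each string in a non-empty list names the field to correct on the 'Configure SAML' page.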

Once you have verified that all information is correct, select the 'Next' button at the bottom of the page.

Now in the 'Feedback' section, you can fill out the questions before selecting 'Finish' at the bottom of the page.

Setting Up Your SCIM Integration

In Okta, ensure that you're on the page for the application you created above. If you are not already in it, navigate to the General tab.

In the App Settings section, select the 'Edit' button, then ensure that SCIM is selected in the Provisioning field.

Once selected, choose the 'Save' button at the bottom of the App Settings panel.

Next, at the top of the page, you should now see a tab called Provisioning. Navigate to this tab.

From this page, you will now see a section called SCIM Connection. Select the 'Edit' button on the right side of the panel to change these integration details.

From here, ensure that the following information is entered:

  • SCIM connector base URL – This is the API URL from the SCIM integration in ThreatLocker.
  • Unique identifier field for users – email
  • Supported provisioning actions – Select the actions you want to grant for this integration. For this example, all supported provisioning actions were selected.
  • Authentication Mode – From the dropdown list, select HTTP Header.
  • Authorization – The token created from the Generate API Token button that is found in the SCIM Integration page on the ThreatLocker portal.

When all information has been entered, select the 'Test Connector Configuration' button to verify that there are no errors.

Once complete, and the correct information is entered, you should receive confirmation that the test was successful.

You can now close the confirmation pop-up and select the 'Save' button at the bottom of the page to save your provisioning settings.

Now, the page will reload, and you will see additional settings in the top-left corner. Select 'To App', then select the 'Edit' button.

From here, select the checkboxes to the right of the following to enable these options:

  • Create Users
  • Update User Attributes
  • Deactivate Users

Once these options have been selected, choose the 'Save' button at the bottom.

Please Note: Do not make any changes to the SAML ThreatLocker Attribute Mappings section.

Once you have finished inserting information on the Provisioning tab, navigate to the Push Groups tab.

From here, select the 'Push Groups' dropdown button. Use this to choose how to locate groups you wish to push to ThreatLocker via this Okta Application.

Once you have found and selected your desired groups, searching either by name or by rule, select the 'Save' button at the bottom of the page.

Once your desired groups have been pushed, they will appear in the Identity Provider Group dropdown on the Group Mapping tab of the SCIM integration in the ThreatLocker Portal.

Note: The initial sync could take up to an hour to complete.

Select the Identity Provider Group, then select the ThreatLocker User Role to be mapped to the group. Once done, select the '+' icon to the right of these fields to save it. Perform the same process for any other groups that are pushed and roles that are created in ThreatLocker.

Once you have finished adding this information on the Group Mapping tab, select the 'Save' button at the bottom of the page. 

Important: Okta requires a value in the primaryPhone text field for all users being synced. Without it, there will be errors in Okta and the user may fail to sync.

Once the integration is configured, you will need to allow SSO through the Login Settings of your ThreatLocker Portal. For information on how to access Login Settings, please review the following article:

Login Settings | ThreatLocker Help Center
