Provisioning and deprovisioning Talon.One users in Okta
This tutorial describes how to set up provisioning and deprovisioning of Talon.One users with single sign-on (SSO) using Okta.
User provisioning and deprovisioning with single sign-on allows administrators to manage user access across multiple service providers using a single identity provider, simplifying the user management process and enhancing security.
In this tutorial, the service provider is Talon.One, and the supported identity provider is Okta. For more information about Okta, see the Okta integration documentation.
Prerequisites
- You have set up single sign-on with Okta in Talon.One.
- You have admin rights in Okta.
- You have admin rights in Talon.One.
Creating a Management API key in Talon.One
To enable Okta to communicate with Talon.One, create a Management API key in Talon.One:
- On the leftmost menu, click Account > Tools > Management API keys.
- Click Create Key.
- In Key name, type a name to identify the key.
- In Key expiration date, select a date.
- In Allowed endpoints, select the /v1/provisioning/okta endpoint.
- Click Create Key.
- Copy and save the generated API key in a secure location.
Note: You cannot display the API key after this step. If you lose the value, create a new API key.
Creating an event hook in Okta
Creating an event hook in Okta allows Talon.One to receive updates about user status changes.
To create an event hook:
- In the Okta Admin Console, go to Workflow > Event Hooks.
- Click Create Event Hook.
- In Name, enter a descriptive name for the event hook.
- In URL, enter https://yourdeployment.talon.one/v1/provisioning/okta, replacing yourdeployment to match your Talon.One base URL.
- In Authentication field, type Authorization.
- In Authentication secret, type ManagementKey-v1 {key}, replacing {key} with the API key you created in Talon.One.
- In Subscribe to events, select the following events:
  - User deleted
  - User deactivated
  - User assigned to app
  - User unassigned from app
- Click Save & Continue.
- In the Verify Endpoint Ownership window, click Verify.
Setting up event hook filters in Okta
Event hook filters ensure that only relevant events trigger the event hook. Without the filters for the Talon.One application, users added to other applications in Okta will also be mistakenly added to Talon.One.
Prerequisites
- In a separate browser tab, you have opened the system log of the Talon.One application.
- In Settings > Features, you have enabled the Event Hook Filtering feature.
Setting up the event hook filters
To set up the event hook filters for the Talon.One application:
- In the Okta Admin Console, in Workflow > Event Hooks, open the event hook you created.
- In the Filters tab, click Edit.
- In User unassigned from app, click Apply filter and configure the following parameters:
  - For Field, from the dropdown, select target.id.
  - For Operator, ensure eq is selected.
  - For Value, copy and paste the target.id value (without the quotes) from the Talon.One application system log.
- Click Add Another and configure the following parameters:
  - For Field, from the dropdown, select target.type.
  - For Operator, ensure eq is selected.
  - For Value, copy and paste the target.type value (without the quotes) from the Talon.One application system log.
- Repeat the previous two steps for the User assigned to app filter.
- Click Save.
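The event hook and filter settings above can be understood by looking at what the receiving endpoint has to do with them. The following is an added example, not Talon.One's or Okta's code: it simulates the receiving side of the hook, checking the Authorization header value configured in the Authentication secret field, answering Okta's one-time endpoint-ownership verification, and applying the same target.id / target.type filters on the Okta side so that assignment events for other applications are dropped rather than provisioned. The Okta event type names mapped to the four subscribed events, the assumption that both filter conditions match on the same AppInstance target, and the key and application id values are all assumptions or constructed placeholders.

```python
"""Simulated receiver for the Okta event hook configured above (added example,
not Talon.One or Okta code). Shows the header check, the endpoint-ownership
verification, and the effect of the per-application filters."""
import hmac
import json

# Constructed placeholder standing in for the Management API key you saved.
MANAGEMENT_API_KEY = "EXAMPLE_MANAGEMENT_API_KEY_PLACEHOLDER"
# Value Okta sends in the Authorization header (Authentication secret field).
EXPECTED_AUTH_HEADER = f"ManagementKey-v1 {MANAGEMENT_API_KEY}"

# Assumed Okta event type names for the four events subscribed in the hook.
SUBSCRIBED_EVENTS = {
    "user.lifecycle.delete.initiated": "User deleted",
    "user.lifecycle.deactivate": "User deactivated",
    "application.user_membership.add": "User assigned to app",
    "application.user_membership.remove": "User unassigned from app",
}

# Constructed stand-ins for the target.id / target.type values copied from the
# Talon.One application's system log when the filters were created.
TALON_APP_FILTER = {"target.id": "0oa_example_talon_app", "target.type": "AppInstance"}


def is_authorized(headers):
    """Compare the Authorization header with the expected value in constant time."""
    supplied = headers.get("Authorization", "")
    return hmac.compare_digest(supplied.encode(), EXPECTED_AUTH_HEADER.encode())


def verification_response(headers):
    """Okta's 'Verify' step: echo the X-Okta-Verification-Challenge header as JSON."""
    challenge = headers.get("X-Okta-Verification-Challenge")
    if challenge is None:
        return None
    return {"verification": challenge}


def passes_filter(event):
    """Mirror of the Okta-side filters: an AppInstance target with the Talon.One id."""
    for target in event.get("target", []):
        if (target.get("type") == TALON_APP_FILTER["target.type"]
                and target.get("id") == TALON_APP_FILTER["target.id"]):
            return True
    return False


def process_hook(method, headers, body):
    """Return the HTTP status and the actions a receiver would take for one request."""
    if not is_authorized(headers):
        return {"status": 401, "actions": []}
    if method == "GET":
        resp = verification_response(headers)
        return {"status": 200 if resp else 400, "actions": [], "body": resp}
    actions = []
    for event in json.loads(body).get("data", {}).get("events", []):
        event_type = event.get("eventType")
        if event_type not in SUBSCRIBED_EVENTS:
            actions.append(("ignored", event_type))
        elif event_type.startswith("application.user_membership.") and not passes_filter(event):
            # Without the filters this event would provision a user from another app.
            actions.append(("filtered_other_app", event_type))
        else:
            actions.append(("apply", SUBSCRIBED_EVENTS[event_type]))
    return {"status": 200, "actions": actions}


# Constructed sample delivery: one assignment to the Talon.One app, one to a
# different app, one deactivation, and one event the hook is not subscribed to.
SAMPLE_HOOK_BODY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "application.user_membership.add",
         "target": [{"id": "00u_example_user", "type": "User"},
                    {"id": "0oa_example_talon_app", "type": "AppInstance"}]},
        {"eventType": "application.user_membership.add",
         "target": [{"id": "00u_example_user", "type": "User"},
                    {"id": "0oa_example_other_app", "type": "AppInstance"}]},
        {"eventType": "user.lifecycle.deactivate",
         "target": [{"id": "00u_example_user", "type": "User"}]},
        {"eventType": "user.session.start", "target": []},
    ]},
})


def run_sample():
    """Process the constructed delivery with the correct header and return the actions."""
    return process_hook("POST", {"Authorization": EXPECTED_AUTH_HEADER}, SAMPLE_HOOK_BODY)


if __name__ == "__main__":
    for action in run_sample()["actions"]:
        print(action)
```

Running the block shows one assignment applied, the assignment to the other application filtered, the deactivation applied and the unsubscribed event ignored; a request with a wrong or missing Authorization header is rejected before any event is read.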
Managing Talon.One users in Okta
After you've created the event hook and set up the filters for the Talon.One application, you can invite, disable, and delete Talon.One users directly from Okta.
Inviting Talon.One users
To invite a Talon.One user from Okta:
- In the Okta Admin Console, in the Talon.One application, click Assign > Assign to People.
- To the right of the user you want to invite, click Assign.
- In Username, type the name of the user you want displayed in Talon.One.
- Click Save & Go Back.
An invitation is sent to the user's email address with steps to sign in to Talon.One with their Okta account.
Disabling and deleting Talon.One users
- To disable a Talon.One user from Okta, unassign the user from the Talon.One application.
- To delete a Talon.One user from Okta, follow the steps to delete a user account.