Skip to main content
OpenEye Knowledge Base

OKTA Integration Instructions

Enable OKTA Integration
Add Identity Management Integration

As a web services Administrator:

  1. Go to Management > Integrations.

Management Integrations Dropdown.png

  1. Click the Add New Integration button. Add New Integration Button.png
  2. Select OKTA from the list of options.

OKTA Add Integration Popup.png

  1. Click NextNext button.png
  2. In the General Settings tab, the Enable OKTA Integration will already be checked by default. Leave it checked.

Okta Manage Integrations Enable.png

  1. Select the Identity Management tab.
  2. Check Enable Third Party Authentication. You should see several from fields and values appear. Keep this page open on a broswer tab while you perform the next step.

Integrations Identity Management.png

NOTE: Clicking the Generate SCIM API Token button will automatically create a new API Token. If the old token is already being used, it will fail to function, and the new token will need to be entered. See the Enable SCIM for Automatic Provisioning section for more information.

Generate SCIM API Token.png

NOTE: You'll be alternating between OWS and OKTA in order to perform this integration.

Add OKTA Application for OWS Access (OKTA)
  1. As an OKTA user with at least Application Administrator permissions, go to Applications, then select Applications.

Okta Menu Applications.png

  1. Select Browse App Catalog.

Okta Browse App Catalog.png

  1. Search for OpenEye and select OpenEye Web Services.

Okta Browse App Integration Catalog.png


  1. Click Add.

Okta Add OpenEye.png

  1. Label your app if desired and click Done.

Okta Label Application.png

  1. Click on Sign On then click Edit.

Okta Sign In and Edit.png

  1. Under Advanced Sign-On Settings copy the Single sign on URL (ACS URL) and Audience URI (SP Entity ID) from the OWS Identity Management page to the fields in Okta.

Okta Advance Sign-on Settings.png

Okta SSO and URI from OE.png

  1. Save the OKTA application.
  2. Scroll down to SAML Setup on the right and click on View SAML setup instructions.

Okta SAML setup instructions.png

  1. Copy over the Identity Provider metadata on this page to the Identity Provider Metadata field on OWS and Save.

Okta Identity Provider Metadata.png

  1. Add users by going to Assignments and assigning any desired users.

Okta Assignments.png

12. Select Push Groups and add the group names to be pushed to OWS.


Note: If you try to push a group named administrator, it will create a new group called administrator in OWS with blank permissions. Okta doesn’t push users into our built-in groups, you have to setup and use custom groups

Enable SCIM for Automatic Provisioning
  1. In OKTA, go to Provisioning and click Enable API Integration.

Okta Provisioning.png

  1. Set the Base URL to
  2. Set the API token to the value shown under API Token (SCIM v2 API) in OWS.

API Token in OWS.png

  1. Save settings.
  2. Select To App and check Create Users, Update User Attributes and Deactivate Users.

Okta Provisioning.png

NOTE: Whenever a new user is added to a user group with an OKTA Integration associated with it, a welcome email will be sent to that user.

Okta SSO email.png

NOTE: When changing the email address associated with a user in OKTA it must be done at this location: Directory > Person > Applications tab, and edit the specific application. Or within the application itself you can modify Users. If the change is done at Directory > Person > Profile the updated email address is not sent to OWS.

  • Was this article helpful?