Integrate Apono with your Identity Provider to manage the access of your users and groups
On-Demand Permissions - Manage organizational users' on-demand access permissions to your cloud services or data repositories at a granular level.
Extended SSO - Extend organizational authentication to infrastructure, applications and data repositories where you don't have SSO.
Approval Workflows - Create approval or trigger-based Access Flows that allow organizational user groups to receive the permissions they need.
Review User Access Permissions - View each organizational user's access permissions across the integrated applications and data sources.
How to manage on-demand, temporary membership to JumpCloud groups
If your organization manages access to apps and accounts using IdP groups, for example by adding users to shift groups, you can create an Access Flow to control who can request temporary group membership.
Upon an approved request, Apono adds the user to the group and removes them again when the access time is up.
JumpCloud - Admin privileges in JumpCloud for the Apono dedicated admin user, which is used to issue the admin API key in the steps below
Cloud Provider/K8S - Create secret privileges in cloud provider or Kubernetes secrets manager
JumpCloud admin API Key
Log in to your JumpCloud organization with the Apono dedicated admin user
Click on your Profile (icon with your initials)
In the menu click My API Key
Copy the admin API Key
Go to your cloud provider secret manager and create a new secret
In the secret content, store the following field:
Key: token
Value: the JumpCloud admin API token you copied in the previous step
Tag the created secret with the following tag:
Key: apono-connector-read
Value: true
Store the newly created secret
You can also use an existing secret you've already created for Apono
Go to the Apono Catalog
Under Resources, find the JumpCloud integration
Click the integration
Give the integration a name
In Select Connector, choose a connector from the list of connectors or add a new connector
In the Secret Store section, choose the secret store location you created in step 2. You can also use an existing secret you've already created for Apono
Click Connect
That's it!
Enable your organization to use single sign-on to log in to Apono
Implementing Okta Single Sign-On provides seamless and secure authentication across various applications. Centralized identity management reduces password fatigue and increases overall security for your organization.
This guide shows you how to enable SSO for logging in to Apono.
Item | Description |
---|---|
Okta developer account | Account with administrative access to the Okta platform |
Use the following resources as needed:
Okta’s documentation for additional context about creating an integration
SAML field reference for descriptions of the following integration settings
Follow these steps to create a SAML integration and enable Okta SSO:
From the side navigation in the Okta Admin Console, click Applications > Applications. The Applications page opens.
Click Create App Integration. The Create a new app integration popup window appears.
Select SAML 2.0.
Click Next. The General Settings tab appears.
Enter an App name for the integration.
Click Next. The Configure SAML tab appears.
In the Single sign-on URL field, enter https://login.apono.io/auth/saml/callback.
In the Audience URI (SP Entity ID) field, enter Apono.
From the Name ID format dropdown menu, select EmailAddress.
From the Application username dropdown menu, select Okta username.
Under Group Attribute Statements (optional), map your Okta groups to Apono roles by defining a group attribute statement.
Field | Value |
---|---|
Name | group |
Filter | Starts with. Enter the name (prefix) of the groups to include in the filter text field. |
Click Next. The Feedback tab appears.
Click Finish. The new application appears.
On the Sign On tab, under SAML Signing Certificates, click Actions > View IdP metadata for the active certificate. The XML file appears in a new tab.
Save the .xml file to your device.
Send the following information to Apono support:
The downloaded .xml file
Domains that your organization allows to log in to Apono
When your Okta SSO integration is available, you will be able to use SSO to log into Apono with your company domain.
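The settings above decide what actually arrives in the SAML assertion: a NameID in EmailAddress format, the SP Entity ID Apono as audience, and a Group Attribute Statement named group whose Starts with filter selects which of the user's Okta groups are sent. The Python below is an added example, not Apono's or Okta's code. It simulates the Starts with filter on the IdP side, builds a constructed, unsigned assertion shaped like Okta's output, and parses it on the service-provider side, rejecting a NameID that is not an email address or an audience other than Apono. The group-to-role mapping in roles_for is hypothetical; Apono's real mapping is not described on this page. A real SP must verify the Response signature before trusting any of these fields.

```python
"""IdP-side group filtering and SP-side parsing for the Okta SAML settings above.

Added example, not Apono or Okta code. The assertion is constructed inline and
unsigned; the group -> role mapping used by roles_for is hypothetical."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple
from xml.sax.saxutils import escape

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
AUDIENCE = "Apono"  # the Audience URI (SP Entity ID) entered in Okta


def okta_group_statement(user_groups: List[str], starts_with: str) -> List[str]:
    """IdP side: the 'Starts with' filter of a Group Attribute Statement."""
    return [g for g in user_groups if g.startswith(starts_with)]


def build_assertion(email: str, groups: List[str], attribute_name: str = "group") -> str:
    """Constructed, unsigned assertion shaped like Okta's output (demo only)."""
    values = "".join(f"<saml2:AttributeValue>{escape(g)}</saml2:AttributeValue>" for g in groups)
    return f"""<saml2:Assertion xmlns:saml2="{SAML_NS['saml2']}" ID="_demo" Version="2.0">
  <saml2:Subject>
    <saml2:NameID Format="{EMAIL_FORMAT}">{escape(email)}</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>{AUDIENCE}</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{escape(attribute_name)}">{values}</saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def parse_assertion(xml_text: str, attribute_name: str = "group") -> Tuple[str, List[str]]:
    """SP side: enforce audience and NameID format, then return (email, groups).
    Signature verification must already have happened before this is called."""
    root = ET.fromstring(xml_text)
    audience = root.find(".//saml2:Audience", SAML_NS)
    if audience is None or audience.text != AUDIENCE:
        raise ValueError("assertion was not issued for this service provider")
    name_id = root.find(".//saml2:Subject/saml2:NameID", SAML_NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or not name_id.text:
        raise ValueError("NameID must use the emailAddress format")
    path = f".//saml2:Attribute[@Name='{attribute_name}']/saml2:AttributeValue"
    groups = [v.text.strip() for v in root.findall(path, SAML_NS) if v.text]
    return name_id.text.strip(), groups


def accepts(xml_text: str) -> bool:
    """True when parse_assertion accepts the assertion, False when it rejects it."""
    try:
        parse_assertion(xml_text)
        return True
    except ValueError:
        return False


def roles_for(groups: List[str], mapping: Dict[str, str]) -> List[str]:
    """Hypothetical group -> role mapping; groups without a mapping grant nothing."""
    return sorted({mapping[g] for g in groups if g in mapping})


if __name__ == "__main__":
    sent = okta_group_statement(["apono-admins", "apono-requesters", "eng-all"], "apono-")
    email, groups = parse_assertion(build_assertion("alice@example.com", sent))
    print(email, groups, roles_for(groups, {"apono-admins": "Admin", "apono-requesters": "User"}))
```

The filter runs on the IdP, so only groups with the chosen prefix ever leave Okta; the SP-side checks stop an assertion meant for another application, or one whose subject is not an email, from being mapped onto an Apono user.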
Create an integration to manage access to your Google Workspace
Google Workspace (Gsuite) provides a unified platform for communication, file sharing, and collaboration within an organization.
Through this integration, Apono automatically syncs your organizational users and groups when integrating with an organizational identity provider.
Item | Description |
---|---|
Apono Premium | Apono plan providing the most features and dedicated account support |
Google User Account | Google user account with the following admin API privileges: Users: Read; Groups: Read |
Follow these steps to complete the integration:
On the Catalog tab, click Google Workspace. The Add Integration page appears.
(Optional) Enter the Custom Manager Field Name.
By specifying the manager attribute name in this field, Apono can locate a user's manager within Google Workspace. If the attribute name is not specified, Apono uses Google Workspace's predefined field, Manager's Email in the Employee information section of the user's profile.
You can also use custom attributes to specify a user's manager.
The manager attribute must contain either the manager's email address or Google Workspace user ID.
Click Connect. The Google sign-in prompt appears.
Follow the sign in prompts.
Be sure that the account you connect has the following admin API privileges:
Users: Read
Groups: Read
On the Apono wants additional access to your Google Account page, click Select all.
Click Continue.
Create an integration to manage access for sets of users in an Azure AD instance
Azure Active Directory (Azure AD) Groups, now part of Microsoft Entra ID, allow administrators to organize users, devices, and other Azure AD objects into collections. By using Azure AD Groups, administrators can efficiently manage settings and control access to various resources for different sets of users.
Through this integration, Apono helps you securely manage access for sets of users in your Azure AD instance.
Item | Description |
---|---|
Apono Connector | On-prem connection serving as a bridge between an Azure AD instance and Apono. NOTE: Be sure that the Groups Administrator and Privileged Role Administrator roles have been added to the connector. |
You can also use the steps below to integrate with Apono using Terraform.
In step 9, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Azure AD Groups. The Connect Integration page appears.
Under Discovery, select one or multiple resource types for Apono to discover in all instances of the environment.
Click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating an Apono connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting | Description |
---|---|
Integration Name | Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow |
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting | Description |
---|---|
Custom Access Details | (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. |
Integration Owner | (Optional) Fallback approver if no resource owner is found. To define one or several integration owners: from the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform; then from the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined. |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. To define one or several resource owners: enter a Key name (the name of the tag created in your cloud environment); then from the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner; when you update the membership of the group or role in your IdP platform, the change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined. |
Click Confirm.
Apono's integration syncs your JumpCloud organization's groups and users, so you can easily define access policies for them.
Log in to JumpCloud as an admin user with read-only permission. See the JumpCloud documentation for information about creating one.
Have a JumpCloud admin API Key ready.
Log in to your JumpCloud organization with the Apono dedicated admin user.
Click your Profile (icon with your initials).
In the menu, click My API Key.
Copy the admin API key.
Log into Apono
Go to the IdP integrations section.
Click on Connect JumpCloud
Specify the integration details:
Integration name: the name of the integration. You will reference this name when building an Access Flow.
Admin API Key: paste the admin API key you copied.
Custom Manager Field Name: the custom attribute name used for manager context. For more information, see the manager attribute description below.
You should see the new JumpCloud integration within a few seconds.
If the user doesn't have the right privileges, create a new admin user; this may require a new company email address.
Integrate Microsoft Entra ID with Apono to manage access for users and groups
Microsoft Entra Identity, formerly known as Azure AD, is a comprehensive identity and access management service provided by Microsoft. It facilitates secure user authentication and authorization across various applications and platforms.
Through this integration, Apono helps you securely manage the access of your users.
Item | Description |
---|---|
Microsoft Entra ID Admin Permission | Microsoft Entra ID account with an admin role, such as User Administrator, that can grant permissions to an app |
Follow these steps to complete this integration:
On the Catalog tab, click Azure AD. The Add Integration page appears.
Click Connect. The Microsoft connection screen appears.
Click Accept to grant Apono access to your Microsoft Entra ID instance.
Refer to the schema documentation for more details about the schema definition.
Now that you have completed this integration, you can create Access Flows that grant access to members of your Microsoft Entra ID instance.
The Custom Manager Field Name is used by Apono to determine how it finds each user's manager within JumpCloud. By specifying the attribute name, Apono can accurately locate the manager associated with each user. If the attribute name is not specified, Apono defaults to JumpCloud's predefined attribute, manager.
If you prefer not to use JumpCloud's default attribute, you can use Custom Attributes in JumpCloud to specify the user's manager. Note that the manager attribute must contain either the manager's email address or their JumpCloud user ID. For more information about the manager attribute and about custom attributes in general, see the JumpCloud documentation.
With a successful connection to JumpCloud, you can now create Access Flows for the resource.
Refer to Troubleshooting Errors for information about errors that may occur.
How to integrate Onelogin with Apono to manage access of users and groups
OneLogin is a cloud-based identity and access management (IAM) provider that specializes in single sign-on (SSO) and multi-factor authentication (MFA) solutions. These services are scalable, secure, and easily integrated into various business environments. OneLogin helps organizations manage and secure real-time user access to applications and data across different devices and environments.
Apono's integration with OneLogin provides a seamless way to synchronize your OneLogin users and groups with Apono. This allows you to easily define policies for existing users and groups within Apono.
DevOps creating Access Flows
Professionals in the organization who manage the OneLogin identity provider
Apono account with Admin privileges
OneLogin account with Super User privileges. Learn more about OneLogin privileges in this OneLogin knowledge base article
Follow these steps to integrate Apono with OneLogin:
Log into your OneLogin organization using an admin account.
Click the Administration button in the top-right corner of the Admin Dashboard.
In the menu, navigate to Developers and then click on API Credentials.
Click the New Credential button and create credentials with the Read users scope.
Record the Client ID and Client Secret. You can always access these credentials by returning to the API Credentials page.
Once you have logged in to OneLogin, you can find your organization's domain in the URL bar of your browser. Remove the "https://" prefix and any path suffix so that you are left with a domain such as example.onelogin.com. Record the base domain for the next step.
Log into Apono.
Fill in the integration details:
Setting | Description |
---|---|
Integration name | Your name for the integration. It will be used when managing Access Flows |
Domain | Your organization's OneLogin base domain from the previous step |
Client ID | The Client ID from OneLogin's API credentials created above |
Client Secret | The Client Secret from OneLogin's API credentials created above |
Group Mapping Strategy | Select how users from OneLogin should be mapped to Apono. Groups: use the default OneLogin groups for mapping. Roles: use OneLogin Roles to map users to groups |
Custom Manager Attribute Name | If necessary, specify the name of the OneLogin attribute that contains users' manager names. For more information, see below |
Submit the form when it has been completed, and the new OneLogin integration should appear immediately. Find the OneLogin item in the Apono catalog and navigate to the Connected tab to confirm that the Apono integration was successful.
The Manager Attribute is used by Apono to find each user's manager within the OneLogin system. By specifying a manager attribute name, Apono can accurately locate the manager associated with each user. If the attribute name is not specified, Apono will default to using OneLogin's predefined attribute, which is Manager.
If you prefer not to use OneLogin's default method, you have the option to utilize Custom Attributes in OneLogin to specify the user manager.
Note that the manager attribute must contain either the manager's email address or their ID (OneLogin user ID).
For additional information on how to configure custom attributes in OneLogin, please refer to Custom User Fields in the OneLogin Knowledge Base.
Return to the Integrations page Connected tab where you will see that OneLogin is now active. Click it to view the details of the integration.
With a successful connection to OneLogin, you can now create access flows for the resource.
Refer to Troubleshooting Errors for information about errors that may occur.
How to use the IdP Manager attribute for manager approval Access Flows
Some access policies, especially those covering sensitive access, customer data, production or other high-value environments and strong permissions, require manager approval for the user requesting access.
Apono supports this use case out of the box by automatically syncing the manager attribute from your IdP.
Then all you have to do is set the Access Flow approver to Manager. Apono continuously refreshes its IdP data, so when managers change in the organization, so do Apono's Access Flows.
Integrate your IdP with Apono. Read more here.
Create a new Access Flow or edit an existing one.
Replace "Automatic" approval with "Manager" approval:
That's it! Managers will now be required to approve access requests before access is granted to the user.
Once the request is submitted, if the Access Flow is set for Manager approval, the user's manager will get a notification to approve the access:
The manager can review the request and decide whether to approve or reject it.
If the manager approves the access request, the requester will receive another message with the access details and instructions on how to log in to the requested resource.
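The manager attribute rule stated for Google Workspace, JumpCloud and OneLogin on this page (the attribute holds either the manager's email address or the manager's IdP user ID, and a custom attribute name may replace the IdP default) has edge cases that only show up once a Manager approval flow is live: a missing attribute, a reference to a user who no longer exists, or a user listed as their own manager. The Python below is an added example, not Apono's code. It resolves an approver for every user in a constructed sample directory, accepting either form of reference and honouring a custom attribute name. Falling back to a given integration-owner address when no manager resolves is this example's own design choice, not behaviour the page describes; the default attribute name manager and the sample users are likewise assumptions for the demo.

```python
"""Route manager-approval requests from synced IdP data.

Added example, not Apono code. It applies the rule this page states for
Google Workspace, JumpCloud and OneLogin: the manager attribute holds either
the manager's email address or the manager's IdP user ID, and a custom
attribute name may replace the IdP default. Falling back to an
integration-owner address when no manager resolves is this example's own
choice, not behaviour the page describes. The directory below is constructed
sample data and "manager" is assumed as the default attribute name."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdpUser:
    user_id: str
    email: str
    attributes: Dict[str, str] = field(default_factory=dict)


DIRECTORY: List[IdpUser] = [  # constructed sample, not real people
    IdpUser("u1", "alice@example.com", {"manager": "carol@example.com"}),   # manager by email
    IdpUser("u2", "bob@example.com", {"manager": "u3"}),                    # manager by user ID
    IdpUser("u3", "carol@example.com", {"manager": "Carol@Example.COM"}),   # lists herself
    IdpUser("u4", "dave@example.com", {"team_lead": "u1"}),                 # custom attribute only
    IdpUser("u5", "erin@example.com", {"manager": "nobody@example.com"}),   # dangling reference
    IdpUser("u6", "frank@example.com", {}),                                 # attribute missing
]


def resolve_manager(user: IdpUser, directory: List[IdpUser],
                    attribute: str = "manager") -> Optional[IdpUser]:
    """Return the manager, or None when the attribute is absent, matches nobody
    in the directory, or points back at the user (a self-approval loop)."""
    by_email = {u.email.lower(): u for u in directory}
    by_id = {u.user_id: u for u in directory}
    raw = (user.attributes.get(attribute) or "").strip()
    if not raw:
        return None
    manager = by_email.get(raw.lower()) or by_id.get(raw)   # email first, then exact ID
    if manager is None or manager.user_id == user.user_id:
        return None
    return manager


def approver_for(user: IdpUser, directory: List[IdpUser], integration_owner: str,
                 attribute: str = "manager") -> Tuple[str, str]:
    """(approver_email, reason) where reason is "manager" or "integration_owner"."""
    manager = resolve_manager(user, directory, attribute)
    if manager is None:
        return integration_owner, "integration_owner"
    return manager.email, "manager"


def approval_routing(directory: List[IdpUser], integration_owner: str,
                     attribute: str = "manager") -> Dict[str, Tuple[str, str]]:
    """Pre-flight view before switching an Access Flow from Automatic to Manager:
    every user whose reason is not "manager" would otherwise have no approver."""
    return {u.email: approver_for(u, directory, integration_owner, attribute)
            for u in directory}


if __name__ == "__main__":
    for email, (approver, reason) in approval_routing(DIRECTORY, "secops-lead@example.com").items():
        print(f"{email:18} -> {approver:24} ({reason})")
```

Running approval_routing over the full directory before flipping an Access Flow to Manager approval shows which requesters would be routed to the fallback, which is the list of IdP records to fix first.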
Create an integration to manage access to a OneLogin instance
Administrators can create groups to manage settings and access to services for different sets of users. Users can utilize groups to manage and secure access to applications and data across different devices and environments.
Through this integration, Apono helps you securely manage access for sets of users in your OneLogin instance.
Item | Description |
---|---|
Apono Connector | On-prem connection serving as a bridge between a OneLogin instance and Apono |
OneLogin Super User Account | OneLogin account that possesses user management permissions |
OneLogin Organization Subdomain | Unique subdomain of your OneLogin instance. To obtain it, log in to OneLogin and copy the subdomain from the URL in the address bar, removing the protocol (https://), the onelogin.com domain, and any suffix. |
You must create credentials in your OneLogin instance for the Apono connector.
Follow these instructions to create the credentials:
Log in to OneLogin Admin UI using an admin account with Super User privileges.
Click Administration.
In the menu, click Developers > API Credentials. The Create new API credential page appears.
Click New Credential.
Create a new credential with the Manage users scope.
Using the credentials from the previous step, create a secret for the OneLogin instance.
You can now integrate your OneLogin instance.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click OneLogin Group. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting | Description |
---|---|
Integration Name | Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow |
Subdomain | OneLogin subdomain |
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting | Description |
---|---|
Custom Access Details | (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. |
Integration Owner | (Optional) Fallback approver if no resource owner is found. To define one or several integration owners: from the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform; then from the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined. |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. To define one or several resource owners: enter a Key name (the name of the tag created in your cloud environment); then from the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner; when you update the membership of the group or role in your IdP platform, the change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined. |
Click Confirm.
Now that you have completed this integration, you can create access flows that grant permission to your OneLogin instance.
Create an integration to manage access for your HiBob users
HiBob is a Human Resources (HR) platform designed to streamline and optimize HR processes. This platform contains employee information and associated attributes.
By integrating with Apono, you can sync your HiBob users with Apono and create access flows based on attributes defined in the HiBob platform.
Item | Description |
---|---|
HiBob Account Access | HiBob account with admin privileges |
HiBob Service Account ID & Token | You will input these values in the Secret Store section of the Apono UI. Be sure the service account has access permissions to all required fields. |
Additional HiBob Fields | (Optional) HiBob field values used by Apono as custom attributes to define access flows. Obtain the attribute values from the field list the HiBob API returns. Example: to add Start date to the Apono UI as a custom attribute, copy the field's API ID (such as work.startDate). |
Follow these steps to complete the integration:
On the Catalog tab, click HiBob. The Add Integration page appears.
Enter an Integration Name. This is a unique, alphanumeric, user-friendly name used to identify the integration when constructing an access flow.
Enter the Domain of your HiBob organization.
(Optional) In the Custom Attributes field, enter the API ID value of the HiBob field in a comma-delimited list, such as root.email, work.startDate.
Apono automatically adds the Site, Department, and Is A Manager attributes.
Under Secret Store, enter the Service User ID and Service User Token.
Click Connect.
Now that you have completed this integration, you can create Access Flows that grant your HiBob users access to your resources.
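The Custom Attributes field takes HiBob API IDs, not the display names an administrator sees in HiBob, and a typo there is only discovered once an Access Flow silently fails to match anyone. The Python below is an added example, not Apono's or HiBob's code: it translates display names into the comma-delimited API ID list this page describes (such as root.email, work.startDate), drops the Site, Department and Is A Manager attributes the page says Apono adds on its own, and validates a pasted value against the known field IDs. FIELDS_RESPONSE is a constructed sample shaped like HiBob's people-fields metadata (each entry carrying an id and a name); it is not a real API reply.

```python
"""Assemble and validate the Custom Attributes value for the HiBob integration.

Added example, not Apono or HiBob code. FIELDS_RESPONSE is a constructed sample
shaped like HiBob's people-fields metadata (id = the API ID this page tells you
to copy, name = the display name); it is not a real API reply."""
from typing import Dict, List

# This page says Apono adds these attributes automatically, so they never need listing.
AUTOMATIC_ATTRIBUTES = {"Site", "Department", "Is A Manager"}

FIELDS_RESPONSE: List[Dict[str, str]] = [  # constructed sample
    {"id": "root.email", "name": "Email", "category": "root"},
    {"id": "work.startDate", "name": "Start date", "category": "work"},
    {"id": "work.site", "name": "Site", "category": "work"},
    {"id": "work.department", "name": "Department", "category": "work"},
    {"id": "work.isManager", "name": "Is A Manager", "category": "work"},
    {"id": "work.title", "name": "Job title", "category": "work"},
]


def api_ids_for(display_names: List[str], fields: List[Dict[str, str]]) -> List[str]:
    """Translate the display names an admin sees in HiBob into API IDs.
    Unknown names raise so a typo is caught before the integration is saved."""
    by_name = {f["name"]: f["id"] for f in fields}
    missing = [n for n in display_names if n not in by_name]
    if missing:
        raise KeyError(f"no HiBob field named {missing}")
    return [by_name[n] for n in display_names]


def custom_attributes_value(display_names: List[str], fields: List[Dict[str, str]]) -> str:
    """Comma-delimited value for the Custom Attributes field, de-duplicated and
    without the attributes Apono already syncs on its own."""
    wanted = [n for n in dict.fromkeys(display_names) if n not in AUTOMATIC_ATTRIBUTES]
    return ", ".join(api_ids_for(wanted, fields))


def parse_custom_attributes(value: str, fields: List[Dict[str, str]]) -> List[str]:
    """Check a pasted Custom Attributes value: every token must be a known API ID.
    Whitespace and empty tokens are tolerated; duplicates are collapsed."""
    known = {f["id"] for f in fields}
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    unknown = [t for t in tokens if t not in known]
    if unknown:
        raise ValueError(f"unknown HiBob API IDs: {unknown}")
    return list(dict.fromkeys(tokens))


def is_valid_custom_attributes(value: str, fields: List[Dict[str, str]]) -> bool:
    """True when parse_custom_attributes accepts the value."""
    try:
        parse_custom_attributes(value, fields)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(custom_attributes_value(["Email", "Start date", "Site"], FIELDS_RESPONSE))
```

In practice you would load the field list from the HiBob fields endpoint with the same service user the integration uses, so that the validation also confirms that user can see every field you intend to reference.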
Create an integration to manage users through an LDAP Group
LDAP Groups are fundamental Lightweight Directory Access Protocol (LDAP) components. They enable centralized management of user permissions and access to network resources in complex IT environments.
Through this integration, Apono helps you securely manage the access of your users.
Item | Description |
---|---|
Apono Connector | On-prem connection serving as a bridge between your LDAP directory and Apono |
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click LDAP Group. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting | Description |
---|---|
Integration Name | Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow |
LDAP Server URL | URL for the LDAP server. If no port is given, append the default LDAP port: 389 for ldap://, 636 for ldaps://. Prefer ldaps://; with plain ldap:// the bind credential and directory data cross the network unencrypted. |
Self signed server or CA certificate | (Optional) Base64-encoded certificate of the self-signed LDAP server, or of the CA that signed its certificate. Leave this field blank unless the LDAP server does NOT have a certificate signed by a public CA. |
Domain | Base domain (DN) of the LDAP server. Example: dc=example,dc=com |
Groups Scope | (Optional) Scope of the groups. When a scope is entered, Apono only fetches groups within the specified scope. If this field is blank, Apono fetches all groups within the LDAP directory. |
Users Scope | (Optional) Scope of the users. When a scope is entered, Apono only fetches users within the specified scope. If this field is blank, Apono fetches all users within the LDAP directory. |
User Email Attribute | (Optional) Attribute holding user emails. Defining it tells Apono which email to use, which matters when users have multiple email addresses. If a user has multiple email addresses, each one must exist in both the LDAP directory and Apono. |
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting | Description |
---|---|
Custom Access Details | (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. |
Integration Owner | (Optional) Fallback approver if no resource owner is found. To define one or several integration owners: from the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform; then from the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined. |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. To define one or several resource owners: enter a Key name (the name of the tag created in your cloud environment); then from the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner; when you update the membership of the group or role in your IdP platform, the change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined. |
Click Confirm.
Refer to the schema documentation for more details about the schema definition.
Now that you have completed this integration, you can create Access Flows that grant access to members of your LDAP Group.
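The LDAP settings are easy to get subtly wrong: a scope DN that is not under the base Domain fetches nothing, a pasted URL without a port is ambiguous, and ldap:// with a certificate configured suggests the administrator expected TLS they are not getting. The Python below is an added example, not Apono's code, that pre-checks a settings object against the rules in the table (ldap:// and ldaps:// with their default ports 389 and 636, a base Domain such as dc=example,dc=com, optional Groups and Users scopes, an optional self-signed or CA certificate). DN comparison is deliberately simplified (case and whitespace around commas only; escaped commas are not handled), and the LdapSettings class and its field names are this example's own, not Apono's configuration schema.

```python
"""Pre-flight checks for the LDAP Group settings in the table above.

Added example, not Apono code. It encodes the rules the table states (ldap://
or ldaps:// with default ports 389/636, a base Domain such as dc=example,dc=com,
optional Groups/Users scopes, an optional self-signed certificate) plus one
caveat: ldap:// without TLS sends the bind credential in cleartext. DN
comparison is simplified (case and whitespace around commas only)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def normalize_url(url: str) -> str:
    """Return scheme://host:port with the default port filled in.
    Raises ValueError for anything that is not an ldap:// or ldaps:// URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an LDAP server URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]   # parts.port raises on a non-numeric port
    return f"{scheme}://{parts.hostname}:{port}"


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case, no whitespace around commas."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def scope_under_domain(scope: str, domain: str) -> bool:
    """A scope is usable when it equals the base Domain or sits beneath it."""
    s, d = normalize_dn(scope), normalize_dn(domain)
    return s == d or s.endswith("," + d)


@dataclass
class LdapSettings:                      # this example's own shape, not Apono's schema
    server_url: str
    domain: str
    groups_scope: Optional[str] = None
    users_scope: Optional[str] = None
    custom_certificate: Optional[str] = None   # self-signed server or CA certificate
    user_email_attribute: Optional[str] = None


def check_settings(cfg: LdapSettings) -> List[str]:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    url = normalize_url(cfg.server_url)          # raises on a malformed or non-LDAP URL
    if url.startswith("ldap://"):
        findings.append("ldap:// without TLS: the bind credential and directory data "
                        "cross the network in cleartext; prefer ldaps://")
        if cfg.custom_certificate:
            findings.append("a certificate is configured but ldap:// will not use it")
    if not normalize_dn(cfg.domain):
        findings.append("Domain must be a non-empty DN such as dc=example,dc=com")
    for name, scope in (("Groups Scope", cfg.groups_scope), ("Users Scope", cfg.users_scope)):
        if scope and not scope_under_domain(scope, cfg.domain):
            findings.append(f"{name} {scope!r} is not under Domain {cfg.domain!r}")
    return findings


if __name__ == "__main__":
    weak = LdapSettings("ldap://ldap.example.com", "dc=example,dc=com",
                        groups_scope="ou=groups,dc=corp,dc=com",
                        custom_certificate="-----BEGIN CERTIFICATE-----")
    for finding in check_settings(weak):
        print("-", finding)
```

An empty findings list does not prove the directory is reachable; it only means the values are internally consistent and worth saving.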
Create an integration to manage access for sets of people in your Google Workspace
Groups in Google Workspace allow for communication and collaboration within an organization. Administrators can create groups to manage settings and access to services for different sets of users. Users can utilize groups for activities, such as team communication, document sharing, and meetings.
Through this integration, Apono helps you securely manage access for sets of users in your Google Workspace.
The groups feature in Google Workspace differs from the Google Groups product.
Before starting this integration, be sure to acquire the items listed in the following table.
Item | Description |
---|---|
Apono Premium | Apono plan providing the most features and dedicated account support |
Google Workspace Super Admin Role | User role enabling your user account to configure settings in Google Workspace |
Google Workspace Customer ID | Unique Google account ID |
In your Google Workspace, you must add the service account associated with the Apono connector to the Groups Admin role.
Use the following steps to assign this role:
On the Admin roles page, hover over the Groups Admin row. Several menu options appear.
Click Assign admin. The Groups Admin page appears.
Click Assign service accounts. The Assign role - Groups Admin modal appears.
Under Add service accounts, enter apono-connector-iam-sa@$PROJECT_ID.iam.gserviceaccount.com, replacing $PROJECT_ID with the project ID where the connector is installed.
Click ADD.
Click ASSIGN ROLE.
You can also use the steps below to integrate with Apono using Terraform.
In step 8, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Google Group. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector.
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting | Description |
---|---|
Integration Name | Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow |
Customer ID | Unique Google account ID |
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting | Description |
---|---|
Custom Access Details | (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. |
Integration Owner | (Optional) Fallback approver if no resource owner is found. To define one or several integration owners: from the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform; then from the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined. |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. To define one or several resource owners: enter a Key name (the name of the tag created in your cloud environment); then from the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner; when you update the membership of the group or role in your IdP platform, the change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined. |
Click Confirm.
Refer to the schema documentation for more details about the schema definition.
Now that you have completed this integration, you can create Access Flows that grant permissions to groups within your Google Workspace.
Create an integration to manage access for sets of people in your Okta Group membership
Administrators can create groups in Okta to efficiently manage access rights and application settings for distinct sets of users. Users can leverage groups to streamline and secure their access to various applications and resources across multiple devices and environments.
Through this integration, Apono helps you securely manage access for sets of users in your Okta Group instance.
Item | Description |
---|---|
Apono Connector | On-prem connection serving as a bridge between an Okta Group instance and Apono |
Okta Account Access | Okta account with Super Admin privileges to the Okta admin dashboard |
This article provides a simplified guide to creating an Okta application for use with Apono.
Since Okta products evolve, we strongly recommend verifying the steps in this documentation against Okta's official documentation.
Follow these steps to create an Okta app:
In your Okta admin dashboard, from the main side navigation, click Applications > Applications > Create App Integration. The Create a new app integration popup window appears.
Select API Services.
Click Next. The New API Services App Integration page appears.
Enter an App integration name, such as Apono Connector.
Click Save. The application settings page appears.
Setting up the app consists of four tasks:
Generate client credentials and a secret for Apono.
Configure the app settings of the application.
Define the scope.
Grant admin assignments.
Use the following steps to generate your client credentials:
For the Okta Groups integration, use an Okta API Services app that has only one key pair.
On the General tab, under Client Credentials, click Edit.
Copy and save the Client ID.
For the Client authentication, select Public key / Private key. The PUBLIC KEYS section appears.
Under PUBLIC KEYS, click Add key. The Add a public key popup window appears.
Click Generate new key.
Under Private key - Copy this!, click Copy to clipboard and save the value.
Click Done.
Click Save. The Existing client secrets will no longer be used popup window appears.
Click Save.
Follow these steps to configure app settings:
On the General tab, under General Settings, click Edit.
For the Proof of possession, uncheck Require Demonstrating Proof of Possession (DPoP) header in token requests.
Click Save.
Follow these steps to define the scope:
On the Okta API Scopes tab, in the okta.groups.manage row, click Grant. The Grant Okta API Scope popup window appears.
This permission allows Apono to manage existing groups in your Okta organization.
Click Grant scope.
In the okta.users.read row, click Grant.
This permission allows Apono to read the existing users' profiles and credentials.
Follow these steps to grant admin assignments:
On the Admin roles tab, click Edit assignments.
From the Role dropdown menu, select Organization Administrator.
To grant users a membership to a group that contains admin roles, the Super Admin role should be granted to the Apono connector.
Click Save Changes.
Create a secret for your Okta instance with your Okta client ID and private key. Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separates the Apono web app from the environment for maximal security.
You can also input the credentials directly into the Apono UI on the Apono tab in the Secret Store section.
You can also use the steps below to integrate with Apono using Terraform.
In step 10, instead of clicking Confirm, follow the Are you integrating with Apono using Terraform? guidance.
Follow these steps to complete the integration:
On the Catalog tab, click Okta Group. The Connect Integration page appears.
Under Discovery, click Next. The Apono connector section expands.
From the dropdown menu, select a connector. Choosing a connector links Apono to all the services available on the account where the connector is located.
If the desired connector is not listed, click + Add new connector and follow the instructions for creating a connector (AWS, Azure, GCP, Kubernetes).
Click Next. The Integration Config section expands.
Define the Integration Config settings.
Setting | Description |
---|---|
Integration Name | Unique, alphanumeric, user-friendly name used to identify this integration when constructing an access flow |
Okta Organization URL | Organizational URL of the Okta instance to connect |
Click Next. The Secret Store section expands.
Click Next. The Get more with Apono section expands.
Define the Get more with Apono settings.
Setting | Description |
---|---|
Custom Access Details | (Optional) Instructions explaining how to access this integration's resources. Upon accessing an integration, a message with these instructions is displayed to end users in the User Portal. The message may include up to 400 characters. To view the message as it appears to end users, click Preview. |
Integration Owner | (Optional) Fallback approver if no resource owner is found. To define one or several integration owners: from the Attribute dropdown menu, select User or Group under the relevant identity provider (IdP) platform; then from the Value dropdown menu, select one or multiple users or groups. NOTE: When Resource Owner is defined, an Integration Owner must be defined. |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. To define one or several resource owners: enter a Key name (the name of the tag created in your cloud environment); then from the Attribute dropdown menu, select an attribute under the IdP platform to which the key name is associated. Apono uses the value associated with the key (tag) to identify the resource owner; when you update the membership of the group or role in your IdP platform, the change is also reflected in Apono. NOTE: When this setting is defined, an Integration Owner must also be defined. |
Click Confirm.
Refer to the schema documentation for more details about the schema definition.
Now that you have completed this integration, you can create Access Flows that grant permission to your Okta Group instance.
Okta users and groups provisioning integration with SCIM
If your organization uses Okta SCIM to manage your employees’ access to apps, tools and services, you can take advantage of Okta’s “Provisioning” feature to automatically sync users and groups to Apono, allowing you to create just-in-time group membership based on Access Flows and user requests.
The integration between Okta and Apono that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Okta works with SCIM, please see this article.
The remainder of this guide is focused on enabling you to configure both Apono and Okta to get provisioning up and running for your organization.
The following provisioning features are supported by Apono:
Push Users. Users in Okta that are assigned to the Apono SCIM application are automatically added as members of your Apono integrated account.
Push User Attributes. User profile information in Okta is synchronized with the corresponding identities in your Apono integrated account.
Push Deactivate User. Deactivating or removing a user in Okta terminates that user in Apono.
Push Groups. Groups and their members in Okta can be pushed to Apono.
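The four push operations above, as an added illustration that is not Apono's or Okta's code: a minimal in-memory SCIM 2.0 target that applies Create Users, Update User Attributes, Deactivate Users (a PATCH setting `active` to false) and Push Groups, honouring the Groups to Sync list. Payload shapes follow the SCIM 2.0 schema (RFC 7644); how the receiving side reacts is assumed for illustration, not taken from the page.

```python
"""Added illustration only (not Apono's or Okta's code): an in-memory SCIM 2.0
target applying the four push operations the page lists. Payload shapes follow
RFC 7644; the receiving side's behaviour is assumed, not taken from the page."""
from dataclasses import dataclass, field
from typing import Optional


def parse_groups_to_sync(text: str) -> Optional[set]:
    """'group1,group2,group3' -> {'group1', ...}; an empty field means sync everything."""
    names = {g.strip() for g in text.split(",") if g.strip()}
    return names or None


@dataclass
class Directory:
    users: dict = field(default_factory=dict)    # userName -> SCIM attributes
    groups: dict = field(default_factory=dict)   # displayName -> set of userNames
    groups_to_sync: Optional[set] = None         # None means accept every pushed group

    def push_user(self, user: dict) -> dict:
        """'Create Users' / 'Update User Attributes': upsert keyed by userName (the Okta login)."""
        record = self.users.setdefault(user["userName"], {"active": True})
        record.update(user)
        return record

    def patch_user(self, name: str, patch: dict) -> dict:
        """'Deactivate Users' arrives as PATCH {"op": "replace", "value": {"active": false}}."""
        record = self.users[name]
        for op in patch["Operations"]:
            if op["op"].lower() == "replace":
                record.update(op["value"])
        if not record["active"]:
            # Page: deactivating or removing the user in Okta terminates them here,
            # so every group membership (and the access it granted) is dropped too.
            for members in self.groups.values():
                members.discard(name)
        return record

    def push_group(self, group: dict) -> Optional[list]:
        """'Push Groups': replace one group's membership; honours Groups to Sync.
        (SCIM member 'value' is a user id; this toy uses the userName as the id.)"""
        display = group["displayName"]
        if self.groups_to_sync is not None and display not in self.groups_to_sync:
            return None  # ignored, like a group outside the configured list
        members = {m["value"] for m in group.get("members", [])}
        unknown = members - set(self.users)
        if unknown:  # Okta pushes users before groups; a stray member is a sync error
            raise ValueError(f"members not provisioned yet: {sorted(unknown)}")
        self.groups[display] = members
        return sorted(members)
```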
Okta organization with admin access (see Okta Organization Administrators).
In the left navigator, under Environment, go to Integrations.
Under Integrations, click the Catalog tab and select Okta Directory (SCIM) under the IdP category.
In the Okta Directory (SCIM) integration page, enter the following:
Integration Name. Unique, alphanumeric, user-friendly name.
Domain. Your Okta organization domain name. It can be found in the Okta admin portal, below your username in the upper right corner, as follows:
Groups to Sync (optional). List of group names to sync in the following structure: group1,group2,group3.
Click Connect to initiate the integration.
The connector is initializing, and it will stay that way until the integration is complete and the two applications talk to each other.
In the meantime, click the vertical three dots to the right and click Edit.
Copy the browser's URL. It looks like this:
https://app.apono.io/catalog/edit-integration/XXXXX-XXXXX-XXXXX-XXXXX
The URL suffix is the Integration ID. Save it for the Okta provisioning steps described below.
Log in to your Okta admin portal and complete the following steps:
Under the Applications tab, select Browse App Catalog, then search for and add the Apono SCIM app.
Under the Applications tab, navigate to the Apono application.
Click the Provisioning tab in the application. Under the Integration panel, click Configure API Integration.
Check the "Enable API integration" checkbox.
For the Connection ID, enter the Integration ID (the URL suffix saved from the Apono integration above).
Click on "Authenticate with Apono" and Save.
Go to the To App panel, click Edit under Provisioning to App, and check the Enable checkbox next to:
Create Users
Update User Attributes
Deactivate Users
Click Save.
Okta integration is only possible with an organization account, not a personal Gmail account.
Admin User | Admin user on the LDAP server created for the Apono connector |
Apono Connector | On-prem connection serving as a bridge between an LDAP server and Apono. The connector must have Admin permissions to LDAP in order to manage JIT access to LDAP groups. |
Apono Secret | Value generated with the credentials of the user you created, based on the LDAP user credentials and the connector you are using. Apono does not store credentials. The Apono Connector uses the secret to communicate with services in your environment and separate the Apono web app from the environment for maximal . |
LDAP Information | Information for the LDAP server |
* This information is only necessary when the note is applicable.
HiBob
of all your company fields.
Integration Owner | (Optional) Fallback approver if no is found. Follow these steps to define one or several integration owners: |
Resource Owner | (Optional) Group or role responsible for managing access approvals or rejections for the resource. Follow these steps to define one or several : |
Apono Connector | On-prem connection serving as a bridge between a GCP instance and Apono |
Apono Premium | Plan providing the most features and dedicated account support |
Google Workspace Customer ID | Unique account ID. On the page, under Profile, copy the Customer ID. |