This guide will take you through the steps for configuring Okta as the SAML IDP for your HyperComply account, allowing your users to authenticate to HyperComply through Okta instead of the usual email/password combination.
What to expect:
First we’ll log into HyperComply and copy a value we’ll need for Okta configuration.
Next we’ll create the HyperComply Okta “Application” and configure it for HyperComply SAML.
Finally we’ll copy some values from our new Okta Application into HyperComply so HyperComply can securely validate SAML assertions from Okta.
HyperComply Configuration
Navigate to https://app.hypercomply.com/settings/saml_config
Copy the value of the “SAML ACS Endpoint” at the bottom of the screen.
Keep this tab open while you complete the steps below; at the end of this process you will need to enter some values from Okta on this screen.
Step-by-step instructions for SAML
Okta Application Creation
1. Log into Okta as an administrator
2. Navigate to Applications/Applications and click “Create App Integration”
Choose “SAML 2.0” and click “Next”
Enter display details for the new Application as normal. Click “Next”.
Paste the “SAML ACS Endpoint” URL copied from the HyperComply settings into the “Single sign on URL” and “Audience URI” fields.
Set “Name ID format” to “EmailAddress”
Set “Application username” to “Email”
Add these attributes to the “Attribute Statements” section:
Name | Name format | Value |
 | Unspecified | user.email |
firstName | Unspecified | user.firstName |
lastName | Unspecified | user.lastName |
respondRole | Unspecified | user.respondRole |
dueDiligenceRole | Unspecified | user.dueDiligenceRole |
teamRole | Unspecified | user.teamRole |
These attributes enable roles to be passed from Okta to HyperComply during SAML authentication.
3. Click “Next” then “Finish”
4. In the “Sign On” tab of the newly created “HyperComply” application, click the “View SAML Setup Instructions” button.
Note: this section requires copying values from Okta into the HyperComply SAML configuration form opened in the “HyperComply Configuration” section above. If you don’t have the tab open anymore, return to the page here: https://app.hypercomply.com/settings/saml_config.
In Okta: copy the value from the “Identity Provider Single Sign-On URL” field
In HyperComply: paste the value into the “IDP Endpoint URL” field
In Okta: copy the value from the “Identity Provider Issuer” field
In HyperComply: paste the value into the “IDP Entity ID” field
In Okta: copy the value from the “X.509 Certificate” field
In HyperComply: paste the value into the “IDP Certificate” field
In HyperComply: check the “Enable SAML” checkbox and click “Save”.
You have now connected your Okta SAML IDP to HyperComply, and users can log into HyperComply from Okta. Any user who logs into HyperComply via Okta will have an account created for them (if they don’t already have one). To allow Okta users to log into HyperComply, add them to the HyperComply “Application” you created above in Okta.
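As an added illustration (not HyperComply's or Okta's code), this is how the service-provider side can read the NameID and the attribute statement configured above once the assertion's signature has been verified against the IDP Certificate. The assertion, the SP URL and the role value are constructed samples; the audience check compares against the ACS endpoint because the steps above set “Audience URI” to that same URL.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml.ElementTree

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
ROLE_ATTRS = ("respondRole", "dueDiligenceRole", "teamRole")

# Constructed sample assertion (SP URL and role value are made up; a real one
# is signed by Okta and must be verified against the IDP Certificate first).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
 </saml:Subject>
 <saml:Conditions>
  <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml/acs</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="respondRole"><saml:AttributeValue>sample-role</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str, expected_audience: str) -> dict:
    """Return the subject email, all attributes, and the role subset; raise if
    the assertion is not for this SP or the NameID is not an email address."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID missing or not in emailAddress format")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this audience")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values[0] if len(values) == 1 else values
    # Only the three role attributes feed RBAC; everything else is profile data.
    roles = {k: attrs[k] for k in ROLE_ATTRS if k in attrs}
    return {"email": name_id.text, "attributes": attrs, "roles": roles}
```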
Assign HyperComply roles to users from Okta
You can automatically assign roles in HyperComply by mapping them from Okta using SAML attributes. Follow the steps below to configure this setup.
Add users to HyperComply Application in Okta
Navigate to Applications/Applications and select your HyperComply application
In the Assignments tab, click Assign/Assign to People, click "Assign" on the user you want to add, then click "Save" and "Done".
Add Role Attributes to the Application
Navigate to Directory/Profile Editor and click on the Application you created
Click "Add attribute" and create attributes (Refer to the step 2 table below)
Assign HyperComply roles to each user
Go back to Applications/Applications
Click on the pencil icon next to the user you would like to edit
Fill in the appropriate values for each role attribute (Refer to the step 3 table below) and click "Save"
⚠️ Important: Role names must exactly match those defined in HyperComply for mapping to work correctly. Role-based access control (RBAC) must be enabled in your account. Contact your Customer Success Manager for more details.
Enable role syncing in HyperComply
Navigate to SAML Configuration Settings
Check the box for "Sync user roles from SAML"
Step 2: Role attributes
Display Name | Variable name |
Respond Role | respondRole |
Due Diligence Role | dueDiligenceRole |
Team Role | teamRole |
Step 3: Accepted Role Values
Display Name | Roles |
Respond Role | |
Due Diligence Role | |
Team Role | |
Step-by-step instructions for SCIM
SCIM Configuration
By default, any SAML provider will use Just In Time user provisioning, meaning that a user authorized in Okta will have an account provisioned for them as they log into HyperComply via SAML for the first time. To have users synced directly between Okta assignments and HyperComply, you can enable SCIM provisioning:
In the ‘HyperComply’ Okta App Settings, click Edit
Under provisioning, select SCIM
Click “Save”
You will now see a “Provisioning” tab available - click it.
Under SCIM Connection, click “Edit”
In HyperComply, navigate to the SAML configuration screen here.
Under SCIM Configuration, click “Enable SCIM”
Copy the “SCIM Endpoint URL” and paste it into the field “SCIM connector base URL” in Okta
For “Unique identifier field for users”, enter “email”
For “Supported provisioning actions”, enable all
For “Authentication Mode”, select “HTTP Header”
Click “Create SCIM Token” in HyperComply and copy the token shown in the “Bearer Token” field into the “Authorization” field in Okta
Click “Test Connector Configuration”; you should see a success screen with checkmarks next to your desired actions.
Click “Save”
You have now enabled SCIM for the application. You can now enable the desired Provisioning Actions in Okta. Note that “Sync Password” is not currently supported.
Assign HyperComply roles to users from Okta using SCIM
Follow the steps below to configure this setup.
Add Role Attributes to the Application
Navigate to Directory/Profile Editor and select your HyperComply application
Click "Add attribute" and create attributes for Respond, Due Diligence and Team Role (Refer to the step 1 table below)
Add users to HyperComply Application in Okta and assign them a role
Navigate to Applications/Applications and select your HyperComply application
In the Assignments tab, click Assign/Assign to People and click "Assign" on the user you want to add, then
fill in the appropriate values for each role attribute (Refer to the Step 2 table below) and click "Save and Go back" and "Done".
⚠️ Important: Role names must exactly match those defined in HyperComply for mapping to work correctly. Role-based access control (RBAC) must be enabled in your account. Contact your Customer Success Manager for more details.
Enable provisioning
Enable role syncing in HyperComply
Navigate to SAML Configuration Settings
Check the box for "Sync user roles from SCIM"
Step 1: Role attributes
Display name | Variable name | External name space |
Respond Role | respondRole | urn:ietf:params:scim:schemas:extension:hypercomply:2.0:User |
Due Diligence Role | dueDiligenceRole | urn:ietf:params:scim:schemas:extension:hypercomply:2.0:User |
Team Role | teamRole | urn:ietf:params:scim:schemas:extension:hypercomply:2.0:User |
Step 2: Accepted Role Values
Display Name | Roles |
Respond Role | |
Due Diligence Role | |
Team Role | |
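As an added example (not HyperComply's or Okta's code), here is the SCIM 2.0 User resource a provisioner would send for the mapping above, with the three role attributes carried in the extension namespace from the Step 1 table, alongside the bearer-token and schema checks a receiving SCIM endpoint should apply before acting on such a request. The email, names, role value and token are constructed placeholders.

```python
import hmac
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
HYPERCOMPLY_EXT = "urn:ietf:params:scim:schemas:extension:hypercomply:2.0:User"
ROLE_ATTRS = ("respondRole", "dueDiligenceRole", "teamRole")


def scim_user_payload(email: str, first: str, last: str, roles: dict) -> dict:
    """Build a SCIM User keyed on email (the unique identifier field chosen in
    Okta above) with the role attributes under the HyperComply extension."""
    unknown = set(roles) - set(ROLE_ATTRS)
    if unknown:
        raise ValueError(f"unknown role attributes: {sorted(unknown)}")
    return {
        "schemas": [CORE_USER, HYPERCOMPLY_EXT],
        "userName": email,
        "name": {"givenName": first, "familyName": last},
        "emails": [{"value": email, "primary": True}],
        "active": True,
        HYPERCOMPLY_EXT: dict(roles),
    }


def check_bearer(authorization: str, expected_token: str) -> bool:
    """Validate the 'Authorization: Bearer <token>' header set up in the
    HTTP Header authentication mode, using a constant-time comparison."""
    scheme, _, token = authorization.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token.encode(), expected_token.encode())


def roles_from_scim_user(body: str) -> dict:
    """Parse an inbound SCIM User body and return only the recognised role
    attributes; the extension is ignored unless it is declared in 'schemas'."""
    user = json.loads(body)
    schemas = user.get("schemas", [])
    if CORE_USER not in schemas:
        raise ValueError("not a SCIM User resource")
    ext = user.get(HYPERCOMPLY_EXT, {}) if HYPERCOMPLY_EXT in schemas else {}
    return {k: v for k, v in ext.items() if k in ROLE_ATTRS}
```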
If you have any further questions or troubles regarding your setup, contact us through the help center chat.