Step 6 — For Okta: Create IdP Profile, Import Metadata, and Edit Settings in ExtremeCloud IQ

To see the Enable SSO Global Settings option, log in to ExtremeCloud‌ IQ using the SSO URL, https://sso.extremecloudiq.com/login?sso=true.

Note

Single Sign-on integration can only be configured by ExtremeCloud‌ IQ users with Administrator permissions in their home account (VIQ). External administrators cannot access the SSO configuration page when administering other customer accounts.
  1. In ExtremeCloud‌ IQ, select your name in the top right corner, and then select Global Settings.
  2. Select Enable Single Sign On (SSO).
  3. Select Add IdP Profile.
  4. On the Type tab, select Okta.
  5. On the Profile tab, enter the fully qualified Domain name for which you want to provide single sign-on, and then select Continue.
    Note

    You can only define a single domain name per integration. If your IdP supports multiple domains, you must create a separate IdP profile for each domain.
  6. On the IdP Connection tab, select Import from URL.
  7. In the ISP Metadata URL field, paste the URL captured in Step 5, and then select Import.
    After successful import, metadata from Okta displays.
    Note

    Some critical elements might not be included in the Okta metadata. If the SLO URL and SLO Response URL fields are blank, enter placeholder values in each field; you can update them in a subsequent step.
  8. To supply the placeholder values, copy the SSO URL and paste the value into the SLO URL and SLO Response URL fields.
  9. From the Choose Certificates list, ensure the certificate that was included in the Metadata import is selected, and then select Continue.
    ExtremeCloud IQ - Placeholder Values for Single Logout
  10. On the Attribute Mapping page, enter the following values:
    • First Name: user.firstName
    • Last Name: user.lastName
  11. Select Add a group name mapping for each Okta group to map to an ExtremeCloud‌ IQ role.
  12. In the IdP group field, enter the name of your Okta group, and then select the ExtremeCloud‌ IQ role to map any users in the group.
    Add additional mappings as needed.
    Note

    The values for First Name, Last Name, and Group Name are case sensitive. Ensure that what you enter here exactly matches the information in Okta. The list is applied from top to bottom, with the first match taking precedence. If a user belongs to multiple groups listed here, they are assigned the XIQ role of the first matching group in the order you specify.
  13. Select a Default RBAC role assignment to set the permission for users who log in to ExtremeCloud IQ but are not members of an explicitly defined group.
    • If you select Deny User Login, a user who successfully logs in to ExtremeCloud IQ with their Okta credentials, but is not in an Okta group mapped to an XIQ RBAC role, is denied access to the application.
    • If you select Allow User Login and assign default user group, a user who successfully logs in to ExtremeCloud IQ with their Okta credentials, but is not in an Okta group mapped to an XIQ RBAC role, is mapped to the role defined here.
  14. Select Save & Finish.
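
The check below relates to steps 7 through 9: it reads IdP metadata before import, reports which of the SSO URL, SLO URL, and SLO Response URL fields will be blank, and computes a SHA-256 fingerprint of each embedded certificate so it can be compared with the certificate in Okta. It is an added example, not part of the ExtremeCloud IQ documentation or product; the function names, sample metadata, URLs, and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entity ID, URL and certificate bytes are placeholders,
# not values from a real Okta tenant. It has no SingleLogoutService element.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_METADATA = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.test/placeholder">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(SAMPLE_CERT_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text):
    """Extract the endpoint URLs and certificate fingerprints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    certs = idp.iterfind(".//ds:X509Certificate", NS)
    return {
        "sso_url": sso.get("Location") if sso is not None else None,
        "slo_url": slo.get("Location") if slo is not None else None,
        # SAML metadata: responses go to Location when ResponseLocation is absent
        "slo_response_url": (slo.get("ResponseLocation") or slo.get("Location"))
                            if slo is not None else None,
        # SHA-256 over the decoded certificate bytes (whitespace is ignored)
        "cert_sha256": [hashlib.sha256(base64.b64decode(c.text or "")).hexdigest()
                        for c in certs],
    }

def blank_fields(summary):
    """Fields that would be empty after import and need a step 8 placeholder."""
    return [k for k in ("sso_url", "slo_url", "slo_response_url") if not summary[k]]
```

Run it against the metadata downloaded from the URL captured in Step 5; a non-empty result from `blank_fields` means the placeholder entry in step 8 applies.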